MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
SHA3-384 hash: 9528b44e902d437bd91c8e2c68d8ae2a821263bd6d4427fbbc2e53348d66547997e41b4ac762a7fbebea014f9126446f
SHA1 hash: 2daa4cd4c7eca9c42ff00e7d1a4e027f55b836bc
MD5 hash: b7bd51ea4a3cbb85901f5e467009beaa
humanhash: august-twenty-colorado-green
File name:begoodforeverythinggreatthingsformebetterforgood.hta
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:110'765 bytes
First seen:2025-01-08 10:07:58 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 384:Fipci1dZ2FGFZrZi9qiA/zRj6TiezFSw4M7333j333V333x333kD333n33P333UM:zFLFSwkGpe1zOhVadsRZ4
Threatray 77 similar samples on MalwareBazaar
TLSH T1CDB36BFA5442E0BAE5DBC6BFFC9C2DA415009F27DDE85F4515EC880D6BE82C63124AC9
Magika javascript
Reporter lontze7
Tags:hta Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.HEUR.Trojan.Script.Generic.6561.6048.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=677e4fb6ffdcee13ec871935
Tags:
obfuscate shell sage
Result
Verdict:
Clean
File Type:
HTA File
Link:
https://app.docguard.net/4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/677e4f07aa636f963a1293c5/reports/91d3cf02-8f0a-404a-9a22-597dbc389a6b/overview
Verdict:
Malicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
Result
Threat name:
Cobalt Strike, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1585851
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Detected Cobalt Strike Beacon
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1585851 Sample: begoodforeverythinggreatthi... Startdate: 08/01/2025 Architecture: WINDOWS Score: 100 75 prolinice.ga 2->75 77 res.cloudinary.com 2->77 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 15 other signatures 2->89 14 mshta.exe 1 2->14         started        17 icgfugf 2 2->17         started        19 icgfugf 2->19         started        signatures3 process4 signatures5 129 Suspicious command line found 14->129 131 PowerShell case anomaly found 14->131 21 cmd.exe 1 14->21         started        24 conhost.exe 17->24         started        26 conhost.exe 19->26         started        process6 signatures7 99 Detected Cobalt Strike Beacon 21->99 101 Suspicious powershell command line found 21->101 103 Wscript starts Powershell (via cmd or directly) 21->103 105 PowerShell case anomaly found 21->105 28 powershell.exe 42 21->28         started        33 conhost.exe 21->33         started        process8 dnsIp9 81 192.3.27.144, 49733, 49743, 80 AS-COLOCROSSINGUS United States 28->81 71 sweetnessgoodforgreatnessthingswith.vbS, Unicode 28->71 dropped 73 C:\Users\user\AppData\...\thj2bm0i.cmdline, Unicode 28->73 dropped 133 Loading BitLocker PowerShell Module 28->133 35 wscript.exe 2 28->35         started        38 csc.exe 3 28->38         started        file10 signatures11 process12 file13 91 Detected Cobalt Strike Beacon 35->91 93 Suspicious powershell command line found 35->93 95 Wscript starts Powershell (via cmd or directly) 35->95 97 2 other signatures 35->97 41 powershell.exe 15 16 35->41         started        69 C:\Users\user\AppData\Local\...\thj2bm0i.dll, PE32 38->69 dropped 44 cvtres.exe 1 38->44         started        signatures14 process15 signatures16 125 Writes to foreign memory regions 41->125 127 Injects a PE file into a foreign processes 41->127 46 aspnet_compiler.exe 41->46         started        49 conhost.exe 41->49         started        process17 signatures18 135 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 46->135 137 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->137 139 Maps a DLL or memory area into another process 46->139 141 3 other signatures 46->141 51 explorer.exe 25 4 46->51 injected process19 dnsIp20 79 prolinice.ga 46.173.214.14, 49744, 49746, 80 GARANT-PARK-INTERNETRU Russian Federation 51->79 67 C:\Users\user\AppData\Roaming\icgfugf, PE32 51->67 dropped 107 Benign windows process drops PE files 51->107 109 Injects code into the Windows Explorer (explorer.exe) 51->109 111 Writes to foreign memory regions 51->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 51->113 56 explorer.exe 51->56         started        59 explorer.exe 51->59         started        61 explorer.exe 51->61         started        63 6 other processes 51->63 file21 signatures22 process23 signatures24 115 System process connects to network (likely due to code injection or exploit) 56->115 117 Found evasive API chain (may stop execution after checking mutex) 56->117 119 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 56->119 123 3 other signatures 56->123 121 Tries to harvest and steal browser information (history, passwords, etc) 59->121 65 WerFault.exe 63->65         started        process25
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073/
Threat name:
Win32.Phishing.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-01-08 02:29:41 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwiz7kujlwzyglpynv7pque4cekaogeqj54vpuhg2rfygcbh6bzq._file
Verdict:
malicious
Label(s):
smokeloader
Create hunting rule
Similar samples:
15f451bcfbbaf0532eb4c29a2651b10f68c40cef82d308efbb52fd1a20d85318
Smoke Loader
32f32787e8bbc5276d6f9d1d1d8b0f5f762b33df9abf8a820f34d6e702603b99
Smoke Loader
35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5
Smoke Loader
7467651082b81c0e0ac5c64b4821fcd49070b5d15c88e1a716f948bdac88b544
Smoke Loader
7910bb1786288ed1cc204913f0785c32a1bd0b1ee3476d2ef260df564be3b2a5
Smoke Loader
9af40d7dbe70e708bc2fc5cdf500f7f5389210ed8813f006ac342d6983dcd2ac
Smoke Loader
9c4e6335372584e7b1e145fe9ac1eeb43c148ac9b98337a4629b817badc83eec
Smoke Loader
af6c6b710e9a4c5e2d8b53642779548a4edcd528cd7e5714c6ac9d69f38efb80
Smoke Loader
error
Smoke Loader
f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
Smoke Loader
+ 67 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor defense_evasion discovery execution trojan
Link:
https://tria.ge/reports/250108-l571ksxpdj/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
SmokeLoader
Smokeloader family
Malware Config
Dropper Extraction:
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4d919faa895d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

HTML Application (hta) hta 4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3393593/

Comments