MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841
SHA3-384 hash: a06266df17e81c023b4e9fba2623476f17cdb26f4cd5aaccc1e1d9e44f13cfd465ed1840016449124b06313946ddbc7e
SHA1 hash: 8033d843e95d6a67413116a81b278bff17afc217
MD5 hash: 696bbf18a42dc0a7b6e1a8f7fdb908e1
humanhash: xray-arizona-oregon-edward
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:257'536 bytes
First seen:2023-11-16 09:42:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c071df9f91908eb18d041533a3c969c (2 x Smoke Loader, 2 x Stealc, 2 x LummaStealer)
ssdeep 3072:5EfLtnBeJkgH8HGH5gR93IcxX/Ij+P/3sEM5HfhcOoRWx1KsicBIr:mLtQheauIcxX/k+P/3s75/hnxqP
Threatray 75 similar samples on MalwareBazaar
TLSH T1F5442943E2D1BD50E9268A369E1EC6E8321EF950CF6D7B6622197F2F14B2173D263310
TrID 45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.4% (.EXE) Win64 Executable (generic) (10523/12/4)
9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00004c0a8495cbc0 (1 x Smoke Loader)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from http://vpner.cc/upd/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
350
Origin country :
US US
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-11-16 09:42:28 UTC
Tags:
loader smoke
Link:
https://app.any.run/tasks/cb0cbaeb-e8bd-44d7-87bc-36ad252826fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458812/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6555e4280290ea202bc5aedb/reports/a494b756-8d77-46b7-8249-d918dd71d8ac/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bb93a3d-7287-49fd-b936-6d9a14b4c106
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1343509
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-16 09:43:05 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kcdgtdiwvvadfqsfvmi44m4slib3g4x5jts3nb5uka3b5qooxbaq._file
Verdict:
malicious
Similar samples:
07850ea1732b07aae1b520bc4e07f939a29ea8f842993a5849965d71aec14cb1
Smoke Loader
5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841
Smoke Loader
8ce95aee92cffc56420902fa657bc82a44574450ada63eb864d11e404a59a078
Smoke Loader
aeeee9f51ceec4a95e1e70dbb3c3c15df09a5408b29a5802ac1b65e2cd69210e
Smoke Loader
b3c7f502503d3102ecfa6f2145573ab851947dd3f2bdfd42fefab38947837dcd
Smoke Loader
ce015e5940a83246f5f69f4548281a05783e4a664be65b93422bab2d1ed9dc41
Smoke Loader
d0d97c70ea6e26b3708dc101a310f056d690bbc17306c493ccba4a6f00fad541
Smoke Loader
deab8c00637f509afc29190c048623d50e0aa2aa284ce1706b18c349ce157514
Smoke Loader
f2ab1aa34d0f6fc9cd8f6db413e96e7fecb62a63738db603fb41c1bda722d5fb
Smoke Loader
+ 65 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub4 backdoor trojan
Link:
https://tria.ge/reports/231116-lpw85shg37/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Deletes itself
SmokeLoader
Malware Config
C2 Extraction:
http://dpav.cc/tmp/
http://lrproduct.ru/tmp/
http://kggcp.com/tmp/
http://talesofpirates.net/tmp/
http://pirateking.online/tmp/
http://piratia.pw/tmp/
http://go-piratia.ru/tmp/
Unpacked files
SH256 hash:
9b9d5cf0cbdcbf67a3d1f42509985228a4a62cacfd79ee095beb512c75ae4998
MD5 hash:
c6ba5e70e5a630f884f3c7cec5746363
SHA1 hash:
6b457f6f2abb8e4e1e3f49385ac8588acd2c7f29
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/de9ed210-1128-4179-9640-d8836918ff57/
Parent samples :
af63001bfd4ed850fb3bf50862ef7265a6822ffc20f6b24ed741975918c56f2c
d0d97c70ea6e26b3708dc101a310f056d690bbc17306c493ccba4a6f00fad541
ce015e5940a83246f5f69f4548281a05783e4a664be65b93422bab2d1ed9dc41
3b8e8d855e714ca23dbdb2f30665dd6d3e810c7aa6fa43e1d2dcb0b0bd6a3ed7
e2b5145997ea023b6a21e305f46d725c8686f152d5666bd452b8adcd5af92d82
51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0
44fa511765693f9d912b3dce34be85c13be4fcc241d8ddc82fbab23852a6d174
1c42bdf6438c73d6f16d7bad5e9601e21dd92a7222e3c42761dc0f6d942b1a3a
ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a
dc13f91ceeb3c8c0959a9eb30ef56f5d23684be90bc459cdc80d1f105da3e58c
9b0d858bbb5099297f17cd5c7b6c9414143fb4b99afeee581107a50493161bd5
7c6dc6ae1caf94cd6f0cbcb075a81698bf496408e9553f63cd5c5742523b6bc8
2c08dae77574be67ecbd1d57d5ea8ea80042c7ee15f0ad5da405f574bf82b529
a6189864b80a674de976bc67a13f42fc6e601f2ea11c446047c84e2d12e120ae
22f1911d81e0e2feaf26b7b28208b5cbb68be45c39d5a6630c40047de2446f4e
d2a5bffc667647e9ba8a0d1733f9a27df01af72b9dbc7193031aad4c8853c6e4
ea226ab509f8001582cace500f1890df678371771cf7ee1cf1d61f949f201c5e
a31e66233b55244dea9219f5b5a4df56732ea52b4d2c7dac246851fcb9b9c318
c28c4cec1d98e3f612108826f92aef8d25da93ec22ac1b91523e944126ad0dbb
03c4bbba0969018b4e4e048b8f3c52ce0d99a3e37da9ed11a18997e8a836f28f
ba87c237b03a3a5a54273ccded35d16559f33678a76f05ce856389e207b68046
c5c00a192d1427f8d60b64e3e769c7f16b2fee7133dee7c63c042faaea4919fb
5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841
787c7572ea0492bdb433eb344fbc7f52e4ebdc62be69a2a3f1fa6180d4b22646
29da085a372470916f440dd7d72d7f6b2f4d634fc39880159786537bbf753efb
bbd761200738143705543689c13919065c19468a060b7cc63366ec414fcad107
e52e7b7b19091fbed821e1cfea10d78f6b20cda9e6119da26be4e77798b14907
d11cb28aa2618e76429ee7ebefb5c86c71374d2f8fdd58af946aee926c34615b
6bdfb620003859b5a5318fda333a8950d7d0edf266f297b8e3ae62b6018a07d5
c99d3d0a3d0d2ba99b089e1d71c8909a00e5876178c04db399afe57330bf615d
6503300b2dd8c4f441918d168a423dea5e342798eb112e0296757fe14e649d75
407c8e4e1a4fcba52d051e64eb52e67ad3ed5b1e1b41d41f21f7f6d32fd549f0
6a98e02fb015b78790f1c3b1f46ef61427e52a5a73d31fea518d9bd72a78dfa1
93bfa6ea57e67dae492fdaad02bdf1d0570deca1ac04e3665961e55f820c5320
7c6e6b4aaa210da5a69c5b12328158d54486e6d31bfe4938ab82097f2babc9f5
32d4bae99e3e24b7be91e342b78c84fb590146c0d5bc902f3c98b7673f6f7732
4afaefd1e04ef31fb1642e0b516c554e21de8340b84545641e7c29d028510afb
cd4942c9bb87b2b1d0c3511c23a2f7d8f1af35527a628aed2ea82f38e1d6a2d8
fdccf4ea45fd8aea2759fdb0c1b301ed989a6784a15778666db9b8e0e98403ca
8ca5fb996e43a8257aeead6230584228e1de3f34ac57ecf044cfb5135718a942
28a3132ff1dae5dda972e6d3910639c81d51bd593f065998df1e8efac0b64a9e
4fc7a527cd92275e3b8ae2cfb2e67d3f77760d29315755f02ce23dc455af27ed
b8cb255809d4f5e9475af6c541604c26021aaf8933a078143c6eef71dbfa77c1
b150b158d7dc445c348fffdb721f7c1a10f096482d2826ee455608f2061f6b63
9ccbd2020485782799f188fcde1c1015d4cef7a288b982afec7c94632ce292e9
e2056f95078e4e2d7df2819de53365fcc71bea3c022c4943bde8192039ef40d1
4c689166fc1682e14e6cf3cdb67a8cc62271334cdadf4410de99d3ba2b9d3a37
263a808889e25375c4e77085e7985d81c2f43150a4323e839619d0816d861c7e
4053798eb00caf7de7b00c2115db30dc8a1567d02035c23c79a279d1d3671177
e7ceec24f33171ed8426076f3c2011f20183fae40da62e379ab80333c3c48024
796bf8bc705cdc346f8c28dbe67ae39f0a384758dfb32f70ec7670ae7912fbe3
e1a8a8dad424eaca7496c436df74ced1215d42d7ac86f26a2d8108caf7a89940
4e2c32e76bec4ad95d0ca1a130e5b2a29bc624a1d348ce36fbd95027113c498b
fe2b3415794cd8ccb9ee4b28925f88c6815af95ccb14f58ac756210e9ad2d205
748c26e1f5c15693e97403c0e228b60433d4f051970fe13704174a90f824f5d7
26194c26b5412d22a2d59b50efc917df3e05102a5b1d0895e5c199c58c377211
fd787202cfb815a07775e5a12a87a8cec0736207ad3b27aadadb3c7eac245070
bd3c9be0544276fffc4b23029f7073661e859bbb41047292c4c0555ede12b1e5
65283a60a4a81ceaad94179b9555c1420abdc9ca49843c765098e5fa1e039efb
f6095eb7c5759c19ddc15879bb68bcad8ea5a1c30a7767d7b2b45ad837567a1f
43349b2181b49be96a57e0ac4da5ead230cbc6c048cd1c8089dd4e7428ca44e0
415bf1a2b1e00420502e3ac845170724004aaac7512b96440e2eb2965846bf51
fd01181f0a584579a652ad899163477ff55dcf48a8f1017e07805c69306b9731
5628951705135b7582a7913c52cc3c547b50a6a9badc656351b8b7945b1d8d38
36c2741465b9cf44c246ab5139421edce8b94483e63d5fe8e6eb18dade8ac263
17bd90ec1ab9fdfc235404d2a8705d20713b7c44f330097806e312dcbedbb2c4
8317ec6b484bb93b94883e8b9b354121716184ccbfcce47a3f732bed0c8d0a83
5aef45398566aece608ab79365c4c968438ee3c4de238865a266663be2ed849f
bbf35930603e2c79b466e38f249939ec19d6e8b8875868a03a607a92f39c62fb
91387a4e75e7e17acd8ffc08d87bb037a2217e967630c16c7681d006c1c0206f
d031dba06e6f21c4a0deaee93b9fa0ed8849f0d401ff26ca239e9da547030d77
f3a13cc76e0912f23dfdf11cf1a9f6b8015b540d1eae809d2a359c9a278ade1d
4d80f93923e0ff63d3dab7126446f4b33924d1306ae7524dacf36470689fdc28
SH256 hash:
5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841
MD5 hash:
696bbf18a42dc0a7b6e1a8f7fdb908e1
SHA1 hash:
8033d843e95d6a67413116a81b278bff17afc217
Link:
https://www.unpac.me/results/de9ed210-1128-4179-9640-d8836918ff57/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5086698d16ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5086698d16ad4032c245ab11ce33925a03b372fd4ce5b687b450361ec1ceb841

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2712503/
Cape
Cape
https://www.capesandbox.com/analysis/458812/
  
URLhaus
https://urlhaus.abuse.ch/url/2730657/

Comments