MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5878e738c8b3e36e7b1778ba14f8a00766f079d9c7555d9de2a01f633d7dbf37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	5878e738c8b3e36e7b1778ba14f8a00766f079d9c7555d9de2a01f633d7dbf37
SHA3-384 hash:	5f71163065986e61489eb6bbf364059304a74bed4e86d8ffdfe60c6b6230b35596cf0568506dddb418f6921af15d8c79
SHA1 hash:	4d74820df4ba129f8661143ec4b488f9aa1dcc19
MD5 hash:	23d656a149c2858db13a5e15b9cb40ee
humanhash:	arkansas-uncle-indigo-winner
File name:	file
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	297'984 bytes
First seen:	2023-02-18 16:05:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	81831dbd0bb62ee86f0858d78363b4f1 (2 x Smoke Loader, 2 x TeamBot, 1 x GCleaner)
ssdeep	6144:o7r6LhonXq02R1lzaCZ9BaURjOrkMpgamtw6:oP6tonXNI1lzag9BlF3MRmT
Threatray	953 similar samples on MalwareBazaar
TLSH	T1D554BF13B6E07C51D9124E729E2ACBEC7A6DF5204E44A76A123C5DAF08F41F2D7A3781
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0643490222224200 (1 x Smoke Loader)
Reporter	jstrosch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-02-18 16:16:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/27a3e030-37c6-4deb-83cc-2408298673cd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/368137/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Deleting a recently created file

Launching the default Windows debugger (dwwin.exe)

Reading critical registry keys

Forced system process termination

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/71656/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63f0f76ac0c2113f82dab058/reports/0706b003-b09b-40da-9998-26870053a9cc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5878e738c8b3e36e7b1778ba14f8a00766f079d9c7555d9de2a01f633d7dbf37

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3eeae067-5bcc-40ec-97df-ce599ad931b7

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1178693

Signature

Antivirus detection for URL or domain

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found potential ransomware demand text

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5878e738c8b3e36e7b1778ba14f8a00766f079d9c7555d9de2a01f633d7dbf37/

Threat name:

Win32.Infostealer.Rhadamanthus

Status:

Malicious

First seen:

2023-02-18 16:06:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lb4ooogiwprw46yxpc5bj6faa5tpa6ozy5kv3hpcuapwgpl5x43q._file

Verdict:

malicious

Smoke Loader

49a4c9b865e272372dc2c42f4e23861637616f84ee08b007786e3baef4af936f

Smoke Loader

5fc3376cb40e9e8f22785c7b90e9e2c00acff1521f65691b33d9dc07195d0e8c

Smoke Loader

64d1d03c3378be695f30daea3877b732f662fc453dcd03af0f7990467c698a8f

Smoke Loader

8a8bf4a261ae984007e0da758f9c8c9c609beb83041e91d036ff4ef0ed1bb328

Smoke Loader

a860f0a0550d4e011d2fa244f01892f163d218f036c273e78851ab383d361843

Smoke Loader

fd19241e3dbb2519f4f10b8e415e5dee056a7f2894bd7b0e7000a544147caf0a

Smoke Loader

+ 943 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection discovery spyware stealer

Link:

https://tria.ge/reports/230218-tj267scf66/

Behaviour

outlook_win_path

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

Program crash

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

9c0bd64e8888569d9f394853aade64392c431a684452d9bc8f819dfb2d1bac1a

MD5 hash:

016615af8b3cb0a90066b3bedcf65aa9

SHA1 hash:

315dd04a70f9bcc2b62b57846dbfa79426eb5856

Link:

https://www.unpac.me/results/cd71613f-f2f6-4196-95d7-d5ac93efd524/

SH256 hash:

5878e738c8b3e36e7b1778ba14f8a00766f079d9c7555d9de2a01f633d7dbf37

MD5 hash:

23d656a149c2858db13a5e15b9cb40ee

SHA1 hash:

4d74820df4ba129f8661143ec4b488f9aa1dcc19

Link:

https://www.unpac.me/results/cd71613f-f2f6-4196-95d7-d5ac93efd524/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5878e738c8b3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5878e738c8b3e36e7b1778ba14f8a00766f079d9c7555d9de2a01f633d7dbf37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.