MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ba1c02ffb3a71afd89974b5452b53f65744ec88728c72b66b94d5e915856e78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	5ba1c02ffb3a71afd89974b5452b53f65744ec88728c72b66b94d5e915856e78
SHA3-384 hash:	5812d4c070680a7c48aeaf80de8d2699a159a0f01acb4dc04119fe64d90c17164a989eba7eb9cc419e87b7f67488c064
SHA1 hash:	8cdec79ade5a929cb33607966f9c212c705a02d2
MD5 hash:	2aa40252aed7517a76749b4940afa936
humanhash:	artist-football-fourteen-finch
File name:	TeamViewer.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	10'199'040 bytes
First seen:	2022-11-12 03:01:18 UTC
Last seen:	2022-11-12 04:41:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1c9e07af67348622700778228d2e8f08 (2 x Smoke Loader, 1 x PrivateLoader)
ssdeep	196608:yNBg5+7wT91yAmR6cg2WPcLcf9TwuZTvcDvcVL27QA7KL/V:y3fgyAmZbWPsClvLYR7S/V
Threatray	705 similar samples on MalwareBazaar
TLSH	T108A623B653A211D7E8B68C31C523FDB871722FEA8BC16CF559C57AC805310E9E316A1E
TrID	28.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 25.4% (.EXE) Win32 Executable (generic) (4505/5/1) 11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 11.4% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	31f0c0b2b2c0f071 (8 x Formbook, 7 x AgentTesla, 4 x AsyncRAT)
Reporter	AndreGironda
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

2

# of downloads :

161

Origin country :

US

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

TeamViewer.exe

Verdict:

No threats detected

Analysis date:

2022-11-12 03:41:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a4ae3bc4-2ae1-4a54-b319-98618e274e2f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/332743/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.12126.32673.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mokes packed

Link:

https://www.filescan.io/uploads/636f0caba8a86b129ea07125/reports/dbdac1e1-bc59-4e7a-ac2e-af53ea7fe626/overview

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d9dc2e49-e65b-447b-bfe8-b52f3bd5b0df

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1111667

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has a writeable .text section

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ba1c02ffb3a71afd89974b5452b53f65744ec88728c72b66b94d5e915856e78/

Threat name:

Win32.Backdoor.Mokes

Status:

Malicious

First seen:

2022-11-12 03:02:22 UTC

File Type:

PE (Exe)

Extracted files:

9

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=loq4al73hjy27wezos2ukk2t6zluj3eiokghfntlstk6sfmfnz4a._file

Verdict:

suspicious

Label(s):

raccoon

Similar samples:

354ff86b7dccc955b7ce0239141ef93f4aee741f48cd02e2c3341e711f1bf370

7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97

8f4650e1a483a2143eb1381d7c73d357b90bb0706e330213c9975639c5452490

ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1

d72645347b3fa6134cc416b6b9d73eec9d4ef2af4dbf26c6b91da795144c394c

e134f20c16c2d118f95738897fc6c8f3be4ec46563ad7e1c243c3d7595a0ea68

f4a57ad535ec4b0c7c1b3fbd9a116e451a392ee3f1e5e8b7a5ee0b05141208cc

+ 695 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221112-djf1zadd38/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/25508def-2e86-478e-ab92-72e2e22e8bea

Unpacked files

SH256 hash:

5ba1c02ffb3a71afd89974b5452b53f65744ec88728c72b66b94d5e915856e78

MD5 hash:

2aa40252aed7517a76749b4940afa936

SHA1 hash:

8cdec79ade5a929cb33607966f9c212c705a02d2

Detections:

win_smokeloader_a2

Link:

https://www.unpac.me/results/825fe1de-f026-4a7a-acc7-896678f04de7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/5ba1c02ffb3a71afd89974b5452b53f65744ec88728c72b66b94d5e915856e78

File information

The table below shows additional information about this malware sample such as delivery method and external references.

888efdded7a8913d6bbcac262ea6b3e9c0c4f2e283d335043b54cf8509f7daca

exe 5ba1c02ffb3a71afd89974b5452b53f65744ec88728c72b66b94d5e915856e78

(this sample)

Link

https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/

Dropped by

SHA256 888efdded7a8913d6bbcac262ea6b3e9c0c4f2e283d335043b54cf8509f7daca

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/332743/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample