MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042
SHA3-384 hash:	ce7eb22426037cf826dd0b8e9babd42d60ecbdb069a5e1b982cc1a79b35516ed1f764a2fa9d0bbc47dd862aa8e098a5a
SHA1 hash:	79fc7f8a64a662120ade006a67f34c63e2f8a5d7
MD5 hash:	4fb9314b70c173f8569011efc7a98d81
humanhash:	grey-sweet-bravo-nevada
File name:	file
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	213'504 bytes
First seen:	2023-11-17 04:35:13 UTC
Last seen:	2023-11-17 07:23:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4b036b1ebc23e5c5c9b73c2e7870fe99 (6 x Smoke Loader, 1 x MarsStealer)
ssdeep	3072:KK05QL//b+mWSA0ZkH2NbjWk6wfPuT1mhmdfKRO9Vo1G/ziU:WuL//CtSNZkHG8Sa15x
Threatray	26 similar samples on MalwareBazaar
TLSH	T16C249E13A2E0BC51D51F4B739E2EC6E8BA1EB991DF59772E22185A3F0B701B2C163315
TrID	45.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.4% (.EXE) Win64 Executable (generic) (10523/12/4) 9.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	000208a2218d8808 (1 x Smoke Loader)
Reporter	andretavare5
Tags:	exe Smoke Loader

andretavare5

Sample downloaded from http://gons20cl.top/build.exe

Intelligence

File Origin

# of uploads :

# of downloads :

368

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/458902/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed xpack

Link:

https://www.filescan.io/uploads/6556edb218918145a816d658/reports/bfd146b3-efc9-4cc3-8397-02f422c18cc7/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f5c77942-37fd-4b8e-b4cc-a3f73239ba0f

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1343975

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking computer name)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Self deletion via cmd or bat file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AntiVM3

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-11-17 04:36:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lykkk3wcuupk72motppwgiaaw4ocrwe4up3t2ayscrc4rpvnibba._file

Verdict:

malicious

Smoke Loader

7e2fc238252c47231d37ab938055672b07423ce2688bb32cff3b97dc179fee9b

Smoke Loader

93f4f7dd1458ebc9caa287fe4a81737a417a75ab8e3a4a150c5c907f87b51d11

Smoke Loader

961fa39e74e92717c34a65cefca250df55cfc76faf1780c45e6b7dfc0fc80eca

Smoke Loader

b04caf3e505f0d1a6ed6348f82d5ff27de4a8ff134154c13b20c0409912bb12c

Smoke Loader

b4177d3d69f7951f46d07b01204fc749befc81531720de78ab7e75e93db35c58

Smoke Loader

c1463af12fd0e9bda5b5c94381ea22d82abd5d95008ffb77894c5be3c77e3bbc

Smoke Loader

e26a36702257f07a25adc0e5b1a3ceeabcbcb18b63c8d83c0ccb988f848e4a08

Smoke Loader

f94464959b33782231ae5a82624d3407833a812cb17c09bca2647e4476b78fde

Smoke Loader

+ 16 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/231117-e78xbsga8x/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks installed software on the system

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Downloads MZ/PE file

Unpacked files

SH256 hash:

711e6bf949b2e82681786b011634cf98733445d02324671dbb7780e81f9c4bda

MD5 hash:

93d4a1842c8c585011d305db13d67aee

SHA1 hash:

cdbf845fc2767edab8b2162ce60112cb96ed1504

Detections:

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Link:

https://www.unpac.me/results/0f867b1d-8a5f-44b3-9e32-cf7dc33d8bce/

Parent samples :

5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042
0e093049b2e7265ce11c541b4f4d9125d44f668fb51ed397c51545c6b46f0fa1

SH256 hash:

5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042

MD5 hash:

4fb9314b70c173f8569011efc7a98d81

SHA1 hash:

79fc7f8a64a662120ade006a67f34c63e2f8a5d7

Link:

https://www.unpac.me/results/0f867b1d-8a5f-44b3-9e32-cf7dc33d8bce/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5e14a56ec2a5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5e14a56ec2a51eafe98e9bdf632000b71c28d89ca3f73d03121445c8bead4042

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2731344/

Cape

https://www.capesandbox.com/analysis/458902/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample