MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 624a79f6676f30dacde483787ee4e8addd55a66309c56005c202701063e6c3eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 624a79f6676f30dacde483787ee4e8addd55a66309c56005c202701063e6c3eb
SHA3-384 hash: 44193e44522559b02dc6682f47d6c81f02c6f2da5ad1c737b62c1aed3bf5c72df06b802642b2e0c484b1ed10e73925b3
SHA1 hash: e94f6c61bf41d563f0cea1d9185ea6940a3a5265
MD5 hash: 85d07649652d200314947bb98e09ebc0
humanhash: finch-august-two-august
File name:85d07649652d200314947bb98e09ebc0.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:3'802'112 bytes
First seen:2023-01-23 19:08:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8388c4af61e6ca4e78048b4b09a8cbe (9 x Smoke Loader, 5 x CoinMiner, 4 x Tofsee)
ssdeep 98304:xGMg9NJcjivuYINSaXSVnj5XlYR2r/JB:oM03cjiSXCn1Xltr
Threatray 24'768 similar samples on MalwareBazaar
TLSH T11A063332FE95A436DC26003006A4CDE59E7DA2F3976C5B73B98A1B59B7713D23928313
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 101070c4d0684c44 (1 x Smoke Loader)
Reporter abuse_ch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
85d07649652d200314947bb98e09ebc0.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 19:17:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/948a87f2-e63f-4457-b960-4572e1cb1389

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356081/
Detection(s):
Win.Packed.Stop-9985110-0
Create hunting rule

Win.Packed.Stop-9985116-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Changing a file
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/63cedb501c9cbf7d6251bb80/reports/9697960d-a044-4c5f-a08a-a7b509cba0f3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86cb4588-b8f6-4cc8-ba9a-5f103a3d8128
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1157329
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/624a79f6676f30dacde483787ee4e8addd55a66309c56005c202701063e6c3eb/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mjfht5thn4ynvtpeqn4h5zhivxovljtdbhcwabocajybay7gypvq._file
Verdict:
malicious
Similar samples:
217859f8f952a9de8aeb91dc175ef6dad10142327bb6111fafa2b4523161d178
Smoke Loader
3b19c8396a1294f52170ad5af4db3282f81a46445789ef94983ba891038c4cec
Smoke Loader
420148025ec21333fa89a72ee35309621aa1e7248d08d51e4384d267aef1518c
Smoke Loader
4ba96ecdcdfa746de28a0ee3ef474842e829917c9486ace35ec4cc2fa1ad956f
Smoke Loader
51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
Smoke Loader
81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d
Smoke Loader
927a4dddb1e5ffe4ba3a9a8ba4183c092eb350fb07ea79fecd84042c812f6dbc
Smoke Loader
e8aeaf935d69a1da8e8838c9744b0e6df06472abc0120c223c6424833f2ee17e
Smoke Loader
fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f
Smoke Loader
+ 24'758 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230123-xts8tseh63/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
83d8c2be95d707c1b6391ab3bba63e47107cdf3fc31ef79e005c4e9f05fa8c63
MD5 hash:
4d8148a531fdf9aa65ef50b901ee9924
SHA1 hash:
7d7f331f4c84f9880d30b12d3cdf8c37b35ca191
Link:
https://www.unpac.me/results/954d6a7a-40ad-4500-922b-ec9920893cf5/
SH256 hash:
577a508ca36e3eb9c762c216501c905c46b87b6973e172eaaa555831b0e284ff
MD5 hash:
9b8c69c6f286241970add369883381fd
SHA1 hash:
c95154c423cffb4638235112eb0248cd12324e30
Link:
https://www.unpac.me/results/954d6a7a-40ad-4500-922b-ec9920893cf5/
SH256 hash:
624a79f6676f30dacde483787ee4e8addd55a66309c56005c202701063e6c3eb
MD5 hash:
85d07649652d200314947bb98e09ebc0
SHA1 hash:
e94f6c61bf41d563f0cea1d9185ea6940a3a5265
Link:
https://www.unpac.me/results/954d6a7a-40ad-4500-922b-ec9920893cf5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/624a79f6676f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/624a79f6676f30dacde483787ee4e8addd55a66309c56005c202701063e6c3eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 624a79f6676f30dacde483787ee4e8addd55a66309c56005c202701063e6c3eb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2515360/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/356081/

Comments