MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4
SHA3-384 hash:	5d9240acf5ae992779e88c461bdfedf8d78a8aa9ca9ce4c275a6a99e52bc8a6c492a51d4fb6867fa9a62ee6f609849fc
SHA1 hash:	854ccbb2257e25cf279762c320ea88a7feacbfe7
MD5 hash:	2401209d23cbbdb7b5807387d5164f11
humanhash:	zulu-emma-charlie-white
File name:	699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	2'816'512 bytes
First seen:	2026-06-05 06:52:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	49152:hqyQRjpmsWjP+mizeNSGJHWDSEFdS6Ed5ELUsg0VjAeP0ERuukvwoOU7OX:wyw4sWjIEJHKFE6w5EO0VjA7E9u1/7O
Threatray	56 similar samples on MalwareBazaar
TLSH	T154D5DF0271BDFAC5F1F4617529A0AD37273CAFF0895C819AE2C8F537AEF16050E15A29
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	f0cc8ad4e892ccf0 (1 x AsyncRAT, 1 x Smoke Loader)
Reporter	JAMESWT_WT
Tags:	Click-Hijacking-TDS exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

193.169.194.5:5506/I-AM-NOT-A-ROBOT-VERIFY.txt

Verdict:

Malicious activity

Analysis date:

2026-02-23 13:34:02 UTC

Tags:

powershell possible-phishing stealer

Link:

https://app.any.run/tasks/95fe93a7-755c-4b78-bce1-2e34aab0dcf3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69128/

Detection(s):

SecuriteInfo.com.Variant.Lazy.709609.29636933.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a22722b57b7bf261d610fd5

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypt installer-heuristic packed

Link:

https://www.filescan.io/uploads/6a22722346e44aecc0d0d99a/reports/bea92106-5c5d-47f1-97c9-1a991ea517c6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-02-22T12:32:00Z UTC

Last seen:

2026-06-06T21:47:00Z UTC

Hits:

~100

Detections:

BSS:Trojan.Win32.Generic Trojan.Win32.Injuke.plxo

Link:

https://opentip.kaspersky.com/699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bb788472-4f49-48f8-b5be-efc122b353f4

Score:

85%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4/

Verdict:

Malicious

Threat:

Family.SMOKE LOADER

Link:

https://tip.neiki.dev/file/699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4

Threat name:

Win64.Trojan.Kepavll

Status:

Malicious

First seen:

2026-02-22 23:50:24 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

24 of 36 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ngpxyprfevjrqufjr4znftlaaugv3c4yuaaxhnc43to6koceqs2a._file

Verdict:

malicious

Label(s):

remus

Smoke Loader

52f6d81aa40d054ff5baa08ce64e8fd186917e9961b46fda2a317e7d48949595

Smoke Loader

636aaf7ca40f9e0afc947f9a0f380a1457402afa9f7c968a9a70661b2b489231

Smoke Loader

730fcc3ba3b9029eda9faf1a28fb107da62e10131a1248ad2e0dfc015cc9d75a

Smoke Loader

c371928e3bfb54be11b073c953583498544aed7bf5e042cee6711825ae1a5967

Smoke Loader

error

Smoke Loader

+ 46 additional samples on MalwareBazaar

Result

Malware family:

remus_stealer

Score:

10/10

Tags:

family:remus_stealer stealer

Link:

https://tria.ge/reports/260605-hm713sc19p/

Behaviour

Detects Remus stealer

Family: Remus

Unpacked files

SH256 hash:

699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4

MD5 hash:

2401209d23cbbdb7b5807387d5164f11

SHA1 hash:

854ccbb2257e25cf279762c320ea88a7feacbfe7

Link:

https://www.unpac.me/results/3faea701-def9-40e8-88b3-87e9e55fcd65/

Malware family:

RemusLogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/699f7c3e2525/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/699f7c3e2525531850a98f32d2cd60050d5d8b98a00173b45cdcdde5384484b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69128/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample