MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73a8ad379a2f6efec0754119102727765066db33a4f8b4a0aed21608bdb0cdfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 2


Intelligence 2 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73a8ad379a2f6efec0754119102727765066db33a4f8b4a0aed21608bdb0cdfd
SHA3-384 hash: 76b40f3dc77de8e56ddb3c5f68b883d27204ccfad275be4e04dbf886608c7f7230f9de3d2ee775bf179493f45e3e462c
SHA1 hash: 2d3bac5b5dc9b6fe89d3dbbfc5ba9abb0566908e
MD5 hash: 1ccdcb9dbe35370fa45ae3249c87b1cd
humanhash: indigo-minnesota-music-hotel
File name:1ccdcb9dbe35370fa45ae3249c87b1cd.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:465'920 bytes
First seen:2020-05-22 06:30:42 UTC
Last seen:2020-05-22 08:03:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:oeSduvsX4jSgVgkGM+CJ0Fd9YYeen7BDzo9:2du64eO+CJ0dDeexz
Threatray 19 similar samples on MalwareBazaar
TLSH 57A4BF3613CD1F43C17873B063B2467057EDEE4DC71ADA143E9D42485BF3AA6A627A0A
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader


Avatar
abuse_ch
Smoke Loader C2:
http://193.135.12.97/x/

Intelligence

File Origin
# of uploads :
2
# of downloads :
773
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43180615.13757.12075.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Occamy
Create hunting rule
Status:
Malicious
First seen:
2020-05-18 21:52:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
unknown
Similar samples:
0098bf2ef8230d9bb30b451868272ffb271fe63a8c248bfc9ce569991c19f279
Smoke Loader
160c5ec01e302b73f84895263a7ab3b2cfbdb70598f0d338c1b196afb3f16bc4
Smoke Loader
38c4baea01347f88b497f928343cb19d1e68a693369da7cecdde067281e26fa9
Smoke Loader
69a34116377032442c113adb0490c641f4af86b04fb8a2027f094d3678674915
Smoke Loader
81dd6bf8f73b2cd5f20ddce56486310323723a6c07723b2a30803697fd17dded
Smoke Loader
831ba6efa4a49eb1c7ff749fe442b393c5a614f383bf1efb52512a183b4362fc
Smoke Loader
8c3ab3dfe110988d790808121453336342297777bdac96a10d317bab2b0de2c6
Smoke Loader
bfa0531240e8ae03aee76df45f9e4c8748ad739a63f47c81269d7b2ca05fc329
Smoke Loader
f0cbd144abefbde7656a8ab6733b337165ea5929fd1829f179e8a852275d059f
Smoke Loader
fca6ebdeec0b760f2faeef8ba5edf6ab9d0141475b5f554ef1678aa4426baaac
Smoke Loader
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-2ttx5dzhwn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Blacklisted process makes network request
Malware Config
Dropper Extraction:
httP://paste.ee/r/MCprY
httPs://paste.ee/r/6wPlS
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_Case_Anomaly
Create hunting rule
Author:Florian Roth
Description:Detects obfuscated PowerShell hacktools
Reference:https://twitter.com/danielhbohannon/status/905096106924761088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 73a8ad379a2f6efec0754119102727765066db33a4f8b4a0aed21608bdb0cdfd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/366361/
  
Delivery method
Distributed via web download

Comments