MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb
SHA3-384 hash: 098d3541dde344bbd70b2ec9d02d49173a31917b1e015a171faad52ceef9d55cb8f001809114666d67822c2412de3032
SHA1 hash: fb5e01b63b9e100a9c81210d9c7eb0c962c797a9
MD5 hash: ba355806bff2f47d72c0ae2d2a2419c4
humanhash: ack-sodium-oranges-hotel
File name:SecuriteInfo.com.Win32.MalwareX-gen.16616.16590
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:6'144 bytes
First seen:2025-02-05 11:01:30 UTC
Last seen:2025-02-05 11:29:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 48:6Vezi5Qsy+PRDaZei3wxPwQAEfsQFNX8yd9mNMrI3odrvhRPaSl6sjDcE9tEp548:GR5hxYnpYldjZd7nEvwtEhnqzNt
Threatray 2'263 similar samples on MalwareBazaar
TLSH T1C0C1B510F3DA873AEE7A0775ADB217810274FB40DD579B9D1CC8668A2E076444B22F76
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
516
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.16616.16590.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a3467d2dcee78dd8198157
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated
Link:
https://www.filescan.io/uploads/67a3453c190d34a1af09298c/reports/dfd23905-5fff-4755-9b70-368067a571d5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1fdbbf84-63c5-4860-894d-537b6b54eca5
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.bank.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1607341
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1607341 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 05/02/2025 Architecture: WINDOWS Score: 100 42 prolinice.ga 2->42 44 files.catbox.moe 2->44 68 Suricata IDS alerts for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 10 other signatures 2->74 10 SecuriteInfo.com.Win32.MalwareX-gen.16616.16590.exe 15 2 2->10         started        14 sueibsc 14 2 2->14         started        signatures3 process4 dnsIp5 48 files.catbox.moe 108.181.20.39, 443, 49704, 49961 ASN852CA Canada 10->48 102 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->102 104 Injects a PE file into a foreign processes 10->104 106 Switches to a custom stack to bypass stack traces 10->106 16 SecuriteInfo.com.Win32.MalwareX-gen.16616.16590.exe 10->16         started        108 Antivirus detection for dropped file 14->108 110 Multi AV Scanner detection for dropped file 14->110 112 Machine Learning detection for dropped file 14->112 signatures6 process7 signatures8 50 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->50 52 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->52 54 Maps a DLL or memory area into another process 16->54 56 2 other signatures 16->56 19 explorer.exe 69 4 16->19 injected process9 dnsIp10 46 prolinice.ga 46.173.214.14, 49945, 49976, 80 GARANT-PARK-INTERNETRU Russian Federation 19->46 38 C:\Users\user\AppData\Roaming\sueibsc, PE32 19->38 dropped 40 C:\Users\user\...\sueibsc:Zone.Identifier, ASCII 19->40 dropped 76 Benign windows process drops PE files 19->76 78 Injects code into the Windows Explorer (explorer.exe) 19->78 80 Writes to foreign memory regions 19->80 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->82 24 explorer.exe 19->24         started        27 explorer.exe 20 19->27         started        29 explorer.exe 19->29         started        31 6 other processes 19->31 file11 signatures12 process13 signatures14 84 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->84 86 Hijacks the control flow in another process 24->86 88 Changes memory attributes in foreign processes to executable or writable 24->88 98 3 other signatures 24->98 33 k3FzkOFjYkxvJn.exe 24->33 injected 90 System process connects to network (likely due to code injection or exploit) 27->90 92 Found evasive API chain (may stop execution after checking mutex) 27->92 94 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->94 100 3 other signatures 27->100 36 sueibsc 29->36         started        96 Tries to harvest and steal browser information (history, passwords, etc) 31->96 process15 signatures16 58 Found direct / indirect Syscall (likely to bypass EDR) 33->58 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->60 62 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->62 64 Maps a DLL or memory area into another process 36->64 66 2 other signatures 36->66
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-05 07:05:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4miirl2eyssobf6r3lxtlnyiicyb4gyphheb7faalpbkr3q5lvq._file
Verdict:
malicious
Label(s):
smokeloader
Create hunting rule
Similar samples:
3c2457e6b7ddd7106766490a9b89a3fbda7bdc73b92d8402a92606d079995a20
Smoke Loader
48156752f6d6ae585d0058643156f6744700cfa263513f2e9365c8122d65c6bc
Smoke Loader
64addaaf98a7661110412b386b41251e01b5baabb8b693c25e5d8e8a8adcdf88
Smoke Loader
76930f5752402bbffccf8edeb6b07cd1ccf925c8c34853650e367cb2e0bc3e8a
Smoke Loader
871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb
Smoke Loader
d438bd2936d8564a021b534873b9bb3a34d421fa9bd442fcc1453892887849d6
Smoke Loader
d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b
Smoke Loader
error
Smoke Loader
+ 2'253 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250205-m47h4avndn/
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/06fecfbf-0b99-49c6-bd24-3c0f2cdea611
Unpacked files
SH256 hash:
871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb
MD5 hash:
ba355806bff2f47d72c0ae2d2a2419c4
SHA1 hash:
fb5e01b63b9e100a9c81210d9c7eb0c962c797a9
Link:
https://www.unpac.me/results/4707e3e2-7c34-4086-bd5d-9bf9c702cf7a/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/871884457a26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 871884457a26252704be8ed779adb8420580f0d879ce40fca002de154770eaeb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3428711/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments