MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 926979379368085e561b9bd88832bd7fe93927dad7eb254b63c66622e0664623. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 926979379368085e561b9bd88832bd7fe93927dad7eb254b63c66622e0664623
SHA3-384 hash: 8587c056f7de8564c89e4d2e0ae3e7453d894b9efff147b0dae8c0463d497d434e0ce70e93941421cdbc1b5274d845d9
SHA1 hash: c3f3f7775a4d4a29e81521db05fd309b7ed04c78
MD5 hash: b63f4cc6fbe0f2e53e842b5a95c91940
humanhash: blue-lamp-magazine-alanine
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:253'440 bytes
First seen:2023-09-19 05:57:19 UTC
Last seen:2023-09-19 06:56:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f06506eee90c0a3a305eaa9c4f190ff (3 x Smoke Loader, 1 x CoinMiner, 1 x Stealc)
ssdeep 3072:JvniyEE2XcO4uWVlzU7g7/X3i4/L4smyFrM1:pEE2XH4uW7U7g7v3i4RZ
Threatray 2'553 similar samples on MalwareBazaar
TLSH T1E044D02277F1D832E4A745355871C2B52A7B78225675C68F37A02B3E5F703C1AA7A323
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70c0ded0d0d0d2dd (1 x Smoke Loader)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from https://www.cotomac.com/tmp/index.php

Intelligence

File Origin
# of uploads :
4
# of downloads :
294
Origin country :
US US
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449559/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.2492.341.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Enabling autorun by creating a file
Gathering data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware lolbin shell32
Link:
https://www.filescan.io/uploads/6509386b988a26b6d96e7a1e/reports/c6d58bc8-6ef3-45d9-971f-9e2329456f55/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/926979379368085e561b9bd88832bd7fe93927dad7eb254b63c66622e0664623
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4d22c39-ed5c-4ddf-ba6f-ca29ec9a9241
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1310536
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1310536 Sample: file.exe Startdate: 19/09/2023 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 6 other signatures 2->46 7 file.exe 2->7         started        10 sreicrg 2->10         started        12 vgeicrg 2->12         started        14 sreicrg 2->14         started        process3 signatures4 56 Detected unpacking (changes PE section rights) 7->56 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->58 60 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->60 16 explorer.exe 5 11 7->16 injected 62 Antivirus detection for dropped file 10->62 64 Multi AV Scanner detection for dropped file 10->64 66 Machine Learning detection for dropped file 10->66 21 WerFault.exe 3 10 12->21         started        68 Maps a DLL or memory area into another process 14->68 70 Checks if the current machine is a virtual machine (disk enumeration) 14->70 72 Creates a thread in another existing process (thread injection) 14->72 process5 dnsIp6 34 187.212.185.70, 49711, 49714, 49716 UninetSAdeCVMX Mexico 16->34 36 gudintas.at 201.119.22.99, 49710, 49722, 49728 UninetSAdeCVMX Mexico 16->36 38 11 other IPs or domains 16->38 26 C:\Users\user\AppData\Roaming\vgeicrg, PE32 16->26 dropped 28 C:\Users\user\AppData\Roaming\sreicrg, PE32 16->28 dropped 30 C:\Users\user\AppData\Local\Temp\6212.exe, PE32 16->30 dropped 32 C:\Users\user\...\sreicrg:Zone.Identifier, ASCII 16->32 dropped 48 System process connects to network (likely due to code injection or exploit) 16->48 50 Benign windows process drops PE files 16->50 52 Deletes itself after installation 16->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->54 23 6212.exe 16->23         started        file7 signatures8 process9 signatures10 74 Antivirus detection for dropped file 23->74 76 Multi AV Scanner detection for dropped file 23->76 78 Detected unpacking (changes PE section rights) 23->78 80 5 other signatures 23->80
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/926979379368085e561b9bd88832bd7fe93927dad7eb254b63c66622e0664623/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2023-09-19 05:58:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjuxsn4tnaef4vq3tpmiqmv5p7utsj6227vsks3dyztcfydgiyrq._file
Verdict:
malicious
Similar samples:
02a2eb47b6d8711c8a76cf30e0835a91ae9289540cfc9091ce837b809932c507
Smoke Loader
0c26ec308dc78ef090ebec907e1eb15d6dfdc28a85fa27e0a945fc5354a3e5f9
Smoke Loader
6ba6ba1ad5f6525a76e854affad5bb28d1e59c93bd26d88a9cf1da7b84ed3b27
Smoke Loader
80c8b0971ef6542ced612e91aff7bca5d0ae3462a62b20eea298e3ac20d4df2e
Smoke Loader
93c048fa590c3fc63003ccec29071f13aebda830c4094430445fd996d8cca072
Smoke Loader
b1a03e848235832237fff6c73ddfb785968b66ee3683c2dc1ec1e6be516ac461
Smoke Loader
b92797965358585eadbe928c2b8531c5575caa87cbcef1171a48f1941a10b740
Smoke Loader
de8385440c23789f44c418bdf2e30578559b1c6b142c820f081f81280d1c0888
Smoke Loader
e2890e9fa0e086c87f866ebcf6b83fed7029cc9221ecc19318af45a8608a11e8
Smoke Loader
e7b2ce3363313b6bcc7651b591e5fe8280f0ca40bd1e7652f6376cc3100cc441
Smoke Loader
+ 2'543 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub4 backdoor trojan
Link:
https://tria.ge/reports/230919-gn6c7sfb6v/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Deletes itself
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
26f3c6f6a5cb65279d5603528867c6357a952ce418ae88d3affadc4bdf16a33f
MD5 hash:
c8e025690e0519478cc1283ad0ee86ba
SHA1 hash:
f3619cfb6b2ab412bd3baa0a28957514d9d070d5
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/72f34213-cf3b-4859-a909-a6df852912c4/
Parent samples :
d2a1c4ad6137039edb6b556465d58a105d507fb4d522070015ba5c4dacbe3302
926979379368085e561b9bd88832bd7fe93927dad7eb254b63c66622e0664623
d3502cf4269d0c8890f864ef9788d4a8c0c13d0320799a821074215ab14ddb41
017f1012afed448245a9a6ffc678911132ca51d740275dd827e0ad0bff35708f
4bf8e00d93fda98684467170270aa463332645da8c743227199290cb7314c036
90dcdaf2845da12ab2b104a381adabc1e91220d8b0f6369e295f6a25ef920eba
596928382bb444075f26d60f0492641dcede85184d8fddcb7fb38b2eceaeb1c4
76a1b5a191dfe056c367a53b28dfb48d69e53b0e61a324556395ddf83621081a
bf44be67aea40cdbd3e7c3533989d42107e61f5c76bdbb3fc6e6f473fa65f84e
ff5794af33667de77d1b287bb096b8153b1c7d096ec1d940de3bb9692c95251c
0c40e99ccd352e86095dd75f786dc8846c45fe0cd4ddf619ac6aa4f7ea7ae9e6
688f1ace96bb0327c76e92afaf731fb90831c6fc9ec887768d7b7111891cc93e
a4e6221aa7745feb21d710cb4919530751ce3ad657d49d8b5c26cf76269fba72
8407e4bb6ffb05e1631bc7c1cc2165bb3ceef41e20586b9ca16baa65896c04ab
d81750a716e631f5506195bff20d3cff4d18e124db80e36a9318a1e1af2b94cf
563307cb0415d3767f1c0ab2ffc13194be9503fc5505ac97b4f02aff53b13c75
85630537714d5da40be00a1d0d43a52d17eedb10ea08785541b2e663231e05d1
f2add85a0ca49e697931313e766ea6a9bc1ff5cec9b2b667841f77a5f6f0845a
7e537132ddf640396c3bf33de736c0f2b94d429e74c2d4da9cc3c9ac88bbdd09
ae93375876fc887ded8b6bb111af27482110409d98bdda4ba931a4b24e3a00bf
a8da1b7176f1e2933bc5b368b740561ddbef0b12a42aaebc47b29d056366a69e
84e81e9664ffc778584fbd651a53a3aef26711a3c4dd2a573fae32be878f9366
b39ec8cf42464c5cdd5c56ec287940468a557e36d9a0a549f094eb283d84c1f8
39294c49fba76987db0276cbba3861df1faa14f1a879fb7a89bf49497b37b926
dcf036ddffddab12714415ab12279a6e21faf8a5feaf70e667c5a26f61b653a0
4995678c8a4d9336fd9c02a44f9ba3a210d8d985ebbe5d8d97c611ce9ae2975e
754220d8423797544cd927a81bd2dd3f0703c521538ce9aec6db7a17ffd96739
9f3b60b57798ce71cd44a045f2cfa9333fd4354ccaaa1120597f19668ff4632c
bd1a7304c5cc386fb5b1291dc81a28c2fd6d9c6189fab48fffd31e1ddd18ddd1
cecc008c8d7603d9cda6bb9d127da6313a88f5fec9d21f894b167be0b9a9aebe
30c92f406ae3062b4e005828aa69e5fc44a78e01f09c600779fe5fcb019c604c
ec84ecaeb3ad309087734067a8336a8259580dda56b637b437ad994d6758a74b
96be8ff9b843492bed68b3c607dc752173eba06304f36de400c803fd6dc4635e
d80b243ce613fad00db08c6614db68527af554e6d3996aa06609ba811268089b
b6fba9803a085a82700599c71a74b024193fde59071fca8b0fb4b33fbb1171f4
f21c6190f1b5ad0e9de92ac6d341f7e2143ac5b3ea62b481a79336afbe6444ae
e3863e4304db2fadb48a0589ca8851c6d2186cb5e5ccd219b2bf3e5be18fa074
46ab939c8a747eb5e24012593cd89c0744940834dcf4ef028f5d908a98e073b3
7827ebf2c67e413ba80e41ec6d7d331a43d99e4107e20e9dc2850bccb9f33c1d
8d4f72a9f6a1a2e992a0e2904cfb4d199b18e6878931e148a0c270482d412500
6cad140e13b0cd2c2ed202a1008a0c4a15c34dd1105ccd62ff73c835aa3c5992
41a01be3dfec29fac73d73c6dd01de8d07d9115d2c2fb86b716e057ec5b6f353
7014db1fb3e4a01994633a2998e993c93a2c16a6a264abc25d86a929442fb3bf
7e053d298965b097bc2dd286aa38c056f94492ef03bd0c733211a7ee08805d79
0ebf1aa037d9cdc649e37b733275d018355cdde6f22f6c5532decadd43b99233
8d563a1972dc04359f7b2c710012276e85aebae7ef3919c513698d188150bdd3
710a8387a7dfc277fd58e476667067fd9ae73d1f232a79649cccae0603069e41
0fd5d12ecd023e00a35c3f22158709f4088e49c3b9fce7ac6ebbf7228f874978
83a67433a17f3565f30448747517bebf2c480b72e5d522a0e8df177a96d3a76d
c3bf1045d08ef3e29e8939ec75136e13b65dffeecae117058def55b6dc482d23
9dcf3ece764566551def12bc3103fe9764fa2622f45a305aaee038553a004e7c
e6a2459cf9c9761354d70563bd3c7c2b3740f68c03a35b5e7852a70919a45744
9072d0cb6d5f4ce2e85009eb965abd3c964b277bacec1277be23f46acde7c091
7005ac49242d30c3db32269e5029a253987ce6210a7fa53cc227acc7c71095c5
dc951f02c05c7f121e711adb4521869c66fed07ff3d0afe0062075dbd09805a8
b3458d317bb1d899de66eb3f3a50eeeaa1b8d2c7f4bd8e425a60d3fec697f3eb
a89879f3588fefc68f0ae7e4488158e3e8dbb959fd011b4cdf7caac915e9c4f3
9b08d6daf3eb76414c8e54f259f0c103264206ca4f56d56b977540f39b287814
0e13c6b6934ae51a0f8b2082e5cde777d75093e105275c1422d702d9ba336d23
3a4af1c874707ed02912ad75e46f0a5c4e2d06d0e592a1494d714fd6149219b0
db4b2b7994ed1cd49bea3181bf97ba163eae0c48f17a82586432d8cf2f9c0091
d055a2cfcc1c1c0399fbfd53b30b21083aed57ec6677f3fd4db61ebf01561356
ef26d97e748a6dfbadff05c1de384afc015cbf16fcfa3052f533c0827077198b
b6fcfa65d7b1a57400dafb8d0dccb9af9b70ac8a2a801d1bf221f95f3ec58bbc
b9212b5890e6c7cf4b56d58c67e17376889cdcef4b5fc68c61693a20785cd78b
99f2fe4de913e06bc5e11fee9f53605dcca109fac75382f772e6df5be15169e9
7d9d7c212fd9abba35e546d74732283a3bab58f1d2c93d55bd496b1970e307b8
e40aa48bbd379996e93f19561ea54e5f0059efb319fd68b7fcabbb0ee4f92a26
fbc03c46cf9cc6b4694a5fb659f4d815c19902a4ee8359557744c934a7813e50
07f743e4eed0f2153b18bc67b807e5b87e529c7c1cc85fa046a01f9367c95894
a4ce09752fb325fb3ec8de3ec1beb05ca3c92015d1ed8c48fd0b9e3a57cd8c51
303d4734d8dd9ae4b5440ba7c01dc7c3359a5a05b492275ef44c55c5d2ef87c9
8a633d717c4509c9c447ec5a237c9b53557622c23d3ffb6e2b8f6bad668cd637
3c8eed8e725d7eb608c751cbaa7bcf13e765dcc34f73145985e22eb61abc2873
4f9461979dd96c91f8314ba8384f78948fd2da6b251b1f8b4e9e16b087f833b0
4524b3d7da9557b4a86a91653dbd8298d520e56038bc1e5a663dcb83923c7325
712cf06bcef3ff8dccd7d96981de689bd1913610594ea2475aa99eee31654837
d4b60a5225dd6edc3d0fc961e00cd88b9f8afe777655e1da1ad0435a0ce40be6
a35cc9eb427fb3ebddef87a9ffa5eb38eedaca33ba2419757de62c6ee1669948
b4911e503858d4b265946254141a9d9c040cc65fc020e5dffdecec34bf324991
f8240f83a9ee488242a787d18a49f1fe7fa4ff8eadf8b9a991c9952cb4a2a6a9
2ef5a24a26c31f7354dfedf1fe3479fd404033790eba2592f3ee4f5a5a3f687e
7211f119a19a735056b60fd43deeebcb49354f3bf68b445938b301d61502c7e7
421598a5b3994cd97d39509c4a09207bd2b8ed3deeab1338ebfded4d502aeaae
a131b5cb6dd4b0daeea80eda409b3957fc9d7d33b0a4058e19d28b9cdebb51b6
4e1e7978279a0ae65856db0180a0fde56b17572d1483f15bf56a6875ac0c045a
ef23ff8a80325edc27eb986c68f8737eef07742ed585fbb49ca0c3fb1690ee7c
3bb4266482ffb1bafa94082f9f98831a2367c103185437770908d9179d0d1a59
bda02fb8758de2721d45b4e65c94bc281718b96f031f0c4e986972451f476977
4ea02cfc5dee244e50128bd84562f0356b8b58ad3bb1410a8d4d924a3a3e310f
225e87f4a47b380ad07553d8fcea19bc8a686ea6be15a07a54677e2b067ead09
7b99eb0693073004b828f0ac63bb71d05ed9cca91991ad630005c3f455da1c21
9bd5bd6891d1c38900c158fd3013543e4c35bdef04a56886849cd2ccc6335996
1aec625544d7297ef76db7df096e0d63d4b2705bbeeb1ad1aa4bec20c7a93d22
c86acfef833e45c28717304e0fbaf8407c9e319d570f5e5fb0f303347ebc24fc
63cc875b5edd3a9f771fbc43e0e2235a8e840f99ea02514bfc8d694f6406081d
bd9339f6b96d7c1ca13a10f70fcddf951f80ff1233afab93d1a5cd8a1956c49b
3cace41bacb82f01060f9defee75a5d2a31e9bc2a7613348f40efc44dc39ddf5
cc58ad1f7a097f077f06b78e21c1f5a01007cd98613b602bb22b95751920ba80
5f00a3e3aed705d4a8c32713a26070d82b8df4db04e1bbe33bf4526f62c367bb
eb87cc7e5c1fccdc6289e874375a259c15a7da612d4ddd24c1e1920277f16017
9559d9c18f1f21cb011d6c20a269528879916787c65e3f26f0a4a3c75eb191c2
440d10f656b983b2fdb491de044f3b653094dc6c6e624ffdc8841faeab997515
a0daf680f08dfa7bdce07a5530cbb05149208bf4c1e4b438dec354c549429be7
dab65ddf9abb092aaf3fa22d50d9ca6312b97defea1265ce0ddb5f95e28dafde
d0d4c39556123434d9ea63aa64f4912575db739f34cb2498f4a0971f646d500c
401840c36336f6fc88e312b927f8bee2d35f2c847734b67d4bf934b6044ee672
dd3af4ccaf956ecae50e8e37cb7815de4348c60d5cc985b212739868c380b698
8337b90fc5a37cdb13bbe31c992f9fb3fb769451efd97fc5f8f24d449fae7b26
c48c025004e72306ea5c9f9a98dcc65f682a359fe0e00dc6229cf8f6a1b0019e
cc4d763568a1fc082f9fa7c7f8aebf175aa86bf8f3c871eff075d61bf0406a5c
6014609d8cc2cc246bdbbbefc55c695187a5398de6b4cc159e2f9a2de149309e
bb504236d94c731d1c7c1792b6abc6f995d15aaf77807cb8ac70f53762d50c2e
40ef33f14fb36cc5d6fbea94f39b081255e17467b4f426ddb78152afe434d4c1
446302adbf60d1b83c6d9ea50bead0caf193c4ce3d3ac8726c77299f3aa3b967
1d49b08208b5bed704b8a3375b23acd7ef70ebb72d201435082ba0d64572ea58
7dbd0622a6607f9b0e660a3cb5ba15e7937ed5f8158e73e7be0297deea0aec14
a41de1f0b56377bb462a66bda76a0009c3e1a5526a970aa53f3c70bcdfd9303a
fc3fa9a5c6083893dd564dc45dfb736ebefbb529d27758501f9a29e0d727339f
3d3e9030a7f18d10d9a89b9d25ac519fd62fd307d098113d477c7a0e92f02382
c84537973b86166aa9be5395f16c7669bf92b3e83abfe8f714fd2a75e8635bea
050013d717665040dd10226b304f8bcce5ce041b1439d18b3bfa0092624a6374
cdb95d02df827debe9f841bfd5cb361a8a2d634e2f8ca4bd8c5c767d0d7b17e8
20a32c84351434f658a3afcbfc2619272b34319db69e28ee80d96ade9a90baca
3b944039d60e3df7103088844f66a6000032d806bd8673a6bbdef4023adb6652
a1da11e6d5799b905f7f39799a63be6c9f1b9eaf7166737ac384c843fc0db448
4057f33885b360e27e1dd37296a0a5579f55c90e9c6c0d75cf38ee46b3fe6bee
d385c8dd8a2242e7601b85230d605a49568cddfbcaa890f54859de7e4b6cd894
d6170783f0f121c452c5d140ea9692c8e96906acedb7f774d814160a22a312b7
151754b17a295353911712a405a969650c46a56a980913a99d9a99b23b55f1ac
141398e4cab2c24c9df53d19f3310a31c5edbc39e8dc64fec46003b2f6255f4e
4a8e7710aad3b1a23f3a8255f1327c53301856f18ba4291efd7c06da109658c1
e24594aea71eb049bfe6bca5a8288426f0b20076d45c18fc06486843c9f6b16a
0a8651b6e9d4332c65157c102d6f75a9fb73b082587fb94e0707a15030d27825
9104e853db817d29672ee5ad05e06415466efc0fbb5529449a178414695f0114
554543925d158b12b6034fc16203122545d01d345a709f1bfded57a79ec2cb3b
7e36265ad76fa6f482fdc09bcf491768d50a06a81fdb932f5b0b995d7af2bb40
cc81fd50c7c8174f158219f8d0d01e07b320af642961687a0b9e8aaffbb97964
670c762d3acd0b07376b7b0575d82c565214adc39fef918b0a394a17444f19dd
5e56bcd39242f8d48c804eec6f29aad9b21a99ac371cbc9b400c19883b1229aa
750bc1c8fab8e36ae31a59d447a0c4c13dde41c0a95bf79def846fd98ba759df
50ca44cd9e6ad637a5d72c02971497d62f3ac9b6b50acf8c66a3fe2f75e1ec9a
60a853a08df950675c661f9ca5dac39932e025b7cdb9a558534645d0a6e5dc41
SH256 hash:
926979379368085e561b9bd88832bd7fe93927dad7eb254b63c66622e0664623
MD5 hash:
b63f4cc6fbe0f2e53e842b5a95c91940
SHA1 hash:
c3f3f7775a4d4a29e81521db05fd309b7ed04c78
Link:
https://www.unpac.me/results/72f34213-cf3b-4859-a909-a6df852912c4/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/926979379368/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/926979379368085e561b9bd88832bd7fe93927dad7eb254b63c66622e0664623

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/449559/

Comments