MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94ff4e97196284c9e00726860f888276b1470ca9e0d47a19d7b917de927829b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 18



SHA256 hash: 94ff4e97196284c9e00726860f888276b1470ca9e0d47a19d7b917de927829b5
SHA3-384 hash: 79b4cdecc2268e5e0eacb8dbafe3ec091f8f4cfd60444842cf1f09c0859d78a84068eef8f349e38eeda9d1554b73df5a
SHA1 hash: 8c2418788690bbdfcc4f07861653a871328459b6
MD5 hash: dca881c5f7bc04e6bdd77dedafd8335a
humanhash: mars-don-alpha-speaker
File name: file
Signature: Smoke Loader
File size: 190'976 bytes
First seen: 2023-02-12 16:45:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 66371b98ea4d8c3d9668fd350065be37 (8 x Smoke Loader, 5 x RedLineStealer, 1 x RecordBreaker)
ssdeep: 3072:l7BM+rGmY5iPomJT+X/eHS//ajIU76KRaUV5a2TzZY/:hGLaPoOmGy/y56KF5a6Y
Threatray: 20'360 similar samples on MalwareBazaar
TLSH: T1F814CE1179A2D0F2F19645749835FEA46AFFF8A1936BC1C723C81E2F0E203D15A7935A
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 3465697170606060 (1 x Smoke Loader)
Reporter: andretavare5
Tags: exe, Smoke Loader
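The imphash listed above is shared with RedLineStealer and RecordBreaker uploads as well as other Smoke Loader samples. That is the expected behaviour of an import hash: it covers only the import table, so every binary wrapped by the same packer or loader stub produces the same value whatever the payload is. Treat it as a pivot for "same crypter", not as evidence of family. The block below is an added example, not code from MalwareBazaar or from the pefile project, that implements the imphash algorithm as pefile defines it (lower-cased DLL name without its .dll/.ocx/.sys extension, lower-cased function name or "ordN" for ordinal imports, entries joined as "dll.func" with commas in table order, then MD5). The import table it hashes is constructed for illustration; the real sample's table is not on this page. One assumption is labelled in the code: pefile also maps well-known ordinals of ws2_32.dll and oleaut32.dll to names, which this version skips, so it matches pefile only for tables that import no ordinals from those two DLLs.

```python
"""Import hash (imphash) over a PE import table, following pefile's scheme."""
import hashlib
from typing import Iterable, List, Tuple, Union

# (DLL name as it appears in the import directory, function name or ordinal number)
ImportEntry = Tuple[str, Union[str, int]]


def _normalize_dll(name: str) -> str:
    """Lower-case the DLL name and drop the extensions pefile strips."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """The comma-joined "dll.func" string that gets hashed; exposed for inspection.

    Assumption: ordinal imports are always rendered as "ordN". pefile resolves
    known ordinals of ws2_32.dll and oleaut32.dll to names first; not done here.
    """
    parts: List[str] = []
    for dll, func in imports:
        func_name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (_normalize_dll(dll), func_name))
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 hex digest of the normalized import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table of the kind a small unpacking stub carries: resolve
# everything else at runtime via LoadLibraryA/GetProcAddress. Not the sample's table.
STUB_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("USER32.dll", "MessageBoxA"),
    ("COMCTL32.dll", 17),  # imported by ordinal; COMCTL32 has no pefile ordinal table
]

# Same table with different casing: case is normalized away, so the hash is identical.
STUB_IMPORTS_RECASED: List[ImportEntry] = [
    (dll.lower(), func if isinstance(func, int) else func.upper()) for dll, func in STUB_IMPORTS
]

# Same functions in a different order: order is part of the hash, so it differs.
STUB_IMPORTS_REORDERED: List[ImportEntry] = list(reversed(STUB_IMPORTS))


if __name__ == "__main__":
    print(imphash_string(STUB_IMPORTS))
    print("stub      ", imphash(STUB_IMPORTS))
    print("recased   ", imphash(STUB_IMPORTS_RECASED))
    print("reordered ", imphash(STUB_IMPORTS_REORDERED))
```

Two payloads with different code, sections and sizes but the same stub import table collide on this value, which is why one imphash can sit across three families on MalwareBazaar. On a real file, pefile's get_imphash() computes the same thing from the parsed import directory.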


andretavare5
Sample downloaded from https://www.mzeducacao.com.br/systems/ChromeSetup.exe

Intelligence


File Origin
# of uploads:
1
# of downloads:
188
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-12 16:46:22 UTC
Tags:
trojan loader smoke

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Creating a process from a recently created file
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
SmokeLoader
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 805464
Sample: file.exe
Start date: 12/02/2023
Architecture: WINDOWS
Score: 100

Top-level signatures:
Snort IDS alert for network traffic
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
6 other signatures

Processes started from the sample: file.exe, grhtbbi (two instances), D306.exe

file.exe:
Detected unpacking (changes PE section rights)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Maps a DLL or memory area into another process
Injects into explorer.exe

grhtbbi:
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)

explorer.exe (injected):
Network: 95.158.162.200 (ports 49738, 49745, 80; VIDEOSATBG, Bulgaria); 138.36.3.134 (ports 49751, 80; TEXNETSERVICOSDECOMUNICACAOEMINFORMATICALTDBR, Brazil); 8 other IPs or domains
Dropped: C:\Users\user\AppData\Roaming\grhtbbi (PE32); C:\Users\user\AppData\Local\Temp\E88F.exe (PE32); C:\Users\user\AppData\Local\Temp\D306.exe (PE32); C:\Users\user\...\grhtbbi:Zone.Identifier (ASCII)
System process connects to network (likely due to code injection or exploit)
Benign windows process drops PE files
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Starts E88F.exe and D306.exe

E88F.exe:
Dropped: C:\Users\user\AppData\Local\Temp\Dfsoeq.dll (PE32)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Starts rundll32.exe
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2023-02-12 16:46:08 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Executes dropped EXE
Downloads MZ/PE file
Detects Smokeloader packer
SmokeLoader
Unpacked files
SHA256 hash:
b8c138127a493332b964dcf0f19b2011c902cd23a672827816d3d88618076a97
MD5 hash:
a936220cf66ecc8594b53fbd94ca7253
SHA1 hash:
8ba7c23f5e46b697cb297c291153e0dfcc4eae2e
Detections:
win_smokeloader_a2 SmokeLoaderStage2
Parent samples:
SHA256 hash:
94ff4e97196284c9e00726860f888276b1470ca9e0d47a19d7b917de927829b5
MD5 hash:
dca881c5f7bc04e6bdd77dedafd8335a
SHA1 hash:
8c2418788690bbdfcc4f07861653a871328459b6
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
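The vendor reports above agree on one chain: file.exe unpacks and injects into explorer.exe; the injected explorer.exe drops a hidden loader (grhtbbi) into AppData\Roaming, removes the Zone.Identifier stream, posts over HTTP to bare IPs, and starts the dropped second stages; one of those (E88F.exe) drops a DLL into Temp and loads it through rundll32.exe. The block below is an added example, not MalwareBazaar's or any sandbox vendor's code, that turns those behaviours into stateful detection logic and runs it over a constructed, simplified Sysmon-like event stream. The event schema, field names, event ordering and the benign noise events are assumptions made for the example; the file paths, process names and IP addresses are the ones the reports list.

```python
"""Stateful detection of the Smoke Loader behaviour chain over constructed events.

Schema (assumed, simplified from Sysmon): every event is a dict with an "id", an
"event" kind, and the fields the matching rule reads. Paths and IPs come from the
sandbox reports; the ordering and the benign events are constructed.
"""
import ipaddress
import ntpath
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]
Finding = Tuple[str, int]

# System processes that do not originate connections to bare IPs on their own;
# after receiving a remote thread, treat their traffic as an injected beacon.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}
# Directories a standard user can write to, where loaders stage their next stage.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def _base(path: object) -> str:
    return ntpath.basename(str(path)).lower()


def _in_user_writable_dir(path: object) -> bool:
    p = str(path).lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def _is_bare_ip(host: object) -> bool:
    """True when the connection target is a literal IP, i.e. no DNS name was involved."""
    try:
        ipaddress.ip_address(str(host))
        return True
    except ValueError:
        return False


def detect(events: List[Event]) -> List[Finding]:
    """Return (rule name, event id) pairs in event order."""
    findings: List[Finding] = []
    injected: Set[str] = set()  # basenames of system processes that received a remote thread
    dropped: Set[str] = set()   # lower-cased paths written into user-writable directories
    for ev in events:
        kind, eid = ev["event"], int(ev["id"])
        if kind == "create_remote_thread" and _base(ev["target"]) in INJECTION_TARGETS:
            injected.add(_base(ev["target"]))
            findings.append(("remote_thread_into_system_process", eid))
        elif kind == "file_create" and _in_user_writable_dir(ev["path"]):
            dropped.add(str(ev["path"]).lower())
            if ev.get("hidden"):
                findings.append(("hidden_file_in_user_dir", eid))
        elif kind == "file_delete" and str(ev["path"]).lower().endswith(":zone.identifier"):
            findings.append(("motw_stream_removed", eid))
        elif kind == "process_create" and str(ev["image"]).lower() in dropped:
            findings.append(("dropped_file_executed", eid))
        elif kind == "network_connect":
            target = ev.get("dst_host") or ev["dst_ip"]
            if _base(ev["image"]) in injected and _is_bare_ip(target):
                findings.append(("injected_system_process_beacon", eid))
        elif kind == "image_load" and _base(ev["image"]) == "rundll32.exe":
            if _in_user_writable_dir(ev["loaded"]):
                findings.append(("rundll32_loads_dll_from_user_dir", eid))
    return findings


# Constructed event stream mirroring the reported chain, plus two benign events.
EVENTS: List[Event] = [
    {"id": 1, "event": "process_create", "image": r"C:\Users\user\Desktop\file.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 2, "event": "create_remote_thread", "source": r"C:\Users\user\Desktop\file.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"id": 3, "event": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\AppData\Roaming\grhtbbi", "hidden": True},
    {"id": 4, "event": "file_delete", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\AppData\Roaming\grhtbbi:Zone.Identifier"},
    {"id": 5, "event": "network_connect", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "95.158.162.200", "dst_port": 80, "dst_host": ""},
    {"id": 6, "event": "process_create", "image": r"C:\Users\user\AppData\Roaming\grhtbbi",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 7, "event": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\D306.exe", "hidden": False},
    {"id": 8, "event": "process_create", "image": r"C:\Users\user\AppData\Local\Temp\D306.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 9, "event": "image_load", "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"C:\Users\user\AppData\Local\Temp\Dfsoeq.dll"},
    # Benign noise (constructed): a browser reaching a named host, a normal app launch.
    {"id": 10, "event": "network_connect", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443, "dst_host": "updates.example.com"},
    {"id": 11, "event": "process_create", "image": r"C:\Program Files\Editor\editor.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for rule, eid in detect(EVENTS):
        print("%-36s event %d" % (rule, eid))
```

The beacon rule is deliberately conditional on an earlier remote-thread event into the same system process: explorer.exe connecting to a bare IP on its own is noisy in real telemetry, but after an observed injection it is the "System process connects to network" signature the reports flag. Running the beacon event alone therefore produces no finding.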

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments