MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97784d55f348119ac397f0b22324efed0aa7b1c1c181bb2b6b4e740acfa02d0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97784d55f348119ac397f0b22324efed0aa7b1c1c181bb2b6b4e740acfa02d0a
SHA3-384 hash: dda99eacc319f43260f70072ea62ff125feb085312b4790d6dbc1a0f8b8a41123144ea5f724261d5a32c031390112fa9
SHA1 hash: 75f16dd59dbc0aac48dac8ec26ec98f8f2ddebbd
MD5 hash: 5834a3d00cd20b45bd3d905be087b982
humanhash: sink-beer-august-beer
File name:5834a3d00cd20b45bd3d905be087b982.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:856'576 bytes
First seen:2021-09-17 19:05:17 UTC
Last seen:2021-09-17 20:20:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e56b8f875592e725f8372fa466f75b12 (2 x RemcosRAT, 1 x OskiStealer, 1 x Smoke Loader)
ssdeep 12288:RNnBrnT39eHh9pAE6pPnrvQHOgJ8q//CS4/FZ4KPvnk6LHC7WWnMvwfHVBPggseA:35nReHhXknrvJ5K/vtKHngseB
Threatray 359 similar samples on MalwareBazaar
TLSH T16B055C6267C05CF5F03E0634CCC7AA64463EBDF02B58AEDB2EA05E595B34690793918F
dhash icon 4cca4c67d3261aca (6 x RemcosRAT, 4 x Formbook, 2 x AveMariaRAT)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
523
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1c17fa92adb586b40b04cf238e627899.exe
Verdict:
Malicious activity
Analysis date:
2021-09-17 13:38:55 UTC
Tags:
trojan stealer raccoon loader rat azorult
Link:
https://app.any.run/tasks/33db85b5-c13a-4772-90c6-ad8564f21987

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188830/
Detection(s):
SecuriteInfo.com.W32.Delf.AMV.6552.27730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/61753004db358dd15ed92bb7/reports/617fe227-73c9-4acb-b916-3f70fe0e2020/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3906af01-c27b-4ba1-ad0d-8bb736fd7837
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852969
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 485406 Sample: PzdGGOrknQ.exe Startdate: 17/09/2021 Architecture: WINDOWS Score: 100 70 Found malware configuration 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 74 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->74 76 3 other signatures 2->76 8 PzdGGOrknQ.exe 1 24 2->8         started        13 sqlcmd.exe 13 2->13         started        15 Abyqfts.exe 13 2->15         started        17 3 other processes 2->17 process3 dnsIp4 62 cdn.discordapp.com 162.159.129.233, 443, 49739, 49740 CLOUDFLARENETUS United States 8->62 60 C:\Users\Public\Libraries\...\Abyqfts.exe, PE32 8->60 dropped 78 Detected unpacking (changes PE section rights) 8->78 80 Detected unpacking (overwrites its own PE header) 8->80 82 Uses schtasks.exe or at.exe to add and modify task schedules 8->82 84 Contains functionality to compare user and computer (likely to detect sandboxes) 8->84 19 PzdGGOrknQ.exe 2 8->19         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        64 162.159.134.233, 443, 49741 CLOUDFLARENETUS United States 13->64 66 192.168.2.1 unknown unknown 13->66 86 Antivirus detection for dropped file 13->86 88 Multi AV Scanner detection for dropped file 13->88 90 Injects a PE file into a foreign processes 13->90 26 sqlcmd.exe 13->26         started        68 162.159.135.233, 443, 49742 CLOUDFLARENETUS United States 15->68 28 Abyqfts.exe 15->28         started        30 Abyqfts.exe 17->30         started        32 sqlcmd.exe 17->32         started        34 sqlcmd.exe 17->34         started        file5 signatures6 process7 file8 56 C:\Users\user\AppData\Roaming\...\sqlcmd.exe, PE32 19->56 dropped 58 C:\Users\user\...\sqlcmd.exe:Zone.Identifier, ASCII 19->58 dropped 36 schtasks.exe 1 19->36         started        38 reg.exe 1 22->38         started        40 conhost.exe 22->40         started        42 cmd.exe 1 24->42         started        44 conhost.exe 24->44         started        46 schtasks.exe 1 26->46         started        process9 process10 48 conhost.exe 36->48         started        50 conhost.exe 38->50         started        52 conhost.exe 42->52         started        54 conhost.exe 46->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97784d55f348119ac397f0b22324efed0aa7b1c1c181bb2b6b4e740acfa02d0a/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 17:23:57 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s54e2vptjaizvq4x6czcgjhp5ufkpmobyga3wk3ljz2avt5afufa._file
Verdict:
malicious
Similar samples:
08c2e043056e5885236672d75e1f62ca87cffebb47457efc644611a065bfebcb
Smoke Loader
1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99
Smoke Loader
1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a
Smoke Loader
3ff150613fc6d76d5634ae77e3c7bddde0361478d25d11a1830da71910b391da
Smoke Loader
4b989ceef83817dd4a14c9322a2b127a14f98d85dafb99625fe3483cd58dc6dc
Smoke Loader
c5e3325814325c5f2f3d1df8c7d2885668afede1ea40c016266428a0e43b3d15
Smoke Loader
c9b74e819b296f329399e9867d40d7b87477be291ee5509bdde6a7d90778fc44
Smoke Loader
ceed0ebc3f52b44accb06cfe1828133c66665a27146a08dfca26fd77ad6e0474
Smoke Loader
e8f1da4741c215285d9b16ea376624110a1efd44d53d34502ce6386405cfdf31
Smoke Loader
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
Smoke Loader
+ 349 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210917-xr3pgsgcd9/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/dffd3751-5d9a-4d74-bacc-d24aa51b5727/
SH256 hash:
97784d55f348119ac397f0b22324efed0aa7b1c1c181bb2b6b4e740acfa02d0a
MD5 hash:
5834a3d00cd20b45bd3d905be087b982
SHA1 hash:
75f16dd59dbc0aac48dac8ec26ec98f8f2ddebbd
Link:
https://www.unpac.me/results/dffd3751-5d9a-4d74-bacc-d24aa51b5727/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97784d55f348119ac397f0b22324efed0aa7b1c1c181bb2b6b4e740acfa02d0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_SmokeLoader
Create hunting rule
Author:ditekSHen
Description:Detects SmokeLoader variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 97784d55f348119ac397f0b22324efed0aa7b1c1c181bb2b6b4e740acfa02d0a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1323338/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/188830/

Comments