MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942
SHA3-384 hash:	2ae3946b0b9917a5e4303cdd57bd94c874154da74eb3c8f0efca671ead7b1448c3b1cb9324fe29629a8de919ce87e41b
SHA1 hash:	a6c33fa5270472b83ae0d1befca27992d9818bed
MD5 hash:	2cf8e266b09bd2f4010b7357616241e4
humanhash:	purple-solar-high-mango
File name:	Setup.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	1'733'632 bytes
First seen:	2026-04-02 21:28:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (99 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep	49152:zawM5dOa4jE3G/5vpRz9cgufOfOCNVjJRz2+J:2JIoWogKcOCNVjLz
TLSH	T11985120706D52862E6B11674C1E34396D332FC560F31669B2AC07CB8FD77AC96632B9E
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	3369d0b6b6f07022 (1 x Smoke Loader)
Reporter	burger
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2026-04-02 21:26:54 UTC

Tags:

autoit

Link:

https://app.any.run/tasks/2dd7cb1f-5037-4285-b0f1-aa0885f69c3f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/60289/

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Connection attempt

Sending an HTTP POST request

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-04-02T15:04:00Z UTC

Last seen:

2026-04-03T00:57:00Z UTC

Hits:

~10

Detections:

Backdoor.Win32.Agent.myxeww Backdoor.Agent.UDP.C&C

Link:

https://opentip.kaspersky.com/9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/03a51b8c-5df3-4c3c-bc3d-1aa0a681fd2f

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1893079

Signature

Found direct / indirect Syscall (likely to bypass EDR)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal from password manager

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Uses known network protocols on non-standard ports

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942

Verdict:

Malware

YARA:

6 match(es)

Tags:

AutoIt CAB:COMPRESSION:LZX Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 64 Exe x64

Link:

https://app.malva.re/file/2cf8e266b09bd2f4010b7357616241e4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942/

Verdict:

Malicious

Threat:

Backdoor.Win32.UDP

Link:

https://tip.neiki.dev/file/9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942

Threat name:

Win64.Trojan.Qwexlafiba

Status:

Malicious

First seen:

2026-04-02 21:29:04 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tmx2kdk7jaj2yc3x5bltx5tmvqbpotfdvfnokujacpi7ozmjhfba._file

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/260402-1byblsby5n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Unpacked files

SH256 hash:

9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942

MD5 hash:

2cf8e266b09bd2f4010b7357616241e4

SHA1 hash:

a6c33fa5270472b83ae0d1befca27992d9818bed

Link:

https://www.unpac.me/results/fe048005-4be2-4faa-be9a-03dbcf3502d4/

SH256 hash:

5d69a932a077fee044b193c28e84564143f5c7e51079ab48e88fef74ab0b77b7

MD5 hash:

80cdd5f19d704a001589976bae277bab

SHA1 hash:

96bb030389ac938c5ebc6bd2e9fcc86a10e5f2fd

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/fe048005-4be2-4faa-be9a-03dbcf3502d4/

Parent samples :

0f5e6d6347edaae85d0a523d7950ed4d669f1ba4394b68ddb205286ccfb7b08e
1e5f4b3055968c4c7ca140c4ffa06c318472481a1717a9887a62dc2a509859f8
9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942
7b56f314650a2b9042ad6cad383b71ba9d2a9cddb5edfc73d2100bb47c809786
c75b512cabcd93a14c3561deeb3a42c1437a12b20d46042a869bef99c2c252a0
c319582f5055ba85151a0c7c2d4a5705ae5fafe23f0427d91a269b200a0843d8
0d74b62b5c4ac836cc07493880d5be80e7f61443e4cc13d209ebb8932342c74c
2530e6273267a83c2e2d978aa4f915598d9ddf658aea2276d0df056d64c83f7e
6e9af975a383fd0377d120f73887661d13a9e24933e7ad2903e303b06e3a2571
f07a03da99b4539d1f9f83b9a39d3e26474ad0137d0a9e35ad57106331cd0bc5
9597f336130e6e7856244212fdee4a3a1c61026ff2db481f6955b15ebcf395a4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9b2fa50d5f48/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b2fa50d5f4813ac0b77e8573bf66cac02f74ca3a95ae5512013d1f765893942

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/60289/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample