MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a04acbc25f52864d80fd101aee07ba1817750087610620f57196319a8f0f5bf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	a04acbc25f52864d80fd101aee07ba1817750087610620f57196319a8f0f5bf1
SHA3-384 hash:	02db8947ed8faf0a7ec5d5aaadc63627d55d8350734a4463d57a10c17669f66a5a3aba5a8b38635f6a1447d5a5a27ead
SHA1 hash:	7872b2f738e67e99576058f933f0a2dd8eb8ee75
MD5 hash:	70ca8c33c69fb1b3fedfe4ddef54931f
humanhash:	charlie-eighteen-grey-iowa
File name:	file
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	1'337'840 bytes
First seen:	2022-11-14 10:30:24 UTC
Last seen:	2022-11-14 13:05:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	abf17bbb1d234cebb6ddea72cf750325 (2 x RemcosRAT, 1 x Smoke Loader, 1 x LgoogLoader)
ssdeep	24576:fvqLcwiBDDnlp1N0P3dqLgt9TFDlveX+/Z/TXbxixVJ2kbPjez:fvocpDDnZN4dW89TFJTVXlUr2kGz
TLSH	T14355CF7145F54AEFFAE7183D4906EEAD1E16FA502B63CA03A141DB457A2EC80CCEED44
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0c8e8d0e0b2cccc (1 x Smoke Loader)
Reporter	andretavare5
Tags:	exe signed Smoke Loader

Code Signing Certificate

Organisation:	www.priceline.com
Issuer:	GlobalSign Atlas R3 DV TLS CA 2022 Q4
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-11-04T15:42:31Z
Valid to:	2023-12-06T15:42:30Z
Serial number:	018c2f0e06fbf6023b046d193db7bf4b
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	faeff73ee6fc74b5a05da3d97202d31ea0d68e9712afce883f1f3889b98f2a62
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://195.133.40.10/files/tpApIfKmcFln.exe

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-14 10:33:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/354ad414-5f3e-432b-915f-6b5acc4feddc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/333685/

Detection(s):

SecuriteInfo.com.Win32.BackdoorX-gen.31163.21962.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Launching a process

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/52285/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/637218e807c3f5e84a010a54/reports/2056cc19-a123-4851-82e7-ae5f6218713b/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66a6ce12-8753-4271-8cde-79867fb833a8

Result

Threat name:

lgoogLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1112769

Signature

Allocates memory in foreign processes

Contain functionality to detect virtual machines

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

Yara detected lgoogLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a04acbc25f52864d80fd101aee07ba1817750087610620f57196319a8f0f5bf1/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-14 09:45:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ubfmxqs7kkde3ah5cano4b52dalxkaehmedcb5lrsyyzvdyplpyq._file

Verdict:

malicious

Result

Malware family:

lgoogloader

Score:

10/10

Tags:

family:lgoogloader downloader

Link:

https://tria.ge/reports/221114-mkdfxabh5y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Detects LgoogLoader payload

LgoogLoader

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d0aacacd-dfa9-403e-b16a-6389a7a027d1

Unpacked files

SH256 hash:

d511e4dc550471db89d14a6b22d79306d25781ab573b7ebfeaa06f0d71c3b749

MD5 hash:

9eff463f7598eeeb0ad0ef0ca552ab42

SHA1 hash:

c5a417643556c2725a7a630999e16224a964d4c8

Link:

https://www.unpac.me/results/7f0879cf-5d63-4b35-a03e-9faa2789e2ac/

SH256 hash:

a04acbc25f52864d80fd101aee07ba1817750087610620f57196319a8f0f5bf1

MD5 hash:

70ca8c33c69fb1b3fedfe4ddef54931f

SHA1 hash:

7872b2f738e67e99576058f933f0a2dd8eb8ee75

Link:

https://www.unpac.me/results/7f0879cf-5d63-4b35-a03e-9faa2789e2ac/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a04acbc25f52/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/333685/

URLhaus

https://urlhaus.abuse.ch/url/2410526/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample