MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a17ab1cf1bf7e5d54d6eb7939b1c9db98829e16d3aa5e5b53aa2474e8ac04484. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a17ab1cf1bf7e5d54d6eb7939b1c9db98829e16d3aa5e5b53aa2474e8ac04484
SHA3-384 hash: 496488901fb69dc5c29b9fd7e56302d171ff2f7bcee8f1f786f967d16c25bc268d86f95029b8923d042b9a7ecb4749ab
SHA1 hash: 1d3518939156b7f1d8f6642060ba399f4169bb3c
MD5 hash: c0a29ba7239037b7c42bb681c26a1c16
humanhash: lima-one-twelve-bulldog
File name:Eymnsvpmirandusbuild_s.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:31'744 bytes
First seen:2022-10-15 08:13:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:cItwdUuBLoPpL5LwL/LwJffVGk+yT3B9V7Wt5pp4cMtobsaOQb4zX7o8N48REKis:cI21w90zgrT3rVqVhMtovzby68J
Threatray 15'628 similar samples on MalwareBazaar
TLSH T1AEE25DC3F71A89B6CC360433D99743C05A3FAD2385724B091EE475D66AFB621DB21B86
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 79fc96a292b0e060 (1 x Smoke Loader)
Reporter iamdeadlyz
Tags:exe FakeMirandus fortuitousopportunities-com manctelayaller-com megalinkbj-com-br Smoke Loader


Avatar
Iamdeadlyz
From mirandus-game.com (impersonation of mirandus.game)
Smoke Loader C&C:
-> fortuitousopportunities.com | 173.236.189.74:443
-> manctelayaller.com | 188.116.36.174:80
-> megalinkbj.com.br | 191.6.208.9:443

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/320568/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634a6bcb455bf4ac5c711db2/reports/e045e73e-73df-4379-a6c8-3f0b89e15de3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/48511a24-a622-4609-b1e5-0055870b228b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1091159
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 723769 Sample: Eymnsvpmirandusbuild_s.exe Startdate: 15/10/2022 Architecture: WINDOWS Score: 76 21 Snort IDS alert for network traffic 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 .NET source code contains potential unpacker 2->25 27 3 other signatures 2->27 7 Eymnsvpmirandusbuild_s.exe 15 3 2->7         started        process3 dnsIp4 19 fortuitousopportunities.com 173.236.189.74, 443, 49696 DREAMHOST-ASUS United States 7->19 29 Encrypted powershell cmdline option found 7->29 11 powershell.exe 16 7->11         started        13 powershell.exe 11 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started        17 conhost.exe 13->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a17ab1cf1bf7e5d54d6eb7939b1c9db98829e16d3aa5e5b53aa2474e8ac04484/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2022-10-15 05:44:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
18 of 41 (43.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uf5ldty367s5ktlow6jzwhe5xgectylnhks6lnj2ujdu5cwaisca._file
Verdict:
malicious
Similar samples:
0a869d139f509a45998437cb390ae80c9d5581bf615666e0535b0dd157f9e0aa
Smoke Loader
413df54020a07f08c1f1155d3a6673354016fc5c2cc000639a5d0f2927818635
Smoke Loader
4bcabec27b62127148e5a986ab1d36d6485e686f03ab012d3631be04b82c29f5
Smoke Loader
6a674b99bd769a8d3192367622ad61a7eb6f4b005c67a65508a5e99791fe526c
Smoke Loader
9579f141b148827a8307419bfe076a7e9ab2f21665b8dd8467ca480be1365d49
Smoke Loader
959ea8a8a70894ff36a9d299ec85a93312193987c72716e73bb47840dbeef3a2
Smoke Loader
aee569aea573e28a8f1463fcf8adee607449633bc2e16974b3d5e529b84c9d12
Smoke Loader
f8e71f18713a21ba7b1f935a745a5321f9bdaadb565cb40b7055e3dc25b43d3e
Smoke Loader
+ 15'618 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221015-j4zxgafdc6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9120e1c4-27ad-43db-a280-ead0f7b12670
Unpacked files
SH256 hash:
a17ab1cf1bf7e5d54d6eb7939b1c9db98829e16d3aa5e5b53aa2474e8ac04484
MD5 hash:
c0a29ba7239037b7c42bb681c26a1c16
SHA1 hash:
1d3518939156b7f1d8f6642060ba399f4169bb3c
Link:
https://www.unpac.me/results/54e76fed-dae0-4c31-99ab-d0025e0e1efc/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a17ab1cf1bf7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a17ab1cf1bf7e5d54d6eb7939b1c9db98829e16d3aa5e5b53aa2474e8ac04484

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

zip 544e9e426c9cfc511359a949e018d4b367067879a5a997d3e6eae534b88c7093

Smoke Loader

Executable exe a17ab1cf1bf7e5d54d6eb7939b1c9db98829e16d3aa5e5b53aa2474e8ac04484

(this sample)

3d2424ba850b1295c0bd8e224d7644a60732d1b0a584efa4f33ebbf64e3a5402

Smoke Loader

Executable exe 65974a49b0f427641f96866baacf2ab54717f613adc747812061bb05e4dde779

  
Dropped by
SHA256 544e9e426c9cfc511359a949e018d4b367067879a5a997d3e6eae534b88c7093
  
Dropped by
SHA256 06e5ab41104fa1bbf541a9ef179536c3b594bde142e78826f96287f817fe8c56
  
Dropping
SHA256 65974a49b0f427641f96866baacf2ab54717f613adc747812061bb05e4dde779
  
Dropping
SHA256 3d2424ba850b1295c0bd8e224d7644a60732d1b0a584efa4f33ebbf64e3a5402
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/320568/
  
URLhaus
https://urlhaus.abuse.ch/url/2375805/
  
Dropped by
MD5 32d0d56051872664d6b4e2be1886550b

Comments