MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5661acc8929a180b9c38ce7e49bfeb3f75fdd7bd4ec96e28531aa51db4b2926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5661acc8929a180b9c38ce7e49bfeb3f75fdd7bd4ec96e28531aa51db4b2926
SHA3-384 hash: fc6a3ad67f72b4d87b252ca510a4ab83632e147e4128a1e0ffbdf0516683cab2fabc62a0af355e46873d68fdf3a62bd9
SHA1 hash: 99d917a1f93ce430ea26c139c3c0132634f910f5
MD5 hash: 229e4cf2ee9edf5e0afbffc209319751
humanhash: mountain-cat-fanta-spaghetti
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:1'156'608 bytes
First seen:2022-12-02 15:34:12 UTC
Last seen:2022-12-02 17:36:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash adf05e4ae4084c6bf3a2c6a5da309837 (25 x Smoke Loader, 15 x Amadey, 1 x RecordBreaker)
ssdeep 24576:LUFqlmaQ5mTReNr2wPhkNtR72SkVsgySgQcvF:LUFLUsVvPWNtl2jVs/rv
Threatray 29 similar samples on MalwareBazaar
TLSH T1A6351234F865E4F5E0E502FD9431C7ACAB6BA5329A24D50E23596F2E6DF73E011223C9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8f8b4b4b494ddc1 (8 x Smoke Loader, 1 x Tofsee, 1 x Amadey)
Reporter jstrosch
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-02 15:35:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/296455ea-6347-4b0a-9df3-69ba0b9fd288

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341942/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.25946.10246.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending an HTTP GET request
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/638a1b271241e6c742997ebb/reports/b038b149-69d2-4588-a222-cf99745e92cf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/727ad25e-9ab3-4efc-bc6c-faf12eab9650
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1126615
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5661acc8929a180b9c38ce7e49bfeb3f75fdd7bd4ec96e28531aa51db4b2926/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2022-12-02 15:35:10 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvtbvtejfgqyboodrtt6jg76wp3v7xl32twjnyufggvfdw2lfeta._file
Verdict:
malicious
Similar samples:
0aedafe02dfc6eb2c72ce586ba7fbd0ccfc8eaeb41c526d5f113b13868a3402f
Smoke Loader
33e5fba229cd60c6dec8badd3d0f647d35073e8d26e50179fd2b0273a96103c9
Smoke Loader
ae75ea24367ee8472c936fd70cbc4428fb83ec546f2cc17def3c95cbf6abd67e
Smoke Loader
cda8ffa2a84daf8097f5ca919b6b350cd30b697565bbae6d8adbfab217d476e8
Smoke Loader
dd48b654a29ffa4f76904123aeb256369e77d202f7d21773999c2258078ae947
Smoke Loader
f15537b765f14194f81e9c422e942e9e04cf49a776a7385ef2c855757a14ec43
Smoke Loader
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/221202-szvavsba42/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Drops desktop.ini file(s)
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1e01533f-aece-4934-8122-cb76dd2216de
Unpacked files
SH256 hash:
18bf2c13aa96e608c582a727eddca16ef7d90f240be59331db0d61349d5fc51c
MD5 hash:
9ac992e6aa4aa697f968da7adfbc9246
SHA1 hash:
f0f23ef0a5139099917a7987e58ade4f247422a6
Link:
https://www.unpac.me/results/3a21dd84-4dbb-464d-b49c-692d69bb71d9/
SH256 hash:
18287e96b79386a58927ee0eda50c42b938041a8dec5e6436783511e7fba7fe2
MD5 hash:
d74f62714b0a09b8ce856d87831a9c4f
SHA1 hash:
d8baac4aa96365fdac6ee0a328fed97ef5594490
Link:
https://www.unpac.me/results/3a21dd84-4dbb-464d-b49c-692d69bb71d9/
SH256 hash:
a5661acc8929a180b9c38ce7e49bfeb3f75fdd7bd4ec96e28531aa51db4b2926
MD5 hash:
229e4cf2ee9edf5e0afbffc209319751
SHA1 hash:
99d917a1f93ce430ea26c139c3c0132634f910f5
Link:
https://www.unpac.me/results/3a21dd84-4dbb-464d-b49c-692d69bb71d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5661acc8929a180b9c38ce7e49bfeb3f75fdd7bd4ec96e28531aa51db4b2926

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe a5661acc8929a180b9c38ce7e49bfeb3f75fdd7bd4ec96e28531aa51db4b2926

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2423260/
Cape
Cape
https://www.capesandbox.com/analysis/341942/

Comments