MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac3195f7ced04d5042e462ff8253575143d75b2a1cc7b446002574b6df304475. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac3195f7ced04d5042e462ff8253575143d75b2a1cc7b446002574b6df304475
SHA3-384 hash: f8b65e4daf9bc185ab11a86563d855bf5f0e8d7dde1866e12854b2e1e4fa734b88e5085fd6e4ef8ab80a8209bcef914f
SHA1 hash: d9a544cade1305dd8632fa821d011120b5aedf6d
MD5 hash: 174034b96e679cc5560c181fb0aaac06
humanhash: yankee-vermont-social-echo
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:377'344 bytes
First seen:2023-01-12 10:00:26 UTC
Last seen:2023-01-13 07:37:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash aa60e70795d973723830cf7229b55a64 (11 x Smoke Loader, 6 x RedLineStealer, 2 x DanaBot)
ssdeep 6144:gHkLWRYYbNus2E/dknEQ0l8EVLFgWXrKQ6naaG28Rrq5gq+:gHk6aYb0EGnEQ0ltZH7KQ6naafOq5
Threatray 7'986 similar samples on MalwareBazaar
TLSH T18E84DF117691EE66F30AF6B12D26CAE8267EFCA04964464733543B7F7A703B0953A30D
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9a9acececee2cee6 (2 x Smoke Loader, 1 x CoinMiner)
Reporter andretavare5
Tags:exe Smoke Loader


Avatar
andretavare5
Sample downloaded from https://mudaongoc.xyz/setup.exe

Intelligence

File Origin
# of uploads :
411
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-12 10:03:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a3472344-eefa-42c8-ac4a-1fc7ef800b87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352220/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3434.10366.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63bfda5ec6ceb04e0778d848/reports/f6a4960c-73c1-4431-a3f2-5fd9595830f7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/08d4df9a-17e9-4ba6-8f3d-6e22f2d3ea19
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1150211
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782943 Sample: file.exe Startdate: 12/01/2023 Architecture: WINDOWS Score: 80 23 Malicious sample detected (through community Yara rule) 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Machine Learning detection for sample 2->27 7 file.exe 3 2->7         started        11 svcupdater.exe 2->11         started        13 svcupdater.exe 2->13         started        15 2 other processes 2->15 process3 file4 21 C:\Users\user\AppData\...\svcupdater.exe, PE32 7->21 dropped 29 Detected unpacking (changes PE section rights) 7->29 31 Detected unpacking (overwrites its own PE header) 7->31 33 Uses schtasks.exe or at.exe to add and modify task schedules 7->33 17 schtasks.exe 1 7->17         started        signatures5 process6 process7 19 conhost.exe 17->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac3195f7ced04d5042e462ff8253575143d75b2a1cc7b446002574b6df304475/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2023-01-12 10:01:06 UTC
File Type:
PE (Exe)
Extracted files:
68
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqyzl56o2bgvaqxeml7yeu2xkfb5owzkdtd3irqaev2lnxzqir2q._file
Verdict:
malicious
Similar samples:
1e2900a2e5335d8e39efbe152f5b885c9a4a2e44361b85038e96c9eee3da8cbd
Smoke Loader
2f2c73a52b2c9975df2b1f9ccde2a8eb77493bc5d3e91a16d5d0eb3eb3ca9942
Smoke Loader
3f577a96247e908ae5812fc07c3fea0673ff0f5ca47c0bdaf74920ae849d4147
Smoke Loader
723f833a06244d7601591949fae724e0176ca30ae9582f86848d20ffe0e33b77
Smoke Loader
922260358cff0b48e0098db3eb36065cfae990c0bddb75b21e2fa8ed9c1edb3e
Smoke Loader
9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b
Smoke Loader
bf01948b8e3994d7e97124604495e7f0277fe622fa9bea301f161db71c6d5b90
Smoke Loader
eec693b1859baf23d3fba5ceb3fe43825803114ff524606ae4ad57c4ce4990b4
Smoke Loader
f225e43f3103ad25557eeb0c40be9958ec49d6b857f1ba571027f506c0a0e081
Smoke Loader
f59b4d323a8a84c1d584b34762081f40900ef81022b6c7a6be0e7f09061da809
Smoke Loader
+ 7'976 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230112-l175saff74/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/861caf0e-dfa1-45e3-925c-a3efe1239aee
Unpacked files
SH256 hash:
6b3a7b3c4f97e9113a7b170c762a30a586494e61739a3dd176ca4e0132d03d8e
MD5 hash:
261ff5b4d666e2243053d55618e6efb1
SHA1 hash:
bfbc8609ff34b95cda6b0a6f3b5ea5ba6337161d
Link:
https://www.unpac.me/results/edc50fae-2131-4bf0-95b9-af34a6786071/
SH256 hash:
ac3195f7ced04d5042e462ff8253575143d75b2a1cc7b446002574b6df304475
MD5 hash:
174034b96e679cc5560c181fb0aaac06
SHA1 hash:
d9a544cade1305dd8632fa821d011120b5aedf6d
Link:
https://www.unpac.me/results/edc50fae-2131-4bf0-95b9-af34a6786071/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac3195f7ced04d5042e462ff8253575143d75b2a1cc7b446002574b6df304475

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/352220/

Comments