MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0a56c3843305f9661b8b64a4f75485c2d107b7d0f7390f959c273a6be74add8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0a56c3843305f9661b8b64a4f75485c2d107b7d0f7390f959c273a6be74add8
SHA3-384 hash: b4c8e595f9351fdb5f5818cbf2d316da670baa73d518c26868d7be20fc5df1e175a19dcc740d3baaecf920bf3a24c484
SHA1 hash: 1b97eb339c49d903eb4beb6947c99fc2472c6e34
MD5 hash: 76c960f9c6f1a032b7c4b56f85d4d5f9
humanhash: xray-asparagus-cup-washington
File name:b0a56c3843305f9661b8b64a4f75485c2d107b7d0f7390f959c273a6be74add8
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:972'704 bytes
First seen:2022-09-07 13:00:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 48c28d9f3783f0e32815b0b4c57a60a9 (73 x RecordBreaker, 23 x RedLineStealer, 21 x ArkeiStealer)
ssdeep 24576:QUGY5srGsBHCqdp1sbtVXsqaC0f7sfzfCV:QyWBHCqdp4cVf7srfCV
TLSH T190259E2139D58532EDE3607A42ECBA23062EF8F007294ACB5688D7EEC6346D17F36557
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter adrian__luca
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
405
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
http://cusara.xyz/f/3.exe
Verdict:
Malicious activity
Analysis date:
2022-08-28 10:59:00 UTC
Tags:
trojan loader rat redline
Link:
https://app.any.run/tasks/c7b3635f-237a-4c0d-9855-d5daa31fcc61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308520/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.91331.15732.14272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36956/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63189616e73fb79b7afdb476/reports/2b0b5590-99cd-4901-b9bc-9185ce9841c6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a01dce00-d5d4-4f28-a7fc-17b87348d913
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066408
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 698941 Sample: hfYfbChbKF.exe Startdate: 07/09/2022 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Multi AV Scanner detection for domain / URL 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 4 other signatures 2->39 7 hfYfbChbKF.exe 2->7         started        10 jrvfbtj 2->10         started        process3 signatures4 49 Contains functionality to inject code into remote processes 7->49 51 Writes to foreign memory regions 7->51 53 Allocates memory in foreign processes 7->53 55 Injects a PE file into a foreign processes 7->55 12 AppLaunch.exe 7->12         started        15 WerFault.exe 23 9 7->15         started        process5 file6 57 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->57 59 Maps a DLL or memory area into another process 12->59 61 Checks if the current machine is a virtual machine (disk enumeration) 12->61 63 Creates a thread in another existing process (thread injection) 12->63 18 explorer.exe 1 12->18 injected 25 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->25 dropped signatures7 process8 dnsIp9 27 ilab69djqhdac.top 127.0.0.127 unknown unknown 18->27 29 ilabv8j4mfd8g.xyz 18->29 31 7 other IPs or domains 18->31 23 C:\Users\user\AppData\Roaming\jrvfbtj, PE32 18->23 dropped 41 System process connects to network (likely due to code injection or exploit) 18->41 43 Benign windows process drops PE files 18->43 45 Performs DNS queries to domains with low reputation 18->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->47 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0a56c3843305f9661b8b64a4f75485c2d107b7d0f7390f959c273a6be74add8/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-08-28 16:18:51 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcswyocdgbpzmynywzfe65kilqwra635b5zzb6kzyjz2nptuvxma._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220908-fwpvraahcq/
Unpacked files
SH256 hash:
3225bf99864a7d9cd2ed9c997373855d9b453f04ec0f150bba1db2d89466f546
MD5 hash:
fbdfcc2c8cd6c28500c40c791d8759db
SHA1 hash:
8c244ceba76cdc8e5d5946f0e7d0657837e963d4
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/2b89127d-7065-4dc9-bfa8-c520d0574e68/
Parent samples :
1224cff781af46afddb80f91b55c4a78d6e452dedddcf54369ed29927586c29a
160fe152cf7fa7ed9fcfff18247c8035916074991c6cb376cb45b515ffe4ef55
7f8bada5abf58a6af13bcfd8a25f260c39003d75c4e946a6c1ddba03e54f2338
91c7ea32b2138f53f659fbcd228f0f26750d6b274bf931ae879a5e10c6c26cc3
f9716dbf790a96f3d63bc5e5f012706e7a78f2e58b045f4cfcec6483ffed7dda
19f3e5cab44c7310b94afb38dbe5d1a55ae69bf95bd69ec6bcb4c339100d7d69
b0a56c3843305f9661b8b64a4f75485c2d107b7d0f7390f959c273a6be74add8
SH256 hash:
b0a56c3843305f9661b8b64a4f75485c2d107b7d0f7390f959c273a6be74add8
MD5 hash:
76c960f9c6f1a032b7c4b56f85d4d5f9
SHA1 hash:
1b97eb339c49d903eb4beb6947c99fc2472c6e34
Link:
https://www.unpac.me/results/2b89127d-7065-4dc9-bfa8-c520d0574e68/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b0a56c384330/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b0a56c3843305f9661b8b64a4f75485c2d107b7d0f7390f959c273a6be74add8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308520/

Comments