MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b678af056fb5ba8a60e4cfe7b6710fb128962214da26f723ea46bdbc9c978a1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b678af056fb5ba8a60e4cfe7b6710fb128962214da26f723ea46bdbc9c978a1c
SHA3-384 hash: fcde81f26afe1d8ad469536672673e42d7e1c3fcaad408254db020b364faca60818b7bc6b9dad9c14cb637732b7a8974
SHA1 hash: 05d2b2e060f23f660bf074684ed4eaced14a52d7
MD5 hash: b2f54b512a7a662ebf9b59bf2aa6b6c4
humanhash: missouri-stream-nuts-december
File name:b2f54b512a7a662ebf9b59bf2aa6b6c4
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:3'998'720 bytes
First seen:2023-01-20 20:58:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f59055ddf5d9b2bfdec5b43ba63509a2 (12 x Smoke Loader, 5 x CoinMiner, 3 x Tofsee)
ssdeep 98304:cFLRui1fvqa7UmTiZ84MQoxeHUs++Upy0FkH:4pq2UVZXMQR0Vy1
Threatray 573 similar samples on MalwareBazaar
TLSH T11606332279A17590E61A8E73ED1987E0E17E7D41FB2C63071635672F0EF42E3861B781
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3c5c949494948cc0 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
b2f54b512a7a662ebf9b59bf2aa6b6c4
Verdict:
Malicious activity
Analysis date:
2023-01-20 21:01:04 UTC
Tags:
danabot
Link:
https://app.any.run/tasks/8f767ba9-2adb-406c-b2c2-2ac10400fe0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355154/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
glupteba greyware lockbit mikey packed
Link:
https://www.filescan.io/uploads/63cb0097447edb203afffaab/reports/027136e8-2eb1-4267-8dfc-951c12cbe5d1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b98e58c9-5277-4808-b528-1602840df661
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
63 / 100
Link:
https://www.joesandbox.com/analysis/1155860
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b678af056fb5ba8a60e4cfe7b6710fb128962214da26f723ea46bdbc9c978a1c/
Threat name:
Win32.Trojan.RaStealer
Create hunting rule
Status:
Malicious
First seen:
2023-01-20 20:59:10 UTC
File Type:
PE (Exe)
Extracted files:
90
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wz4k6blpww5iuyhez7t3m4ipweujmiqu3itpoi7ki263zhexrioa._file
Verdict:
malicious
Similar samples:
1f984f06dd4dba858766fd2e8d81877e9738f8b9dc6706ce69b7b6e596c466d6
Smoke Loader
3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f
Smoke Loader
51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
Smoke Loader
5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
Smoke Loader
81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d
Smoke Loader
8f6df7df63e769169784c8909e9138c0aa632cc23a24ecb61496fa152230ae07
Smoke Loader
b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d
Smoke Loader
e8aeaf935d69a1da8e8838c9744b0e6df06472abc0120c223c6424833f2ee17e
Smoke Loader
fbd172f7f6c9e4b8c915d7ff24d40ddcad456223407e383b2230f24e046031bb
Smoke Loader
+ 563 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/230120-zsp6wsbf9w/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops desktop.ini file(s)
Loads dropped DLL
Blocklisted process makes network request
Sets DLL path for service in the registry
Sets service image path in registry
Unpacked files
SH256 hash:
46a21f08348863ffb386d5f63d862996dd4582b26f6c50d9f6cdab060783728f
MD5 hash:
92eb072abe9516f311af4d55412b4245
SHA1 hash:
91c0872cffa4a750438f14c3938bb4decf738ef9
Link:
https://www.unpac.me/results/852b689f-aba0-4517-a44a-8668cbd1a7aa/
SH256 hash:
162bccae78f2f9cc6269cf0efb47932c2c960605d7566efc74406fcb4d5e12bd
MD5 hash:
45362b82ed9eca7194a8d7eb608ac19d
SHA1 hash:
2f392ff53338448731f65ad4679e686fefd1ac52
Link:
https://www.unpac.me/results/852b689f-aba0-4517-a44a-8668cbd1a7aa/
SH256 hash:
b678af056fb5ba8a60e4cfe7b6710fb128962214da26f723ea46bdbc9c978a1c
MD5 hash:
b2f54b512a7a662ebf9b59bf2aa6b6c4
SHA1 hash:
05d2b2e060f23f660bf074684ed4eaced14a52d7
Link:
https://www.unpac.me/results/852b689f-aba0-4517-a44a-8668cbd1a7aa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b678af056fb5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b678af056fb5ba8a60e4cfe7b6710fb128962214da26f723ea46bdbc9c978a1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe b678af056fb5ba8a60e4cfe7b6710fb128962214da26f723ea46bdbc9c978a1c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/355154/
  
URLhaus
https://urlhaus.abuse.ch/url/2513703/

Comments


Avatar
zbet commented on 2023-01-20 20:58:25 UTC

url : hxxp://195.133.192.11/japan.exe