MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6
SHA3-384 hash:	cdc441bf404819918dad3ec62d16f36b6081c07256f57a28fadcd3ea4fcf61786a40aed5dea8823110d683618bd23aec
SHA1 hash:	27bbb0630c6a2249dedf0c057d4532f298a6c79c
MD5 hash:	7feeaa2ae078adb6e16237dcacf5af80
humanhash:	artist-november-sodium-happy
File name:	efianswrhenlni4.dll
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	448'184 bytes
First seen:	2026-05-19 08:52:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0533a57ed8da28fef6c6273af538a067 (1 x Smoke Loader)
ssdeep	12288:kIB7TJSTCcVDcdExGlF2QxLI795gqDAsS:5FmVDcdqGs79iE
Threatray	382 similar samples on MalwareBazaar
TLSH	T10C94E1C8DDB7A6B5E29E56BC0469E34BE47F8853342720C9470CA89F064B17F2AD458F
TrID	32.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.9% (.EXE) Win32 Executable (generic) (4504/4/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	SquiblydooBlog
Tags:	exe signed Smoke Loader

Code Signing Certificate

Organisation:	Alilab Interaktif Teknolojiler Oyun ve Film Prod. Ltd. Sirketi
Issuer:	SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-03-16T21:08:15Z
Valid to:	2027-03-16T21:05:19Z
Serial number:	279d96e8e4827c806a3fcee7d39a05d6
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	bd1476587d54a34e4b5f3166b9a6d1ad5d8f78660fb3ae8d8906303f014bb193
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6.exe

Verdict:

Malicious activity

Analysis date:

2026-05-19 08:55:44 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/c7755f9c-8fef-4dd6-89d7-b4dde59642c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/66418/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a0c250d4f2b29ce04012834

Tags:

injection extens virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug evasive masquerade packed signed

Link:

https://www.filescan.io/uploads/6a0c2505861ee596e63d3967/reports/906de5b1-2566-4b07-bd3e-b7ccf89910fd/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-15T14:33:00Z UTC

Last seen:

2026-05-21T05:27:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Kryplod.sb Trojan.Agent.HTTP.C&C Trojan.Win64.Zenpak.sb Trojan-Dropper.Win32.Demp.sb Backdoor.Win32.Mokes.c Backdoor.Win32.Mokes.auhb Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Zenpak.sb Trojan-PSW.Win32.Coins.sb Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Dorifel.sbd Packed.Win32.Redpill.sb Backdoor.Win32.Mokes.sb

Link:

https://opentip.kaspersky.com/b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6/results?tab=lookup

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/945c8ce7-76c9-4faf-a192-7de9eaa30f96

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6/

Verdict:

Malicious

Threat:

Trojan.Win32.Mokes

Link:

https://tip.neiki.dev/file/b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2026-05-15 17:06:00 UTC

File Type:

PE (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w2nibx5uzewstqfvoz6ls4l4ksmm6j3zjwoknm4u33wjq46obtla._file

Verdict:

malicious

Label(s):

smokeloader

Smoke Loader

1f73971eec969fa57692f037335896163ba0fcd78011bcbdb530e4212513ff75

Smoke Loader

2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0

Smoke Loader

387c0b928b4211897c14214aa84cfcb8203a4724a120db336748f1752c4068a4

Smoke Loader

51ed46f160d65398fdc21c866c817b58c85d3e5ddf772983e41e5f20b156bee8

Smoke Loader

6da36358a6d614bd0c98973ee18b7963054c7ef085414e7e45f110fa9308ef74

Smoke Loader

729e593c24f402e38408308ff4f3dac564c9d159788d39941680048b84b35ec0

Smoke Loader

9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02

Smoke Loader

error

Smoke Loader

+ 372 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor collection discovery persistence spyware trojan

Link:

https://tria.ge/reports/260519-ks94qsdt9k/

Behaviour

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Deletes itself

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Detects Smokeloader version 2025 payload

Family: SmokeLoader

Malware Config

C2 Extraction:

http://144.31.203.24/
http://144.31.203.12/
http://144.31.158.255/

Unpacked files

SH256 hash:

b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6

MD5 hash:

7feeaa2ae078adb6e16237dcacf5af80

SHA1 hash:

27bbb0630c6a2249dedf0c057d4532f298a6c79c

Link:

https://www.unpac.me/results/bf274f5d-d33e-4a87-a9d3-25caf594da87/

Malware family:

QNAPWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b69a80dfb4c9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.66

Link:

https://yomi.yoroi.company/submissions/b69a80dfb4c92d29c0b5767cb9717c5498cf27794d9ca6b394deec9873ce0cd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/66418/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample