MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891
SHA3-384 hash:	2994742a3d38a850b665fd6b8aa6b1907bf785ce50140405cc10455d448a1be0d7cd0ce5a7de222d9072ef12db35f987
SHA1 hash:	8a7f87f5da38e8b80f9a12b2cda135cff3b7d271
MD5 hash:	3c25c82959bd7080ffa4c31642d37bc8
humanhash:	social-avocado-georgia-alanine
File name:	3c25c82959bd7080ffa4c31642d37bc8
Download:	download sample
Signature	Smoke Loader Alert Create hunting rule
File size:	248'832 bytes
First seen:	2023-06-12 23:17:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0e4b3a5d9cc3d6ed1b5c0b9f8a440aa6 (2 x GCleaner, 2 x Smoke Loader, 1 x RecordBreaker)
ssdeep	3072:PbEpKscjIkzeZQHlA+BEfjPqwwGP4PcR2bXw1HNzr1es7P:IpK7jIkna+ibPqR8gxbwnN
Threatray	553 similar samples on MalwareBazaar
TLSH	T1DC34F853EEA17F60E6354B32AE2EC6F876CEF6504E197B6A1228DA1F04B0171C563770
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	016066626a626652 (1 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe Smoke Loader

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

331

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN smoke

Malware family:

smoke

Alert

Create hunting rule

ID:

1

File name:

3c25c82959bd7080ffa4c31642d37bc8

Verdict:

Malicious activity

Analysis date:

2023-06-12 23:20:08 UTC

Tags:

loader smoke trojan

Link:

https://app.any.run/tasks/284011e8-fb12-4c00-a90e-41892cf527af

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox SmokeLoader

Detection:

SmokeLoader

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/398110/

ClamAV Detected

Detection(s):

Win.Packed.Zusy-10003906-0

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Сreating synchronization primitives

Creating a process from a recently created file

Setting browser functions hooks

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Unauthorized injection to a browser process

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90396/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6487a7aac6414862d206bb50/reports/0f07137c-c8af-4c5d-be19-67dc97282083/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9a8c82fb-5fab-4165-9f8e-99136d44f560

Joe Sandbox SmokeLoader

Result

Threat name:

SmokeLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

bank.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1253287

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if browser processes are running

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to compare user and computer (likely to detect sandboxes)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891/

ReversingLabs TitaniumCloud Win32.Trojan.SmokeLoader

Threat name:

Win32.Trojan.SmokeLoader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-12 23:18:06 UTC

File Type:

PE (Exe)

Extracted files:

55

AV detection:

19 of 24 (79.17%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w6gwnxspst6wrix2kga7rmvimxkd6rh3udx37565hkbbltqvhciq._file

Threatray malicious

Verdict:

malicious

Similar samples:

51d2456ed49b7b235750aab87f9bd7d6528e842a284b9b2cec81a58bf8cc37f8

Smoke Loader

60a9e65cdfe4df3b81c70eedff235fcfae330d85b346412c962efa6ad877a4c7

Smoke Loader

6fae76c5a5b11cf96e9f4577b8e3355807696e9462226f4826da83c0107be114

Smoke Loader

7e883ac0d52e2740a28e0c19fb1a6c9490d00d302b934f5b5f2b69b8957c20d8

Smoke Loader

acd063c502b1957bdb4e19c2f677128ff3ba956940a702aa1760e1d2362ff0eb

Smoke Loader

ade81e5ce6c50a24074a17a06b4d4b6625a135ee08d2f505b71a691c5930a3cb

Smoke Loader

b47e9bc0fdba5ddfa2b30048ef6fa2e7dd3f6bd5314d6593d614bd748c970b92

Smoke Loader

d526ffd226eee592efae6c03e95837cb3cb57a3d6f49d93f6aea5eb3747395e3

Smoke Loader

e041ffe88f51cb80473d15d87095bccd986e42697e6e0085b103b25bec5f471a

Smoke Loader

f1c03c81d08462808d190ef79abdd5e55c01f14e406881f5a3f8205801f891e5

Smoke Loader

+ 543 additional samples on MalwareBazaar

Hatching Triage smokeloader

Result

Malware family:

smokeloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:smokeloader botnet:summ backdoor trojan

Link:

https://tria.ge/reports/230612-299b7sea92/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Executes dropped EXE

SmokeLoader

Malware Config

C2 Extraction:

http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/

UnpacMe SmokeLoaderStage2 win_smokeloader_a2

Unpacked files

SH256 hash:

48b6a4785f1dc9f33c51c2e588c7f9edf76e551cff8759ac5622cf995330ff14

MD5 hash:

d9cde58139fef6bf75141230f9662d97

SHA1 hash:

68ac6ee1b78dfa15bfe49229640a0929438029af

Detections:

SmokeLoaderStage2

Alert

Create hunting rule

win_smokeloader_a2

Alert

Create hunting rule

Link:

https://www.unpac.me/results/70405f95-1f93-4d22-ae03-e14b39f392c7/

Parent samples :

dfa65f33e16205d8c072ba1fb3d0f419f0af2e25f1c251d2b1ef83dd822dc476
aa4938085915798a5b6a03db3a04f6b2927d108db0bfac32ca66462f6a406c36
e4ff3d138daf42cc71613a0b2b9131e672ab42e3fc8f12779efa2f882985c40c
240e33c28d618ba23fc7489c03dcc40e3e3d2c84ef959db800321d1946d3dbcf
65640ae45f81e5a0367d374193b9a7958e7e2cba9b4f7e448cd2545a70c2880e
b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891
b2c3517bb90933390df4eb01c6ba36f2a519a69b5bcee703f4889b8336cb7027
5ecd711693f12b243e84e97975eaf2f981016a7cf004841dceb7b9d720bc1f6d
a6e56a741e9aa67f861b574964a4999eb77ca586abf079c1891ca09c7900c713
2f526d3756e8f59616b5f69c9527d4751594ea82464c971eaadfc04216d0b27a
14a81d39c1a2260f7dde336245ab276a3416319e8bea2740107f8da6b5baecc2
57058dda63d287fb506d12c043fe1eb07abcaacb703fb2f8120edefb815bd1a8
9e4e8a3c08c71e24a113731d9b3c6221c79a0d82e9ab0b510e4240257b4d0eee
954a8d78e97e2bb65568d4c5d692a2a9975a330eaa7fae20e4620d18ccbb5881
bfe83b5436233b54ba7808d535042708313d5ec62aece600d943798f5c62efda
fc5c1ed9df3db079ed9b1714c11b5fd8edd6f69498fe6150303ae160884d3c04
e59ad322f3178a7905a9a3c623e7b5d8132080ddc9d2d3797d64939a23611a00
e93e6d9ed58c2476607f4352c2fb03b5247276f5be99840b0db4d546457f20e5
c862c9ce5cc849f7e292a61984c11b3a61a137f71ce19b3e72b653932602a0fc
8c3f095428d5283ec57391611e24689e88aa93e0a6868d6994d2e26761740ce3
455cd1baccbf9b3abc59454a6d80ee72c2db5cb6ffb73a5102b5a1e6eb78599e
45395f6fad7289cb0f9599ed1f578140d5280f1769957c4bba4fb5f6798a41bf
d347eea452c0cd8f233db473bc2889ef05049a6bffef49184120c9d302fa74e6
cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb
2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
ef04fe325737cad04ca603cf3a72a71b86bc51786b696972e243cbd0612538b1
e58ebdf4702cc16c7b5626d7e5a169fda32ecb3df251c9f087c8ad7ad6897672
799c6f0780b063a98ca67e217ac920733e5ed59742300658a747457ef30a3ed8
a5cb5558a1fb53b177fd0a683da3e93c4c0149588c7b06b5b8f5570896bd79bc
5b6d6c1bf6cfc3f0c4b792a2416d52588c22701fc9484c7c0a40bfb75ced4c4e
fc70465d07b9f3eb64e7f5ada2c047cd54b1a10b2790264456c0f76a798b50fc
fd831bc88d1c08c8b8a2e3756569b8fc3c143d516f4a72ec6fbf3c456c6209bb
2cc7483f686c00278ce3dcda694baca322bfbe70e8cf4ec5dd8ec0f31a955625
c17336d7c543eef6427833e8a3f419dd02c7cd2fd7665725732c35e61a354f2c
2c43ca2ea57631cdd00d46b6d292ca82922c239c1ad400a4714134fed8f2a50e
4f2680a213e3345c83f3f0adc9bcf75af76e50eed035b2c54f54b071e115f694
b2f12a3ef735f92b67cf807fb8be7df8400c065318ad3b0f8cd144738db7b96b

SH256 hash:

b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891

MD5 hash:

3c25c82959bd7080ffa4c31642d37bc8

SHA1 hash:

8a7f87f5da38e8b80f9a12b2cda135cff3b7d271

Link:

https://www.unpac.me/results/70405f95-1f93-4d22-ae03-e14b39f392c7/

VMRay SmokeLoader

Malware family:

SmokeLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b78d66de4f94/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

exe b78d66de4f94fd68a2fa5181f8b2a865d43f44fba0efbff7dd3a8215ce153891

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2658724/

Cape

https://www.capesandbox.com/analysis/398110/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-06-12 23:17:50 UTC

url : hxxp://78.153.130.128/s.exe