MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7bfd0ecc11d4b3aa7b6130b46bcb7b72cba8917e17c5bbd57cb15ad668c7b38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 7



SHA256 hash: b7bfd0ecc11d4b3aa7b6130b46bcb7b72cba8917e17c5bbd57cb15ad668c7b38
SHA3-384 hash: 8f2073ae6fd51a305c662b8d3434b3bc01b49852c11794d47d2a635f86441d81e2a6f2b9a9a28c1a335305a69b363dbe
SHA1 hash: d0ea9f51add9e14d55e601922105ff5c9d26e518
MD5 hash: 8d5f24a56ea25eac8902cb894310ce54
humanhash: network-whiskey-kitten-mississippi
File name: Loader.vbs
Signature: Smoke Loader
File size: 105'631 bytes
First seen: 2025-01-30 08:51:11 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 3072:huGSHxttOY23B0d+asdLtMO2vY4kKsDKMvrX97e:MrV23ia2O2gaRMTN6
TLSH: T1AEA37EA9C7349E48333F79A370CE81A054ADC9D1C1F887FB9DE8A8A51CB5E1D12D40B6
Magika: vba
Reporter: JAMESWT_WT
Tags: 156-253-250-62 Smoke Loader SmokeLoader vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 124
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: dropper shell sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: monero obfuscated powershell
Result
Verdict: MALICIOUS
Details: Base64 Encoded Powershell Directives. Detected one or more base64 encoded Powershell directives.

Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1602860; sample Loader.vbs; start date 30/01/2025; architecture WINDOWS; score 100). Information recoverable from the graph image:
- Process chain: wscript.exe starts cmd.exe; cmd.exe starts further cmd.exe instances, powershell.exe, reg.exe and conhost.exe; powershell.exe starts csc.exe (which starts cvtres.exe), cmstp.exe, svchost.exe and WerFault.exe.
- Network contacts: 0x0.st (168.119.145.117, port 443; HETZNER-ASDE, Germany) and 156.253.250.62 (ports listed as 49822, 49985, 49986; POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles), both from powershell.exe.
- Dropped files: C:\Users\user\AppData\...\iemmtsqa.cmdline (Unicode); C:\Users\user\AppData\Local\...\z5uq5ymu.dll, C:\Users\user\AppData\Local\...\vczdcf4i.dll and C:\Users\user\AppData\Local\...\iemmtsqa.dll (PE32).
- Graph-level signatures: Malicious sample detected (through community Yara rule), Yara detected SmokeLoader, Yara detected AntiVM3, 11 other signatures; per-process signatures as in the Signature list above (obfuscated VBScript calls, Wscript starting Powershell, suspicious COM object query, execution policy bypass, excessive use of cmd line tools to alter registry or file data, Loading BitLocker PowerShell Module, suspicious powershell code related to unpacking or dynamic code loading).
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution persistence
Behaviour
Kills process with taskkill
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: Smoke Loader
File type: Visual Basic Script (vbs)
SHA256: b7bfd0ecc11d4b3aa7b6130b46bcb7b72cba8917e17c5bbd57cb15ad668c7b38 (this sample)

Comments