MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c72bf997c9a2c92574eab7a06490125dba02b9b8cb75142812213161da56496c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	c72bf997c9a2c92574eab7a06490125dba02b9b8cb75142812213161da56496c
SHA3-384 hash:	38887a2f63f73f47c3b75b7bf05d1000a1be7c982f9fd2a852c921379e75e5200f3e4a74fee5688f54788f722c9a726e
SHA1 hash:	1661a3e96283f9c75aa39197a28cea05e5f96ad3
MD5 hash:	7005fe7b65bcdd9182f0dc3a5f4d889e
humanhash:	angel-delta-eight-skylark
File name:	SecuriteInfo.com.Variant.Lazy.165907.13412.2467
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	112'640 bytes
First seen:	2022-08-21 04:28:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	28f40085b568eea37b6fc61d9e67ab95 (5 x RedLineStealer, 3 x Smoke Loader, 2 x RecordBreaker)
ssdeep	3072:s8UWhtZJXTl3knqPTWwPRgx+kI0Zjl9Bh52GRWmb:hdHR3ktX5ZjlHhRQA
Threatray	5'189 similar samples on MalwareBazaar
TLSH	T111B39D67B5D1C432E97249360864CAA1CA2FFC241D64DEA7378A177E8F701C1CE25E7A
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

353

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Lazy.165907.13412.2467

Verdict:

No threats detected

Analysis date:

2022-08-21 04:29:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/362a79ff-25e8-4629-bd3f-87b1d4bccb71

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/299991/

Detection(s):

SecuriteInfo.com.Variant.Lazy.165907.13412.2467.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware packed

Link:

https://www.filescan.io/uploads/6301b4973cbb13868a688386/reports/02f8b7e4-ec9b-4f50-922c-87c03b421e67/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/dda67743-a9b9-4242-9495-5a6cda997824

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1054966

Signature

Allocates memory in foreign processes

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c72bf997c9a2c92574eab7a06490125dba02b9b8cb75142812213161da56496c/

Threat name:

Win32.Trojan.Lazy

Status:

Malicious

First seen:

2022-08-21 04:29:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 39 (43.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y4v7tf6julesk5hkw6qgjeaslw5afonyzn2rikaseeywdwswjfwa._file

Verdict:

malicious

Smoke Loader

049ae382c00f3cbd42e9108966c445234ed5bccce0913dae44c313295879a6c2

Smoke Loader

30f5564e58d11d68bb6f8f01c745a9e60f2dd5362534c7c959868d9d554e86e5

Smoke Loader

572ceb288c34f070937cada71821e3f7aae5b3158cba6f1c0f82cb72a0ef0e72

Smoke Loader

5786b1e1dc5abbeb0c60e1b7b652c49af8152c2e923894feb56aee8ad4c0f629

Smoke Loader

5cd575c5fa62c375ac8f979a0231f39b1779122a277ce4a5c2faa9f5e69e1d11

Smoke Loader

7ed50d6cf6c9904f2392e39ac88e5e024c21746d794b9dca4b51cbbbd444df4a

Smoke Loader

9f811e7bbc6d4799de5647e11e35d4e681485840ff65dc8ced5f956729ac3058

Smoke Loader

b99300d00050e4a8b2b0873723a9783b172776ba8cb7500d65e6d93bc3d37147

Smoke Loader

c7946da08940de7da39c9bcd1417e1926616d7953974ef5f24aacc6de9b362c9

Smoke Loader

+ 5'179 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220821-e38e1afed3/

Unpacked files

SH256 hash:

c72bf997c9a2c92574eab7a06490125dba02b9b8cb75142812213161da56496c

MD5 hash:

7005fe7b65bcdd9182f0dc3a5f4d889e

SHA1 hash:

1661a3e96283f9c75aa39197a28cea05e5f96ad3

Link:

https://www.unpac.me/results/cf4ad594-b832-4a3d-8a39-6680794be77e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c72bf997c9a2c92574eab7a06490125dba02b9b8cb75142812213161da56496c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com