MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cea4d8fdf4500dc9901412763db939e25fd3a798ae83425431930bfe006e1f45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	cea4d8fdf4500dc9901412763db939e25fd3a798ae83425431930bfe006e1f45
SHA3-384 hash:	af4e7f3a1a1325ad9a5476ddead62db9f8233650053a77ae279c21f74579d7505367da02987b6b88390c61028301c66a
SHA1 hash:	d0a8215a651d131614423e89f928d8a47ccca9f8
MD5 hash:	07b20c69e38a54399f8f1567fad0e4b0
humanhash:	dakota-salami-mexico-india
File name:	file
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	283'136 bytes
First seen:	2022-10-10 18:00:34 UTC
Last seen:	2022-10-10 18:50:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ae11519a6eac288b6a17a0c03e5a652c (10 x Smoke Loader, 2 x GCleaner, 1 x DanaBot)
ssdeep	6144:rZU3UqUAXEYKSUcvaPWwYZiAXrwVfquS:raXE1maKZ7d
Threatray	10'520 similar samples on MalwareBazaar
TLSH	T1AD54CF31B642DCB1C40521708826DFE12BBEED31596985973B683B6E6EB3380567731F
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	00b0c4c8c8c4f010 (7 x Smoke Loader)
Reporter	andretavare5
Tags:	exe Smoke Loader

andretavare5

Sample downloaded from http://coin-coin-coin-2.com/downloads/toolspab4.exe

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318615/

Detection(s):

Win.Malware.Azorult-9949206-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Searching for synchronization primitives

Creating a file

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42335/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/63445ddf1ddf36bcc3f444c8/reports/f26bfa85-ddca-4b50-9520-2e96d44f28f8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d675f6cf-67fc-4f67-a167-ec05c9401ecb

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1087124

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cea4d8fdf4500dc9901412763db939e25fd3a798ae83425431930bfe006e1f45/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-10-10 18:01:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z2snr7pukag4teaucj3d3ojz4jp5hj4yv2buevbrsmf74adod5cq._file

Verdict:

malicious

Smoke Loader

1d99ddd268999f74dca4db86de66032f58dc3e4674f2af2b0ed0770eff565c11

Smoke Loader

4341a8545883c15a609e8ed0b76c28e2ba3a82192e895b1f82b64a1d3258bb15

Smoke Loader

4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a

Smoke Loader

59875a842587d6a4e76304ab84b621513b5f3714680ff3a5c71733fc5178865b

Smoke Loader

6f219b6db1cbae753d727d2c90a0699b36f2da08a7a27781e1757abae28d6777

Smoke Loader

742d2a8c9a56567941c05d9d55a29c25da0a5fc5737e5720e1bdb3a50912d1f6

Smoke Loader

88626ba260ddb895a68d546cfb33eac0bb9c598286f20d581a755439f014a66c

Smoke Loader

d675bcdbbbafe997bc10ac363266e76a8337901b4129e2401cb810c5ab561c55

Smoke Loader

+ 10'510 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/221010-wlvw1scfh7/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Detects Smokeloader packer

SmokeLoader

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cea4d8fdf450/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cea4d8fdf4500dc9901412763db939e25fd3a798ae83425431930bfe006e1f45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.