MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d295d298b3eae41a3c84bf0d3263590fd853dab0eb7199d209e38442996cdc81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SmartLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	d295d298b3eae41a3c84bf0d3263590fd853dab0eb7199d209e38442996cdc81
SHA3-384 hash:	e34be1665da975061f9d6b8c2d9a3e0e724b9128cf139370f9830775157e9006bc24fdfc3a49003d7bbb6a3064503c48
SHA1 hash:	db26c2eca941754e8106cf87b95363a8ed644ef5
MD5 hash:	fc721c7295da1e54a0bac61ecc76655c
humanhash:	oxygen-august-december-mars
File name:	VALORAN_DRIVVE_Hack_Cheat_EF_nephrosclerosis.zip
Download:	download sample
Signature	SmartLoader Create hunting rule
File size:	578'949 bytes
First seen:	2026-03-18 09:58:08 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:VqwEDcCCXb6wlOMWROC/FTeHo22Qm7NzofOr/mShZ:igCCT4MQOC/gHozN7NzomLmy
TLSH	T10BC423443901C1DD874A6F3E9DD84EB46E7D80E79A5A790027CEBD827D85AB033C9D2B
Magika	zip
Reporter	tcains1
Tags:	SmartLoader zip

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name:	App.bat
File size:	23 bytes
SHA256 hash:	a91b3308a7e9aa9fa660c72d27f226d8f50bfac2629f79a828fbecff323c0fe0
MD5 hash:	cabf147518b9751e928426cf30136872
MIME type:	text/plain
Signature	SmartLoader

File name:	buff.log
File size:	297'756 bytes
SHA256 hash:	c7b71a992c6ca1467164b643136d986c0eec28548f30533456a3ea0f442c85a8
MD5 hash:	abd194196578479f36fe6a71d7feb7a0
MIME type:	text/plain
Signature	SmartLoader

File name:	load.exe
File size:	872'448 bytes
SHA256 hash:	167b166e26dd44f580a00f2c879089c5362eff5120ac88e0701b11b1eb320ca9
MD5 hash:	b09254ee683d91d04d52d08731dba8db
MIME type:	application/x-dosexec
Signature	SmartLoader

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/7e4d9936-2fd6-4223-b16e-cab829529b31/

Detection(s):

SecuriteInfo.com.VBS.Obfus-141.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ba773a93b644ca466b4001

Tags:

virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc unsafe

Link:

https://www.filescan.io/uploads/69ba7737493cb7d62d03ffe4/reports/9dd091ad-5bd8-4868-a37f-7ed110b49163/overview

Verdict:

Suspicious

Labled as:

Trojan.Win64.Agent

Link:

https://www.hybrid-analysis.com/sample/d295d298b3eae41a3c84bf0d3263590fd853dab0eb7199d209e38442996cdc81

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/d295d298b3eae41a3c84bf0d3263590fd853dab0eb7199d209e38442996cdc81

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

66%

Verdict:

Susipicious

File Type:

Result

Malware family:

n/a

Score:

7/10

Tags:

execution persistence

Link:

https://tria.ge/reports/260318-mgngpsf12v/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in Windows directory

Contacts third-party web service commonly abused for C2

Looks up external IP address via web service

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d295d298b3eae41a3c84bf0d3263590fd853dab0eb7199d209e38442996cdc81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Capability_Embedded_Lua Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects embedded Lua engines by looking for multiple Lua API symbols or env-var hooks

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SmartLoader

zip d295d298b3eae41a3c84bf0d3263590fd853dab0eb7199d209e38442996cdc81

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3798629/

URLhaus

https://urlhaus.abuse.ch/url/3798630/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample