MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9ab515e88d92c37d31ae33b0c3fa49eaf81f75d6d259080de8a04c6cadddb89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9ab515e88d92c37d31ae33b0c3fa49eaf81f75d6d259080de8a04c6cadddb89
SHA3-384 hash: bc711946a81f4ac1ddb6d66688faacfa08313fe2c99f35d3d453990c05442cab43a146a792d9f5d12e83ff322eb97f6a
SHA1 hash: cf18177d472633dd135c7c43492d4e831439d312
MD5 hash: 9f472e5c47f63d675b9789790ace2ad1
humanhash: earth-blue-tennis-stairway
File name:iTunes64Setup.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:107'520 bytes
First seen:2022-12-27 15:26:47 UTC
Last seen:2023-08-25 17:56:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:+OdTSj2BFrxkE3HHUYwmLpUTZtCNh0OCQ+clc8PVgz:3Wkx13H0YcrgWQ+3muz
Threatray 318 similar samples on MalwareBazaar
TLSH T1F0B3AD0DA7C89F33D2AE2A3F94D395A50338D86A9903D34F24C81A3A6D677D64C532D3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 84b4e0e870fce470 (3 x RedLineStealer, 1 x DCRat, 1 x Smoke Loader)
Reporter r3dbU7z
Tags:exe Smoke Loader SmokeLoader

Intelligence

File Origin
# of uploads :
5
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
iTunes64Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-12-27 15:28:24 UTC
Tags:
trojan loader smoke stealer
Link:
https://app.any.run/tasks/4492865a-cd0d-4ebc-bd7c-c80c6c2d507c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64479173.6503.3714.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/63ab0ec60e926711fd74fc22/reports/5aa25add-01de-4d84-8001-9fd842d33039/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7d98c9f-1682-4f41-94b0-04f4a3e2d2db
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1141621
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9ab515e88d92c37d31ae33b0c3fa49eaf81f75d6d259080de8a04c6cadddb89/
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-12-23 16:24:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gvvcxui3ewdpuy24m5qyp5et2xyd525nuszbag6ricmnsw53oeq._file
Verdict:
malicious
Similar samples:
17210a04459730b46e0d1dd08f94e8027cdf4b8c12b5407aaed38aedcb35997e
Smoke Loader
186bbf590210d8fd02e981a002c05ab018aaec5ecd9b6ba4a37b16ba2f47b61e
Smoke Loader
2de5fe686b665d9aeb98b075fb139e33fffe278986a15622ea90bcad2f760ab1
Smoke Loader
3a99389b880ae3f89214477a855bb16090ca2b50816c864527ea9bf97f1ef182
Smoke Loader
513e3dc85e0bf7f545473fc6c7585aa35cd457eb34373618251610609e98ebc6
Smoke Loader
73d2a3e816c731410ee8b4b6cb0fd06bfd8dd8463caa9924f717da8bac0d34f0
Smoke Loader
b63350aad8b78b989c052c8bdae2ea691108e8e15f4b9b6c864ad86b1c300e36
Smoke Loader
e09089c81e67c38f93188d52d0fde98a587c59264cf7730a449886ad40eef52c
Smoke Loader
+ 308 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/221227-svq3msfa83/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detects Smokeloader packer
SmokeLoader
Unpacked files
SH256 hash:
a995ab54d1b767adabb9ab0221d6eb0b6f0241d21b7c1c84fcfdaab99cfbd54f
MD5 hash:
dedfe89c7514aedb32511e3c1a9a8ffb
SHA1 hash:
fa507f6bf3deb82b69a97c47e733efaa7dfa6f27
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/17746aa7-4782-47b1-896e-b437dc996dc7/
SH256 hash:
85bac57a56902fc9f0fa0f6a6ef4d4c3a06ce83690534154f1389e6726da9700
MD5 hash:
65c0eb2c24fe74a2fe52a83f7ed592bf
SHA1 hash:
1da267df6f956ed9ea37d4d4f0030eb1dedab202
Link:
https://www.unpac.me/results/17746aa7-4782-47b1-896e-b437dc996dc7/
SH256 hash:
d9ab515e88d92c37d31ae33b0c3fa49eaf81f75d6d259080de8a04c6cadddb89
MD5 hash:
9f472e5c47f63d675b9789790ace2ad1
SHA1 hash:
cf18177d472633dd135c7c43492d4e831439d312
Link:
https://www.unpac.me/results/17746aa7-4782-47b1-896e-b437dc996dc7/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9ab515e88d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9ab515e88d92c37d31ae33b0c3fa49eaf81f75d6d259080de8a04c6cadddb89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe d9ab515e88d92c37d31ae33b0c3fa49eaf81f75d6d259080de8a04c6cadddb89

(this sample)

  
Delivery method
Distributed via web download

Comments