MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8aeaf935d69a1da8e8838c9744b0e6df06472abc0120c223c6424833f2ee17e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	e8aeaf935d69a1da8e8838c9744b0e6df06472abc0120c223c6424833f2ee17e
SHA3-384 hash:	f5844578baa15b4b6610da3d0c4a459873625d8815e0fba5c32936ab4e64a6b8d7d7264b1180709a2b908f12bf70908b
SHA1 hash:	0d6d8d67eba672b69a8849b5f8fca6e4c3c9d6dc
MD5 hash:	9f57823da63888bd65a62908f6d16004
humanhash:	double-papa-pluto-kilo
File name:	9f57823da63888bd65a62908f6d16004.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	4'000'256 bytes
First seen:	2023-01-20 19:30:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d2f7aaeea760c1e4ae9275156c5a08c2 (3 x Smoke Loader, 1 x Tofsee, 1 x CoinMiner)
ssdeep	98304:dqPCGUGa5IzByziGKYoVGzDUZg/FL5wjqXpI7H:kaGUGaCt03o4zQZg/FUsk
Threatray	460 similar samples on MalwareBazaar
TLSH	T19C0633329AE07989D74ADF33CD086FD4E2AFF100FE11A34B2D615A8F5AB0A51C56F194
TrID	39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.5% (.SCR) Windows screen saver (13097/50/3) 13.3% (.EXE) Win64 Executable (generic) (10523/12/4) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	2c3c8c80848484c0 (1 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9f57823da63888bd65a62908f6d16004.exe

Verdict:

Malicious activity

Analysis date:

2023-01-20 19:36:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/27a81869-86e4-4f05-915d-97049b33baac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/355073/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63caebfc416d38777a79d746/reports/9fba136d-029b-45ec-98e1-58f91336bb64/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c5b16369-4f74-4205-97cd-9a184e71d950

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

63 / 100

Link:

https://www.joesandbox.com/analysis/1155776

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8aeaf935d69a1da8e8838c9744b0e6df06472abc0120c223c6424833f2ee17e/

Threat name:

Win32.Trojan.RaStealer

Status:

Malicious

First seen:

2023-01-20 19:31:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5cxk7e25ngq5vduihdexisyonxygi4vlyajayir4mqsigpzo4f7a._file

Verdict:

malicious

Smoke Loader

3b19c8396a1294f52170ad5af4db3282f81a46445789ef94983ba891038c4cec

Smoke Loader

428c1c48e636421a85235a35b5228472e5441ca9b60eb9bd776a182fbaa9f1b7

Smoke Loader

486bc2ba757742ef08537abf2d8169945565cf78db2a2a847dafb286d961f290

Smoke Loader

4ba96ecdcdfa746de28a0ee3ef474842e829917c9486ace35ec4cc2fa1ad956f

Smoke Loader

81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d

Smoke Loader

927a4dddb1e5ffe4ba3a9a8ba4183c092eb350fb07ea79fecd84042c812f6dbc

Smoke Loader

c1caac58e614931c517666747eec84548ca762fff9744c47ed6cfe162c511331

Smoke Loader

fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f

Smoke Loader

fbd172f7f6c9e4b8c915d7ff24d40ddcad456223407e383b2230f24e046031bb

Smoke Loader

+ 450 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery persistence spyware stealer

Link:

https://tria.ge/reports/230120-x8c56abd5w/

Behaviour

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Drops desktop.ini file(s)

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Sets DLL path for service in the registry

Sets service image path in registry

Unpacked files

SH256 hash:

b0d1abc9ba06d2166904b050e1f05d8289aee496541d9f6070e9174e8389c227

MD5 hash:

0cb83eddaee7d10c6776b78ba4a11aec

SHA1 hash:

07b49c3743889f7dd2e280572a04357ef92e62f9

Link:

https://www.unpac.me/results/295d394b-c4d5-4592-a1c5-140eca7d1e5e/

SH256 hash:

e850a01d9cd1e05d35f843673548bde67bab43f012f2d9bbc55ae00f46d975f7

MD5 hash:

21f2adb20b8dc50854b55c389fd50fef

SHA1 hash:

8cb355e33485e42d0698081b106b6d4263c68730

Link:

https://www.unpac.me/results/295d394b-c4d5-4592-a1c5-140eca7d1e5e/

SH256 hash:

e8aeaf935d69a1da8e8838c9744b0e6df06472abc0120c223c6424833f2ee17e

MD5 hash:

9f57823da63888bd65a62908f6d16004

SHA1 hash:

0d6d8d67eba672b69a8849b5f8fca6e4c3c9d6dc

Link:

https://www.unpac.me/results/295d394b-c4d5-4592-a1c5-140eca7d1e5e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e8aeaf935d69/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e8aeaf935d69a1da8e8838c9744b0e6df06472abc0120c223c6424833f2ee17e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/355073/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample