MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
SHA3-384 hash:	689be254445f999c0cde9009d05fafebbb7505105b82d388b5b698cb6353b162e5fad87eb080e929fd214ca5a56da430
SHA1 hash:	aedc15d5b30fd14e289f42eabf64bb0ba4815877
MD5 hash:	5cd06f4bdfb8cb137f9a2aae8abd3253
humanhash:	snake-washington-glucose-october
File name:	Wed19b7cd8faf1.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	279'552 bytes
First seen:	2022-07-23 02:33:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f6ee633166e72a1d10f4f54440093ac0 (4 x RaccoonStealer, 2 x FickerStealer, 2 x ArkeiStealer)
ssdeep	6144:5f3JE8LYFX8H5vSqTZUoe1XkwncZL4xZpHFn2:lJHQX8H5NTZUoeCwaGl2
Threatray	14'848 similar samples on MalwareBazaar
TLSH	T164549D30AAA1C039F5B712F845A683BCB53A7AB16B3450CF62D51AED07346E5EC30797
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	T9O4TsWMWYLLeXs
Tags:	exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

240

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

setup_x86_x64_install.exe

Verdict:

Malicious activity

Analysis date:

2021-08-26 02:25:37 UTC

Tags:

trojan stealer vidar evasion loader opendir rat redline raccoon

Link:

https://app.any.run/tasks/9df58aae-29e0-4636-b20f-beca09d090b9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293530/

Detection(s):

Win.Malware.Generic-9888454-0

Win.Malware.Fragtor-9888533-0

Win.Packed.Generic-9888540-0

Win.Packed.Generic-9888543-0

Win.Packed.Generic-9888547-0

Win.Packed.Raccoon-9888527-1

Win.Packed.Raccoon-9888532-1

Win.Dropper.Raccoon-9892961-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Reading critical registry keys

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP POST request

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed smokeloader

Link:

https://www.filescan.io/uploads/62db5e590e298a94f3f0d73f/reports/406f2922-7249-49e9-af14-02566881503d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1cf7b14b-ad73-46b7-8ccb-7ee19c0afae5

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1039556

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-08-25 22:51:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5fxqqovrqgm5nj2fwd5tvccsxbr3ssuqmzsfoamyzatxvpsbsxda._file

Verdict:

malicious

Smoke Loader

0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e

Smoke Loader

296cb7c456c55688de080e9940722307f1ee92acbfec61696e21ec985794a3ff

Smoke Loader

5e1a4b9ced78b15872e2723b231e3934c4874c6ea28ebf6c983a61f5040b5f96

Smoke Loader

9f154115fa8045aa05f15f7cd1de9623ebe32e8ea400279ecb5dfa3596952e3b

Smoke Loader

b7915e2c423abfd40c013439cc726587a44fc207696637b2a431abce68963dd4

Smoke Loader

edf6beb88780fb3085332f843b73418f52bbf095265dad631cf8e187644cb565

Smoke Loader

+ 14'838 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220723-c1w8vabdf8/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Unpacked files

SH256 hash:

38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2

MD5 hash:

33600475b2cc5445df2d3809c3798311

SHA1 hash:

3cb60432de30b82e87b8b607e0180a7843128b5a

Detections:

win_smokeloader_a2

Link:

https://www.unpac.me/results/cc8e8b6b-ef1d-4a51-99f2-d6d1e4168d8d/

Parent samples :

aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc

SH256 hash:

e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6

MD5 hash:

5cd06f4bdfb8cb137f9a2aae8abd3253

SHA1 hash:

aedc15d5b30fd14e289f42eabf64bb0ba4815877

Link:

https://www.unpac.me/results/cc8e8b6b-ef1d-4a51-99f2-d6d1e4168d8d/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e96f083ab181/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/293530/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample