MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eab4ab96040ded1fe958283ce5d9433629a64633397e8d1fd07e42d91c1f574c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eab4ab96040ded1fe958283ce5d9433629a64633397e8d1fd07e42d91c1f574c
SHA3-384 hash: e5814d30d3edbbd150807bd241c9621b64c6b078d0c423bf3822f544368464f28d8306023dc6cb0dd2651f60ac7a5ee4
SHA1 hash: c62e78dde702fa45a8de39b7a68d09feca86346e
MD5 hash: bffc6e2e6a57a20ea2e9b3055fb97a2c
humanhash: neptune-vermont-dakota-crazy
File name:bffc6e2e6a57a20ea2e9b3055fb97a2c.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:7'920'304 bytes
First seen:2022-11-15 11:22:06 UTC
Last seen:2022-11-15 13:54:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bca6eef833a3a9c7d08eeaa3fa5b1e34 (3 x DarkCloud, 2 x a310Logger, 1 x Smoke Loader)
ssdeep 98304:aIHJuwFzXeZlnQN3/Wh756hILflzy3G5oIH8K7M/k7cACDJqABnYaQ/Ipdl5iICV:hswElnIBhIlsqxtVllt
Threatray 15'530 similar samples on MalwareBazaar
TLSH T1C4867DA1760EF2DFE58E1A75E85BCE43956D13FB42105803DCAD78BE6D63C422187E28
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
8322e07c26f7c6e100e5b2be34080db4.exe
Verdict:
Malicious activity
Analysis date:
2022-11-14 19:13:27 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/d84b2a45-e526-47f7-bae2-805d7d1b35b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/334195/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.31502.24430.6473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Searching for analyzing tools
Searching for the window
Creating a file
Сreating synchronization primitives
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/637376992445ecec3cc4adba/reports/80efe807-6339-44f1-9f6a-24f0d8965f47/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b32c58b5-399b-4ef5-8177-817a5ec8d93d
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1113705
Signature
Antivirus / Scanner detection for submitted sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potential malicious icon found
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eab4ab96040ded1fe958283ce5d9433629a64633397e8d1fd07e42d91c1f574c/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2022-11-14 00:20:06 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5k2kxfqebxwr72kyfa6olwkdgyu2mrrthf7i2h6qpzbnsha7k5ga._file
Verdict:
malicious
Similar samples:
16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b
Smoke Loader
614d8a0cfd93b3ab2f4e01ea490ba9d350f7ea786a18b54785581777df71b371
Smoke Loader
71542a9dd0da516b5599228ace4fc9028ce2d389ec0fc1e68e9089ba174afe80
Smoke Loader
88f86b01cb6078c58fd2d5ab9f1beb7c24fa1e4b71e1ca558678d7718c418b66
Smoke Loader
a3ab078df870be2b8552699a13d47a05c3078958ec76d582baf0a2ca47e9505f
Smoke Loader
b3952d5a517987c91deaf47757cdb7051db5e7f7af71e12eb42db4bc65e20552
Smoke Loader
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3
Smoke Loader
+ 15'520 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor bootkit evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/221115-ng577ahd4v/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects Smokeloader packer
SmokeLoader
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b557dcdd-7408-40c5-ae13-15fa65a9e8d8
Unpacked files
SH256 hash:
62cbce734f665549b5a19c128839bfcc8d2972e9302ab8fc554950db7fbe790f
MD5 hash:
54a0de26ef005653eaade5c3fb8ae374
SHA1 hash:
68f5419243a2af2bad3ef9348e2c1107193b4b9f
Link:
https://www.unpac.me/results/2770eea5-6c11-4748-a6b6-07745ae411b4/
SH256 hash:
0c72f2f74b75507bb9f5613d6a9313eb92f636940c7167dbb8019b5265b343f0
MD5 hash:
e7e45d45e526ca6f1dae90315953986a
SHA1 hash:
b8cf2aa6d4568172f79da0f2a27b1518f4eb48cb
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/2770eea5-6c11-4748-a6b6-07745ae411b4/
SH256 hash:
9b847edf5e190c66929fac5fa8a33c33adb6fcd05fdacf8be8b219e783e56428
MD5 hash:
2f61aef2132e9965572776bfe0e9b769
SHA1 hash:
0d1be3e68e818b7959dd912323493de86eecbed0
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/2770eea5-6c11-4748-a6b6-07745ae411b4/
SH256 hash:
2c937b190ee66d750bf9c3329809d590d64e9b732edc6666dc5b26268b180b2e
MD5 hash:
ea1786a929831205504c8545799db3f9
SHA1 hash:
4ce1fb69f91c68c0b693ac4babebacca1e1e33b9
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/2770eea5-6c11-4748-a6b6-07745ae411b4/
SH256 hash:
05485a7f8394212df78504d625b71ce1538d8909b3766d7b2459c11ba3248c65
MD5 hash:
dd8daefcc9168a0d2a30a76503f37bd4
SHA1 hash:
a477e06faf573670f37f489319d70e547ec58cd9
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/2770eea5-6c11-4748-a6b6-07745ae411b4/
SH256 hash:
d2abdc9b23b086e477f6cee70a71578a02adf14108917e11dce71717373de6a9
MD5 hash:
0c03964243bb21e3657575ae3985da3e
SHA1 hash:
9cada23a398029692e90b9847c009d2eaf2fd20d
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/2770eea5-6c11-4748-a6b6-07745ae411b4/
SH256 hash:
eab4ab96040ded1fe958283ce5d9433629a64633397e8d1fd07e42d91c1f574c
MD5 hash:
bffc6e2e6a57a20ea2e9b3055fb97a2c
SHA1 hash:
c62e78dde702fa45a8de39b7a68d09feca86346e
Link:
https://www.unpac.me/results/2770eea5-6c11-4748-a6b6-07745ae411b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/eab4ab96040ded1fe958283ce5d9433629a64633397e8d1fd07e42d91c1f574c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_KB_CERT_028aa6e7b516c0d155f15d6290a430e3
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe eab4ab96040ded1fe958283ce5d9433629a64633397e8d1fd07e42d91c1f574c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2412743/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/334195/

Comments