MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 7

SHA256 hash: eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA3-384 hash: ba7513b549a83277f8dea26145a0488d8d5c4a59ebb6f8e493ddea5663c040143a905c0f5ab94732b36daf0986b55909
SHA1 hash: 2056ee8482eaac060e050e15441999cfdf4385b3
MD5 hash: a551bc7c95ea5dd39255a0fc48033f89
humanhash: finch-grey-autumn-kentucky
File name: a551bc7c95ea5dd39255a0fc48033f89.exe
Signature: Smoke Loader
File size: 707'072 bytes
First seen: 2021-08-05 15:18:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f1f21c88e9cb261ec581191bb4c538e3 (2 x RemcosRAT, 1 x Formbook, 1 x BitRAT)
ssdeep: 12288:cLJ8IaEF3CbhMemzpeVhpEj7c0DFtImnuf:cLJRaElQMePyNtI
Threatray: 229 similar samples on MalwareBazaar
TLSH: T194E44B92F2D0803AD01A653E4C29AF64A66DFED14C28588B6BFD3A4C5776F01743E49F
dhash icon: fce5d39a543434c4 (3 x RemcosRAT, 2 x Formbook, 1 x BitRAT)
Reporter: abuse_ch
Tags: exe Smoke Loader

Intelligence

File Origin
# of uploads: 1
# of downloads: 111
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7fb10b8ea68c1e0064730018fca3cb39.exe
Verdict: Malicious activity
Analysis date: 2021-08-05 10:35:34 UTC
Tags: trojan stealer vidar rat azorult raccoon loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Clipboard Hijacker
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature:
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph: ID 459943, Sample: w9VkWpjfOS.exe, Startdate: 05/08/2021, Architecture: WINDOWS, Score: 100. (Graph rendering not reproduced; it shows the process tree w9VkWpjfOS.exe -> Ceutdxb.exe / sqlcmd.exe / cmd.exe -> schtasks.exe / reg.exe / conhost.exe, the dropped PE32 files Ceutdxb.exe and sqlcmd.exe, and an HTTPS connection to cdn.discordapp.com.)
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2021-08-05 10:09:34 UTC
AV detection: 18 of 28 (64.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour:
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SHA256 hash: c873bd224bbf6f82aa169f079016ebdf7690b40a7db5dd8cfefd26404a9d50ca
MD5 hash: d328f4ade4dd3cd77b3c055c6a7a7937
SHA1 hash: 5d2437502c20efaadd44d27bd5f2f748bdb48512

SHA256 hash: eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
MD5 hash: a551bc7c95ea5dd39255a0fc48033f89
SHA1 hash: 2056ee8482eaac060e050e15441999cfdf4385b3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_SmokeLoader
Author: ditekSHen
Description: Detects SmokeLoader variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Smoke Loader, Executable exe eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14 (this sample)

Delivery method: Distributed via web download

Comments