MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f23bf048e15eb819af71c70acfb23c1cb4f2812d68eef9f53c326662e3b68225. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	f23bf048e15eb819af71c70acfb23c1cb4f2812d68eef9f53c326662e3b68225
SHA3-384 hash:	3ab7d733991cf47a9f0ae050835569b1f8cb42b38e86bd0d819d4b8912dac6d637a081fad5ae802e3838529f3b91e693
SHA1 hash:	b85dc340b793bf52d8c73ae63b777191ae588204
MD5 hash:	cfc568115bb0d4a53868911df3c52943
humanhash:	kansas-foxtrot-hydrogen-wisconsin
File name:	cfc568115bb0d4a53868911df3c52943.bin
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	231'936 bytes
First seen:	2023-02-20 08:31:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ed191fd45aaa30104c7d529493e68118 (6 x RedLineStealer, 1 x Smoke Loader, 1 x Stop)
ssdeep	3072:Y+RahcBfL91P5VOa0k0DlyElWYhZWQ6QCKVL67QiTtHAMHl8FyFLf5ZBfBh2s:vycBfLNVOlD0GFVdVLMQixHXukLLdH2
Threatray	1'155 similar samples on MalwareBazaar
TLSH	T19334AF03F2E17C61D4164A719D2E96E47A6FF5218E597BEB13284B2F19702F1C2B3722
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	411edec6a68c8e8c (1 x Smoke Loader)
Reporter	abuse_ch
Tags:	bin exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cfc568115bb0d4a53868911df3c52943.bin

Verdict:

Malicious activity

Analysis date:

2023-02-20 08:34:39 UTC

Tags:

stealer loader

Link:

https://app.any.run/tasks/198992b1-40b6-4fd0-ba93-9165d6aa1dbe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/368319/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Sending a custom TCP request

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/71784/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63f3300442bf85850e3e36e9/reports/510d8a32-3657-49ec-af4f-c8a74c513389/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/f23bf048e15eb819af71c70acfb23c1cb4f2812d68eef9f53c326662e3b68225

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/62e33455-256f-4410-8cb3-46ee617d44f9

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1179016

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f23bf048e15eb819af71c70acfb23c1cb4f2812d68eef9f53c326662e3b68225/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-02-20 08:32:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6i57ashbl24btl3ry4fm7mr4ds2pfajnndxpt5j4gjtgfy5wqisq._file

Verdict:

malicious

Smoke Loader

77570db1195a42024717d6223e0c55bc77e0246080b2fa7de24eac97391cdeda

Smoke Loader

86c349ad1aecf41f402adad10ff1c7a8e34b2f9f733db02bfd88bb1abac8128a

Smoke Loader

934be33621f60d5c6026af662631a4de2c054ccd0f132b268e721c73afc8aa37

Smoke Loader

9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

Smoke Loader

bf566a0e924a5567391242c61c0070a09ee3bca04a02e4f0170040b90e5b73e5

Smoke Loader

cbfca62676f5f4653e7151e00a3fabc91fae98e1c8beab6b2e05eb79cd3b342d

Smoke Loader

ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746

Smoke Loader

d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944

Smoke Loader

+ 1'145 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/230220-kfas4sab75/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

3a654dd8061978d7d2800b33c4742e343beca929a340524cbe837357e1828e49

MD5 hash:

fc9f032c2d44cd9a9bd56130f439311f

SHA1 hash:

cd9e0744f3420f1498dde539ffd42fd002518d25

Link:

https://www.unpac.me/results/0a792d81-1aa2-4a2a-8a76-77c589ec3264/

SH256 hash:

f23bf048e15eb819af71c70acfb23c1cb4f2812d68eef9f53c326662e3b68225

MD5 hash:

cfc568115bb0d4a53868911df3c52943

SHA1 hash:

b85dc340b793bf52d8c73ae63b777191ae588204

Link:

https://www.unpac.me/results/0a792d81-1aa2-4a2a-8a76-77c589ec3264/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f23bf048e15eb819af71c70acfb23c1cb4f2812d68eef9f53c326662e3b68225

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/368319/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample