MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34
SHA3-384 hash:	a4e3f1eff882c82e6628586b0f569a2aa445ac5541a990666bce31e74f8cb173d1945a8c7b693cac4d9e78d6afde6469
SHA1 hash:	0c445a88f517ded7e11816e9aa6727d699fe4b03
MD5 hash:	02ce49901dea7f64e8944b48eb9d9e04
humanhash:	eleven-lake-kitten-november
File name:	autoruns.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	520'136 bytes
First seen:	2025-12-07 06:24:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b40453716ee76c427966432a258dc29f (2 x Smoke Loader)
ssdeep	6144:SsGckEKnZ6F0y8BQ+dLM+F2gPBH+3d6SrUgOR:HGcbKnZ6FaQ+NrBZetBOR
Threatray	14 similar samples on MalwareBazaar
TLSH	T1D3B4C3E311AC455ED13CCA304192A6BC46BB4DFED3EF059AEBC7BC5CA764A4D1A23019
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	amznemu
Tags:	exe Smoke Loader SmokeLoader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

smoke

ID:

File name:

autoruns.exe

Verdict:

Malicious activity

Analysis date:

2025-12-07 06:30:11 UTC

Tags:

loader smokeloader smoke

Link:

https://app.any.run/tasks/55f74b28-09a3-4e99-839a-6cff4c861312

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/42886/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69351dd9920336450abc1079

Tags:

shellcode sage hype

Verdict:

Malicious

Labled as:

Jaik.Generic

Link:

https://www.hybrid-analysis.com/sample/f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-30T21:23:00Z UTC

Last seen:

2025-12-01T06:59:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Packed.Win32.Redpill Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Dapato.sb Trojan.Win32.Zonidel.sb Packed.Win32.Redpill.sb HEUR:Backdoor.Win32.Mokes.gen Backdoor.Win32.Mokes.sb Backdoor.Win32.Mokes.c

Link:

https://opentip.kaspersky.com/f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5499cb33-dede-4344-95d2-ec246c39e69e

Score:

75%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/02ce49901dea7f64e8944b48eb9d9e04

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34/

Verdict:

Malicious

Threat:

Family.SMOKELOADER

Link:

https://tip.neiki.dev/file/f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

Threat name:

Win32.Trojan.CobaltStrike

Status:

Malicious

First seen:

2025-12-01 02:27:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6k2b4p2noeyvoefivh4uxhy7k27a43kimngsp37farnee5xizq2a._file

Verdict:

malicious

Label(s):

smokeloader

Smoke Loader

4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48

Smoke Loader

878e881cb00de3297651a06f1d2054c88183e9f8010c1c30f5eeb92d7154e816

Smoke Loader

ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb

Smoke Loader

error

Smoke Loader

f1400947f65c4f4b6770ca97877b7e6bbfc97deef656e20a064e542e2cd31d79

Smoke Loader

f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

Smoke Loader

+ 4 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor discovery persistence trojan

Link:

https://tria.ge/reports/251207-g6rb1axrg1/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Deletes itself

SmokeLoader

Smokeloader family

Malware Config

C2 Extraction:

http://atillapro.com/
https://atillapro.com/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d0fb8005-5e9c-4d1f-ad5f-a0b83121afee

Unpacked files

SH256 hash:

f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

MD5 hash:

02ce49901dea7f64e8944b48eb9d9e04

SHA1 hash:

0c445a88f517ded7e11816e9aa6727d699fe4b03

Link:

https://www.unpac.me/results/f3092eb5-5e93-4236-896b-7930a4d41e2b/

SH256 hash:

c507ee1d3efd0c74eccc1b822c1c7659212cd02146af3a56b1d2987147cb5029

MD5 hash:

b59d5d6c2f679afb0b65b861945cd946

SHA1 hash:

26f4bde35829437d86dc27d221633d84c8b50ecc

Detections:

win_smokeloader_a2

SmokeLoaderStage2

Link:

https://www.unpac.me/results/f3092eb5-5e93-4236-896b-7930a4d41e2b/

Parent samples :

4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48
f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f2b41e3f4d71/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/42886/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample