MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f
SHA3-384 hash: f7b9ca5ea455a6bc971180794368614c0fed9309c66def734080b6b42a94fff91846fe4aa55097d5bb38ef058582e424
SHA1 hash: 678d81248b3057914df972c47b9dcc77b789c9bc
MD5 hash: 14787312f0ea4d42b19f81059fae2bac
humanhash: spaghetti-floor-arkansas-east
File name:14787312f0ea4d42b19f81059fae2bac
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:3'916'800 bytes
First seen:2023-01-06 09:22:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c04ffca633d3f392be3844220f4e6e4f (9 x Smoke Loader, 7 x RedLineStealer, 5 x Stop)
ssdeep 98304:7Q6Na8x1h0nAEBq4Ej/L5SViLd6l5KZy4qy9yb:USauhWdq4EP56iR62ZN10
Threatray 449 similar samples on MalwareBazaar
TLSH T1C00633A17620EC5DE65740750891FFA86DBAED308B03D50F3364A61F4AB12DE82FF265
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon bcfc94b494948dc0 (1 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
14787312f0ea4d42b19f81059fae2bac
Verdict:
Malicious activity
Analysis date:
2023-01-06 09:26:03 UTC
Tags:
danabot stealer
Link:
https://app.any.run/tasks/63911a8d-0127-4d31-9f69-e7e462e188fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349913/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63b7e87a0e926711fd7735c5/reports/6b5bccf8-4adb-4ab2-82f1-0650d2748b51/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d0081ce-f583-4cd0-a96d-7843e6d9e32c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.expl
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1146154
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2023-01-06 09:23:10 UTC
File Type:
PE (Exe)
Extracted files:
60
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jbpn2dkpq6fzpvgpgpdot36wbog5o7gdcqutfqwdf62lpdpin7q._file
Verdict:
malicious
Similar samples:
045d257fff1a2678715e67b6ce278456bd264514598fd51a3fc8023d58f64c3a
Smoke Loader
0909322dede6d2639bc5aba3de6bbe4a6b9552df002547378c35629b1ceefedf
Smoke Loader
2ee350a3c3c03283a1458ff5e3e142d91b46a8fecd846ec8df0d1edca7c1e4cf
Smoke Loader
3b19c8396a1294f52170ad5af4db3282f81a46445789ef94983ba891038c4cec
Smoke Loader
4ba96ecdcdfa746de28a0ee3ef474842e829917c9486ace35ec4cc2fa1ad956f
Smoke Loader
728de9789af5f2ebc9ac2fac80fee25b186bc5b3acb960650934377f0c77726d
Smoke Loader
81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d
Smoke Loader
c1caac58e614931c517666747eec84548ca762fff9744c47ed6cfe162c511331
Smoke Loader
c44b3b7ff81213a270ea2e6e76105211c9c4a9a8eb0f612031fbfcb1f0e03f91
Smoke Loader
fbd172f7f6c9e4b8c915d7ff24d40ddcad456223407e383b2230f24e046031bb
Smoke Loader
+ 439 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/230106-lcgmxsbc3z/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0345bdcc-24b0-4728-a1c5-58e4306abac8
Unpacked files
SH256 hash:
ff4c52048225575b90750a8cb1b964d5c762e634491670880f0c4d197b39a4a8
MD5 hash:
be2d5d90485e25199667d5ab32bf29a4
SHA1 hash:
488678bbb50f18ec73ca661569708478562eb5bc
Link:
https://www.unpac.me/results/ac0340a1-d337-43cb-b535-a78cdac91d13/
SH256 hash:
99b54a624533de917de05cb502e2728e2b26acc50309509629973fd45b495ffe
MD5 hash:
cc0d91aee8251089d578f2f633e963bf
SHA1 hash:
711cf88e690d48392ffe47f370272dd52b46cb64
Link:
https://www.unpac.me/results/ac0340a1-d337-43cb-b535-a78cdac91d13/
SH256 hash:
fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f
MD5 hash:
14787312f0ea4d42b19f81059fae2bac
SHA1 hash:
678d81248b3057914df972c47b9dcc77b789c9bc
Link:
https://www.unpac.me/results/ac0340a1-d337-43cb-b535-a78cdac91d13/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fa42f6e86a7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349913/

Comments


Avatar
zbet commented on 2023-01-06 09:22:29 UTC

url : hxxp://172.93.193.37/amd.exe