MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbeaaccaa20daeb7e6bedae3a651dcc34f6bb55d382827a867627497da0fde07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments 1

SHA256 hash:	fbeaaccaa20daeb7e6bedae3a651dcc34f6bb55d382827a867627497da0fde07
SHA3-384 hash:	1fa2512a0c15688a87325cc738805e4d688b3e69c29ac1e76fd7fd5f43e361d40a80d5dd4f4b19f2f25526d5c64ccf06
SHA1 hash:	6cc46eb5fd6360c55f7f8953c4dd8b8ef2cc2fed
MD5 hash:	892f809cc55547c77cb06de196283340
humanhash:	september-michigan-georgia-vegan
File name:	892f809cc55547c77cb06de196283340
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	286'720 bytes
First seen:	2023-08-03 19:11:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	724ad9571755841c2e0f4aa3cd09706a (1 x LaplasClipper, 1 x Smoke Loader, 1 x UACModuleSmokeLoader)
ssdeep	3072:g+KCiHyfoSA0MCLJwaRnxfIReI2tBJTrDPVNeO5fBEauGHKp8WaUwwY3:xieot0MCLVRnxbI29TreO5ZPuD8WXO
Threatray	702 similar samples on MalwareBazaar
TLSH	T10D549E127291D872D6264A358D1ACBF46A3FB8708F596BC777443B2F19313E2DA72342
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	00041111000b2122 (1 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe Smoke Loader

Intelligence

File Origin

# of uploads :

# of downloads :

285

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

25d035a712153aaf9fc3fd6bc23bf269.exe

Verdict:

Malicious activity

Analysis date:

2023-08-03 16:43:39 UTC

Tags:

rat redline amadey trojan clipper loader stealer arkei vidar risepro evasion smoke

Link:

https://app.any.run/tasks/d9fd53f1-4d25-423c-bee0-e7c0ed1a1905

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/440140/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64cbfc02539838c2be522392/reports/ffa2f9ee-e652-471b-9f88-e2ef12635a9c/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/fbeaaccaa20daeb7e6bedae3a651dcc34f6bb55d382827a867627497da0fde07

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a96f8ea8-b0a7-4976-93a4-c5e860140441

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1285319

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if browser processes are running

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to compare user and computer (likely to detect sandboxes)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fbeaaccaa20daeb7e6bedae3a651dcc34f6bb55d382827a867627497da0fde07/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-08-03 19:12:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 38 (84.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7pvkzsvcbwxlpzv63lr2muo4ynhwxnk5haucpkdhmj2jpwqp3ydq._file

Verdict:

malicious

Smoke Loader

2d069be4278adc145301b5a0fe3871b0a111c2649965eb7a646f5ccd82f49c13

Smoke Loader

459c657cb3ebf8b8ac1233ab4544f8b497b68cb1ee7a471a6a111367cbf5de6f

Smoke Loader

50e1f9d1d7917bdea9173cb5588008574a0f62f71445ea1e67d9b7edb420f7db

Smoke Loader

9a34f51bda3056e9f9f721277cf9f6b9c890afc4196b590d016edbb45753b505

Smoke Loader

a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2

Smoke Loader

a52921112e0ccf922d4dbf38d241e5d03fb77bf9940354b37581d4d1c6d86054

Smoke Loader

e0193765c9e157028a992d2c76b8d3b717cc4390ddb4d6a972351ec9d39981e9

Smoke Loader

e20f55052a678cb46b022c4a2fe842df103dede80a9ca81afa917a95d3f2286a

Smoke Loader

eeda861f847c8e1965617979471e1983b9fa1838fb804e4d67c7c22b36b9b462

Smoke Loader

+ 692 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor trojan

Link:

https://tria.ge/reports/230803-xwgmtaha3s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

https://anydesk-my.com/faq/
http://anydesk-my.com/faq/

Unpacked files

SH256 hash:

ac6204b4448ca4be5bf2c2ea19c391550624e81cb7fb866f7003afa40c4f78ec

MD5 hash:

e35e42f83a21437d167a11f3ab4053d1

SHA1 hash:

bd0e63a0ad2b398e25d5ec6f837766b5999887c6

Detections:

SmokeLoaderStage2

win_smokeloader_a2

Link:

https://www.unpac.me/results/59d0e33f-dba1-4b96-b727-326f3375c587/

Parent samples :

eeda861f847c8e1965617979471e1983b9fa1838fb804e4d67c7c22b36b9b462
fbeaaccaa20daeb7e6bedae3a651dcc34f6bb55d382827a867627497da0fde07
b048a1bfca1c0f1a364faeef88c9decda4fa71a66e3dd3225abe70e267b0b36b

SH256 hash:

fbeaaccaa20daeb7e6bedae3a651dcc34f6bb55d382827a867627497da0fde07

MD5 hash:

892f809cc55547c77cb06de196283340

SHA1 hash:

6cc46eb5fd6360c55f7f8953c4dd8b8ef2cc2fed

Link:

https://www.unpac.me/results/59d0e33f-dba1-4b96-b727-326f3375c587/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fbeaaccaa20d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fbeaaccaa20daeb7e6bedae3a651dcc34f6bb55d382827a867627497da0fde07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.