MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 21

Intelligence 21 IOCs YARA 2 File information Comments

SHA256 hash:	fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb
SHA3-384 hash:	85ec62c9aaecd501cda01c12e28aab9a7eb2096a03145f3fc6890e65f02813feed2eb5fc77236744837af3304d5327d3
SHA1 hash:	82930fe20587a65c25763c867d3a6b747691187b
MD5 hash:	d0afd781ce8872358047a5857f4dcb8a
humanhash:	magnesium-earth-alpha-charlie
File name:	hpwdv.exe
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	2'658'724 bytes
First seen:	2025-12-07 06:25:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9514ea1f6b76796d84439e43008aa7f1 (3 x Smoke Loader, 1 x LummaStealer, 1 x Rhadamanthys)
ssdeep	3072:TD8qOVO6HzqC1fCwNQrRLwY8xzIbbTDnxG5JU1DAY2L0a5M6:n8qOVOjtwNQrRLwY8x8bbTD0Oa5
Threatray	19 similar samples on MalwareBazaar
TLSH	T18FC5F71386E33D54E927CA729E2ED6FC770EB6508E997769121AAB2F04F00B3D163711
TrID	39.5% (.EXE) InstallShield setup (43053/19/16) 28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.6% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	amznemu
Tags:	exe Smoke Loader SmokeLoader

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

AceCryptor SmokeLoader

Details

AceCryptor

an extracted payload

AceCryptor

an extracted shellcode loader component and a TEA decryption key

AceCryptor

an extracted shellcode loader component and the ms_c_rand-XOR seed

SmokeLoader

an extracted component

SmokeLoader

c2 urls and a version number

Link:

https://research.acce.ciphertechsolutions.com/results/36c0f43c-a815-4986-ae64-5e9ed54d419a/

Malware family:

smoke

ID:

File name:

_fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb.exe

Verdict:

Malicious activity

Analysis date:

2025-12-07 06:26:36 UTC

Tags:

loader smokeloader smoke

Link:

https://app.any.run/tasks/c6a3d233-334a-4344-8e97-b20423a614ef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/42888/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69351ddf920336450abc1083

Tags:

gandcrab phishing mint

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/69351dd0ff25e40750d6243e/reports/eacc34a0-199c-4cac-9e14-823b31857d1e/overview

Verdict:

Malicious

Labled as:

Mint.Titirez.Generic

Link:

https://www.hybrid-analysis.com/sample/fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-05T20:34:00Z UTC

Last seen:

2025-12-07T05:46:00Z UTC

Hits:

~10

Detections:

Backdoor.Win32.Mokes.sb Backdoor.Win32.Mokes.c Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Dapato.sb Trojan.Win32.Zenpak.sb Trojan.Win32.Yakes.sb Trojan.Win32.Yakes Trojan.Win32.Strab.sb Packed.Win32.Redpill.sb Trojan-Downloader.Win32.Upatre.sb Trojan.Win32.Zonidel.sb Trojan.Win32.Chapak.sb HEUR:Trojan-Downloader.Win32.Bitmin.gen Trojan.Agent.HTTP.C&C PDM:Trojan.Win32.Generic Trojan.Win32.Packed.sb

Link:

https://opentip.kaspersky.com/fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb/results?tab=lookup

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/509995ee-9906-474d-9706-7850673c0499

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/d0afd781ce8872358047a5857f4dcb8a

Detection:

smokeloader

Link:

https://mwdb.cert.pl/sample/fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb/

Verdict:

Malicious

Threat:

Family.SMOKELOADER

Link:

https://tip.neiki.dev/file/fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb

Threat name:

Win32.Trojan.Stopcrypt

Status:

Malicious

First seen:

2025-12-06 02:24:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7p6ztys7xjkezmohzrbaweorasbitlqc3tcq5ncfm2uvtqlvrhfq._file

Verdict:

malicious

Label(s):

smokeloader

shellcode_loader_002

Smoke Loader

66cee30a999770e51c8a80b6aa279607cbbb27bb581bf8763421777559869281

Smoke Loader

8f20020d5b0669c889435750b00452672cb17fc2a87225a5341040bc05afc008

Smoke Loader

aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

Smoke Loader

bca26771b9c277eb8babfaf06af7dae3f8b063b1b91b090691bf69d265dc0ff8

Smoke Loader

error

Smoke Loader

f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

Smoke Loader

fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb

Smoke Loader

+ 9 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor discovery persistence trojan

Link:

https://tria.ge/reports/251207-g6rb1ahp5t/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

System Location Discovery: System Language Discovery

Deletes itself

SmokeLoader

Smokeloader family

Malware Config

C2 Extraction:

http://polinamailserverip.ru/
http://lamazone.site/
http://criticalosl.tech/
http://maximprofile.net/
http://zaliphone.com/
http://humanitarydp.ug/
http://zaikaopentra.com.ug/
http://zaikaopentra-com-ug.online/
http://infomalilopera.ru/
http://jskgdhjkdfhjdkjhd844.ru/
http://jkghdj2993jdjjdjd.ru/
http://kjhgdj99fuller.ru/
http://azartnyjboy.com/
http://zalamafiapopcultur.eu/
http://hopentools.site/
http://kismamabeforyougo.com/
http://kissmafiabeforyoudied.eu/
http://gondurasonline.ug/
http://nabufixservice.name/
http://filterfullproperty.ru/
http://alegoomaster.com/
http://freesitucionap.com/
http://droopily.eu/
http://prostotaknet.net/
http://zakolibal.online/
http://verycheap.store/

Verdict:

Malicious

Tags:

Win.Packer.pkr_ce1a-9980177-0

YARA:

n/a

Link:

https://app.threat.zone/submission/42983187-a3c9-4811-8f4a-ca22f8f02933

Unpacked files

SH256 hash:

fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb

MD5 hash:

d0afd781ce8872358047a5857f4dcb8a

SHA1 hash:

82930fe20587a65c25763c867d3a6b747691187b

Link:

https://www.unpac.me/results/b8093af4-4251-4881-ad16-6026da705a5f/

SH256 hash:

d3fe939abc37519cf9968874270d356abd8b10887ce7e78a5fb1624d288f14b8

MD5 hash:

42ab13a5f832f542d18083839671b340

SHA1 hash:

891e8820dd0e4d1b9d47bc34ed92538f5081bca2

Detections:

win_smokeloader_a2

SmokeLoaderStage2

Link:

https://www.unpac.me/results/b8093af4-4251-4881-ad16-6026da705a5f/

Parent samples :

6667500156d0b0d81fb98d32794c8c50de82fc915d2a59780e9b6e1b9f78ada7
f892a86d4af2c61bf9284c3cf6608eb003b6a5570829ed3dbecb28eb69bc50d2
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330
fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fbfd99e25fba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fbfd99e25fba544cb1c7cc420b11d1048289ae02dcc50eb44566a959c17589cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/42888/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample