MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdb56b7e346e7261d4c2c2d4875ed044a75960e19a1abc6b035bbdc49698a700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdb56b7e346e7261d4c2c2d4875ed044a75960e19a1abc6b035bbdc49698a700
SHA3-384 hash: ee02d6e6a78a18ea92d878449c6e652bb14aa9940629c067676a8d69f0ffa18079c25d5e624853e0998b9609a286d799
SHA1 hash: b6f68d89bd4cde4516a3c279d9dccfb80ecdf6a4
MD5 hash: 734d67d23ce6f824cb402fa625563104
humanhash: berlin-fourteen-cola-mexico
File name:fdb56b7e346e7261d4c2c2d4875ed044a75960e19a1abc6b035bbdc49698a700
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:6'158'336 bytes
First seen:2020-11-11 10:53:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 98304:ssvUGP1Gu7fJ9C3zLZgDaruZ4684jiRogZHE:NvU7u7fzC3zLZgDS24MuRvk
Threatray 3 similar samples on MalwareBazaar
TLSH 54563AE334C265ADC45AD67B8752FD7E924FB1364727E6E3605C62225E2ACC03A35F08
Reporter JAMESWT_WT
Tags:47.91.237.42 Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.MSShellcode-5
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdb56b7e346e7261d4c2c2d4875ed044a75960e19a1abc6b035bbdc49698a700/
Threat name:
Win64.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-09-20 15:45:21 UTC
File Type:
PE+ (Exe)
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7w2ww7runzzgdvgcylkioxwqistvsyhbtinly2ydlo64jfuyu4aa._file
Verdict:
malicious
Similar samples:
831ba6efa4a49eb1c7ff749fe442b393c5a614f383bf1efb52512a183b4362fc
Smoke Loader
a2f0a1d469d73a11c69afc9eb12000fa7f7652305d936a10d12dabce693f878b
Smoke Loader
f8915227c25c5ac552d66f3708f615cd517363953829d3715f38666d7dfa9770
Smoke Loader
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:metasploit
Link:
https://tria.ge/reports/201111-hatysjqj6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
fdb56b7e346e7261d4c2c2d4875ed044a75960e19a1abc6b035bbdc49698a700
MD5 hash:
734d67d23ce6f824cb402fa625563104
SHA1 hash:
b6f68d89bd4cde4516a3c279d9dccfb80ecdf6a4
Link:
https://www.unpac.me/results/bffa7b7d-51a1-422f-9dbf-7669735b1bc8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments