MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc
SHA3-384 hash: 7b01736651b259dfe954c59b940960b6dde014c91b099712d6e5292cdeb5495c2368e32c4c76e99764feaf54e98d4d42
SHA1 hash: cb4eac4a578c291cab95c80c489c496d19c3bc31
MD5 hash: 21f60a6eb01232b2b632119d0e780a64
humanhash: four-saturn-oregon-fanta
File name:shipment_detail_DHL.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:850'944 bytes
First seen:2022-02-14 16:10:56 UTC
Last seen:2022-02-14 17:36:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:CJRYS0X6XwUDGMHdOTji/XUC0K3QMZCYTSJfBcN6Cx3wakBsP:cRYCXwwGkEXKUC0K3QZhB63MA
Threatray 9'512 similar samples on MalwareBazaar
TLSH T1E005CE03B7AE9B2EC66A0E76B4B182315670DF075016DB3AB4D0FEAC0CA635D1A711F5
File icon (PE):PE icon
dhash icon 6ccccc9cc4dce8f4 (4 x Formbook, 3 x Smoke Loader, 3 x AsyncRAT)
Reporter abuse_ch
Tags:DHL Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
457
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241426/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1197.24236.29571.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/620a7f2854047500bb5446f3/reports/4948b5f9-13b5-4169-b7e5-0572261eb18e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29095d65-bdb2-439d-90db-ecbc54d8bfdb
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939521
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Remote Thread Created
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 571996 Sample: shipment_detail_DHL.exe Startdate: 14/02/2022 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 10 other signatures 2->47 8 shipment_detail_DHL.exe 3 2->8         started        11 trcabcc 2 2->11         started        process3 file4 35 C:\Users\user\...\shipment_detail_DHL.exe.log, ASCII 8->35 dropped 13 MSBuild.exe 8->13         started        16 conhost.exe 11->16         started        process5 signatures6 65 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->65 67 Maps a DLL or memory area into another process 13->67 69 Checks if the current machine is a virtual machine (disk enumeration) 13->69 71 Creates a thread in another existing process (thread injection) 13->71 18 explorer.exe 2 13->18 injected process7 dnsIp8 37 seq8ueceqoxy.com 194.135.33.16, 49796, 49798, 80 ASBAXETNRU Russian Federation 18->37 33 C:\Users\user\AppData\Roaming\trcabcc, PE32 18->33 dropped 49 Benign windows process drops PE files 18->49 51 Injects code into the Windows Explorer (explorer.exe) 18->51 53 Writes to foreign memory regions 18->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->55 23 explorer.exe 8 18->23         started        27 explorer.exe 18->27         started        29 explorer.exe 18->29         started        31 2 other processes 18->31 file9 signatures10 process11 dnsIp12 39 seq8ueceqoxy.com 23->39 57 System process connects to network (likely due to code injection or exploit) 23->57 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->59 61 Tries to steal Mail credentials (via file / registry access) 23->61 63 3 other signatures 23->63 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 12:35:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
24 of 42 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7h3nmufpbpcgsmj2cqnsskfuumlggxuuh7iunzdr63bsefgfpoa._file
Verdict:
malicious
Similar samples:
01b7ecba4c040bd3c352b2023e1f7f38c2b2ef741f23a91301153f03760d3505
Smoke Loader
03735ed519d86a5d8456393b63d97be01c426c4b441c49efd2fd010c5faf78ce
Smoke Loader
0bd7846422b31c85b3828c45257233f0264c2867690fe884be749d0c776858c2
Smoke Loader
1e1885766a2d50045f07b07ef4d8f989a578e7cae4696054ff60c0341537d371
Smoke Loader
7a8f5dbcd00d364145d28a29b058adc75da8041fe35d852ad9cf9ae439b51cfa
Smoke Loader
a3c57266f4f2f229c35a60c0c07914b8029d22f4e258288b296b3e2669e1d566
Smoke Loader
acf07e3a8e5eab40aaa587590fe81ec7a98b0eb238d5640a857495500a9df71a
Smoke Loader
d1fea52507fc97ff419f8dd2ea8ecf689fb7c066cf8f18453378e95bf399c3d6
Smoke Loader
+ 9'502 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor collection trojan
Link:
https://tria.ge/reports/220214-tmx2naaac5/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
SmokeLoader
Malware Config
C2 Extraction:
http://seq8ueceqoxy.com/
Unpacked files
SH256 hash:
3ca74eb4ce4c2c5604dc298949ae47996d93063abfde0682d689205561d17d44
MD5 hash:
4e35b541f3d9162d0ac93d336df67779
SHA1 hash:
bb9e65761186806d4bada659e9d5db0c070501d4
Link:
https://www.unpac.me/results/96ac4933-dd35-49e9-b720-09d23180f725/
SH256 hash:
ac78fa29013d4a8f64c8d8bab64bc011ea1855ae361890386f279037f80b1a8b
MD5 hash:
d5e0597fde755b20928a2a421b82f65c
SHA1 hash:
b8a7f88e45df3cb524e978e2b8cea9262b344392
Link:
https://www.unpac.me/results/96ac4933-dd35-49e9-b720-09d23180f725/
SH256 hash:
7cbefa1ef20e7e3ae48832432a4962a85f2a6daab0b10e26fb29165df70c4647
MD5 hash:
cc052e992091e56c5e4473b6756f0b9e
SHA1 hash:
a76a1b286d6f44d7220f05010633c24f509b966c
Link:
https://www.unpac.me/results/96ac4933-dd35-49e9-b720-09d23180f725/
SH256 hash:
f2d3b969a90bc35857354ce4ca7d558b61ac1a1c07efe43cfa1aba72c1d6b672
MD5 hash:
bd3648b8838fdb35126b58e69e01836e
SHA1 hash:
67cd27ceeb282e0194bf05b13164acce19ad408c
Link:
https://www.unpac.me/results/96ac4933-dd35-49e9-b720-09d23180f725/
SH256 hash:
07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc
MD5 hash:
21f60a6eb01232b2b632119d0e780a64
SHA1 hash:
cb4eac4a578c291cab95c80c489c496d19c3bc31
Link:
https://www.unpac.me/results/96ac4933-dd35-49e9-b720-09d23180f725/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/07cfb6b28578/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dofoil
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

Executable exe 07cfb6b285785e234989d0a0d94945a518b31af4a1fe8a37238fb61910a62bdc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241426/

Comments