MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 181e8199c373271be6ab13287d4722e60d6839d4611893d1748d69d939097900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 9



SHA256 hash: 181e8199c373271be6ab13287d4722e60d6839d4611893d1748d69d939097900
SHA3-384 hash: b2ba76a478e63d6571e139acd4515b05ec2aea03eab4cc78752414c7d513d8db8ecce1024b03b41fe553567639bb2d59
SHA1 hash: c0d578901b8e986bc57f9bf7a341b7adc3a883b6
MD5 hash: 5adf87a964f3f98312bfab8f30fb70d8
humanhash: montana-mexico-princess-ack
File name: 0001.xll
Signature: Smoke Loader
File size: 580'096 bytes
First seen: 2022-03-15 23:18:06 UTC
Last seen: 2022-04-20 09:48:54 UTC
File type: Excel file xll
MIME type: application/x-dosexec
imphash: f20a8db3e4a8c03c1ab177b2660fdd78 (4 x Smoke Loader, 3 x AgentTesla, 2 x Gozi)
ssdeep: 12288:azLjlZHAt+AZrkOCH8bzbBSreMOi1uWD242S6+4W:azLhltAdkjcX1XDWeS6ZW
Threatray: 74 similar samples on MalwareBazaar
TLSH: T1FEC4AE57F6E77A65E6AEC1BAC6F1C92D62B3309602B0C3CE774055492D22392483DB1F
Reporter: Racco42
Tags: Smoke Loader xll

Intelligence

File Origin
# of uploads: 6
# of downloads: 278
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Statement -February 2022.xll
Verdict: No threats detected
Analysis date: 2022-03-15 16:57:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malicious
File Type: Office Add-Ins - Suspicious

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.Tnega
Status: Malicious
First seen: 2022-03-15 21:14:57 UTC
File Type: PE+ (Dll)
Extracted files: 3
AV detection: 21 of 27 (77.78%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor trojan
Behaviour:
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
SmokeLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Smoke Loader, Excel file xll 181e8199c373271be6ab13287d4722e60d6839d4611893d1748d69d939097900 (this sample)
Delivery method: Distributed via e-mail attachment
