MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18cd059c6141fcff83f1a715a3599a35e18ee0e41500844ae9691f62df264d6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18cd059c6141fcff83f1a715a3599a35e18ee0e41500844ae9691f62df264d6e
SHA3-384 hash: e87df21efe6538115175620a3b8a6f41821f2a3d1a914982dd8b00037009ef8c8746ee32e2eae1bbc981bab2bc2ee305
SHA1 hash: e5ae4098dd36b9ffbfde1330fb677cc819ffe0ea
MD5 hash: 1ec121f8346019ea6983e09c0e95988b
humanhash: kansas-muppet-pizza-coffee
File name:PO# MOR-19BC1-055 & Design Images_PDF.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:644'096 bytes
First seen:2021-05-10 07:12:23 UTC
Last seen:2021-05-10 08:08:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Mp7fMmbjeBw4Y+OIKh37ekaUEKR9FgIKNdpHaag:2fnsOI0SkaDKRTdKztaa
Threatray 147 similar samples on MalwareBazaar
TLSH 89D4AD2533999F49E8FFB7F50470500057F178079B25E64DBDF2A48A1AA2BC08A27B5F
Reporter abuse_ch
Tags:Dofoil exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153786/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Osiris AveMaria SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779610
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Detected Osiris Trojan
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 412008 Sample: PO# MOR-19BC1-055 & Design ... Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for dropped file 2->73 75 11 other signatures 2->75 9 PO# MOR-19BC1-055 & Design Images_PDF.exe 4 2->9         started        13 fegvujca.exe 2 2->13         started        process3 file4 59 PO# MOR-19BC1-055 ... Images_PDF.exe.log, ASCII 9->59 dropped 89 Adds a directory exclusion to Windows Defender 9->89 91 Injects a PE file into a foreign processes 9->91 15 PO# MOR-19BC1-055 & Design Images_PDF.exe 9->15         started        18 powershell.exe 9 9->18         started        93 Multi AV Scanner detection for dropped file 13->93 95 Machine Learning detection for dropped file 13->95 signatures5 process6 signatures7 121 Maps a DLL or memory area into another process 15->121 123 Checks if the current machine is a virtual machine (disk enumeration) 15->123 20 explorer.exe 3 8 15->20 injected 25 conhost.exe 18->25         started        process8 dnsIp9 63 mynah505.com.kz 176.119.1.100, 49720, 49721, 49722 WS171-ASRU Ukraine 20->63 65 192.168.2.1 unknown unknown 20->65 67 www.msftncsi.com 20->67 51 C:\Users\user\AppData\...\fegvujca.exe, PE32 20->51 dropped 53 C:\Users\user\AppData\Local\...E3E.tmp.exe, PE32 20->53 dropped 55 C:\Users\...\fegvujca.exe:Zone.Identifier, ASCII 20->55 dropped 77 System process connects to network (likely due to code injection or exploit) 20->77 79 Benign windows process drops PE files 20->79 81 Injects code into the Windows Explorer (explorer.exe) 20->81 83 2 other signatures 20->83 27 EE3E.tmp.exe 2 20->27         started        31 explorer.exe 20->31         started        33 explorer.exe 20->33         started        35 8 other processes 20->35 file10 signatures11 process12 file13 61 C:\Users\user\AppData\Local\...\Liebert.bmp, PE32 27->61 dropped 97 Multi AV Scanner detection for dropped file 27->97 99 Detected Osiris Trojan 27->99 101 Machine Learning detection for dropped file 27->101 37 EE3E.tmp.exe 27->37         started        103 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 31->103 105 Hijacks the control flow in another process 31->105 107 Changes memory attributes in foreign processes to executable or writable 31->107 41 UfYlJFksdMttlSCLwl.exe 31->41 injected 43 UfYlJFksdMttlSCLwl.exe 31->43 injected 45 UfYlJFksdMttlSCLwl.exe 31->45 injected 109 Writes to foreign memory regions 33->109 111 Maps a DLL or memory area into another process 33->111 113 Creates a thread in another existing process (thread injection) 33->113 47 sihost.exe 33->47 injected 49 taskhostw.exe 33->49 injected 115 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->115 117 Tries to steal Mail credentials (via file access) 35->117 119 Tries to harvest and steal browser information (history, passwords, etc) 35->119 signatures14 process15 file16 57 C:\ProgramData\Winx.exe, PE32 37->57 dropped 85 Increases the number of concurrent connection per server for Internet Explorer 37->85 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 37->87 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18cd059c6141fcff83f1a715a3599a35e18ee0e41500844ae9691f62df264d6e/
Threat name:
ByteCode-MSIL.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-05-09 23:38:29 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddgqlhdbih6p7a7ru4k2gwm2gxqy5yhecuaiisxjnepwfxzgjvxa._file
Verdict:
malicious
Similar samples:
2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe
Smoke Loader
67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3
Smoke Loader
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
Smoke Loader
8f32a2bc4817137939fbd615fbcbab4c93dd0305e9d407ec6de706483c50556e
Smoke Loader
9420352e6f0bd18b2e3cd99144ab76c1fca76b96bdba6e07b83bd5d1d2fb790b
Smoke Loader
b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903
Smoke Loader
c161bd7b9f5628752b0533e63eb86d01c32ef55e2cc52e7763273c51e5ed651e
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
e91568f40d148d2bdf04cf14156febbbb0d72e10b876c38d0900e0a66cb8706f
Smoke Loader
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Smoke Loader
+ 137 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210510-h5vpweemca/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
SmokeLoader
Malware Config
C2 Extraction:
http://mynah505.com.kz/mynah/
http://mynah506.com.kz/mynah/
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/e7ad5c82-46af-41b6-91a5-6155850516ea/
SH256 hash:
18cd059c6141fcff83f1a715a3599a35e18ee0e41500844ae9691f62df264d6e
MD5 hash:
1ec121f8346019ea6983e09c0e95988b
SHA1 hash:
e5ae4098dd36b9ffbfde1330fb677cc819ffe0ea
Link:
https://www.unpac.me/results/e7ad5c82-46af-41b6-91a5-6155850516ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18cd059c6141fcff83f1a715a3599a35e18ee0e41500844ae9691f62df264d6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153786/

Comments