MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 243915f58ee0b47ad8f4972192a2634781e7beb3cec92999f2d48fba3ee08b2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 243915f58ee0b47ad8f4972192a2634781e7beb3cec92999f2d48fba3ee08b2b
SHA3-384 hash: c4ddaa73c87a23c3d0f04b4f3cf51a359fed62d4954dcf2011effba69d1a2119dbabb8d2f80629682967c13fdcba4a2b
SHA1 hash: 6e2042d7e7bb4eabee4cd68820d74a96ae84437c
MD5 hash: 33eb55a002f0da6c775958fbefd39a3a
humanhash: high-missouri-tennis-july
File name:inquiry 7000pcs.scr
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:471'552 bytes
First seen:2020-10-27 16:49:03 UTC
Last seen:2020-10-27 18:37:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Ya+XwNiB5rd6i9CkJPEcXgqAY2+o8z/78:SgNiDrIiRJ/PrRzw
Threatray 61 similar samples on MalwareBazaar
TLSH 1FA49D2177A86B98E1BEA3786150420097F8F95BF339D65D3DA840DD6D64F82C3B3B12
Reporter abuse_ch
Tags:HostGator scr Smoke Loader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway24.websitewelcome.com
Sending IP: 192.185.51.59
From: Grace <jane@t-shirtsworld.com>
Subject: RE: New PO's 331971 & 330183
Attachment: inquiry 7000pcs.rar (contains "inquiry 7000pcs.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/80053/
Detection(s):
SecuriteInfo.com.Artemis33EB55A002F0.12515.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Deleting of the original file
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/514013
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
Binary contains a suspicious time stamp
Changes memory attributes in foreign processes to executable or writable
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 306118 Sample: inquiry 7000pcs.scr Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 94 Multi AV Scanner detection for submitted file 2->94 96 Yara detected AntiVM_3 2->96 98 Yara detected SmokeLoader 2->98 100 4 other signatures 2->100 9 inquiry 7000pcs.exe 3 2->9         started        12 agigivr 3 2->12         started        14 regsvr32.exe 2->14         started        process3 signatures4 102 Injects a PE file into a foreign processes 9->102 16 inquiry 7000pcs.exe 1 9->16         started        19 inquiry 7000pcs.exe 9->19         started        21 inquiry 7000pcs.exe 9->21         started        23 inquiry 7000pcs.exe 9->23         started        104 Multi AV Scanner detection for dropped file 12->104 106 Machine Learning detection for dropped file 12->106 25 agigivr 1 12->25         started        108 Creates processes via WMI 14->108 process5 file6 68 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->68 70 Renames NTDLL to bypass HIPS 16->70 72 Maps a DLL or memory area into another process 16->72 28 explorer.exe 4 16->28 injected 58 C:\Users\user\AppData\Local\Temp\65B3.tmp, PE32 25->58 dropped 74 Checks if the current machine is a virtual machine (disk enumeration) 25->74 signatures7 process8 dnsIp9 62 emona66.com.kz 176.119.1.100, 49735, 80 WS171-ASRU Ukraine 28->62 64 192.168.2.1 unknown unknown 28->64 66 www.msftncsi.com 28->66 60 C:\Users\user\AppData\Roaming\agigivr, PE32 28->60 dropped 110 Benign windows process drops PE files 28->110 112 Injects code into the Windows Explorer (explorer.exe) 28->112 114 Writes to foreign memory regions 28->114 116 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->116 33 explorer.exe 28->33         started        36 explorer.exe 28->36         started        38 explorer.exe 12 28->38         started        40 explorer.exe 28->40         started        file10 signatures11 process12 signatures13 76 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 33->76 78 Hijacks the control flow in another process 33->78 80 Changes memory attributes in foreign processes to executable or writable 33->80 42 vUqMYdjDZtwFzjBxNNXBOxZjsPHQ.exe 33->42 injected 44 vUqMYdjDZtwFzjBxNNXBOxZjsPHQ.exe 33->44 injected 46 vUqMYdjDZtwFzjBxNNXBOxZjsPHQ.exe 33->46 injected 54 6 other processes 33->54 82 Writes to foreign memory regions 36->82 84 Maps a DLL or memory area into another process 36->84 86 Creates a thread in another existing process (thread injection) 36->86 48 sihost.exe 36->48 injected 50 ctfmon.exe 36->50 injected 52 taskhostw.exe 36->52 injected 56 2 other processes 36->56 88 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 38->88 90 Tries to steal Mail credentials (via file access) 38->90 92 Tries to harvest and steal browser information (history, passwords, etc) 38->92 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/243915f58ee0b47ad8f4972192a2634781e7beb3cec92999f2d48fba3ee08b2b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 15:18:27 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eq4rl5mo4c2hvwhus4qzfitdi6a6ppvtz3estgps2sh3upxarmvq._file
Verdict:
malicious
Similar samples:
082433d5a03c1b8d3afcddfd4dade5d0d14366ad0d1e8d04c2f70fb40558b9cf
Smoke Loader
402c9bc187a50f0f180e3dbefa02af49d88b9d12f0a7e6810bc90f0fc5f9e99f
Smoke Loader
4e9725c1d27ec7cf15d2b159b703764c59ee647a76060e937fbfca3a73ecf889
Smoke Loader
6ed38f127b3a25cff62c0855aeba85a7134a400b1dd4ef06412c2a96729b9991
Smoke Loader
76021aea3ce29a8755d97b4c13d16a7bcb9eb0bd6e1a2d1df62ffeb8fb9397cd
Smoke Loader
92be89b620f61dba7a3c69c6e597787a02b9b8f7e0de333c589ce5048cbd8e6e
Smoke Loader
a7ed52eaed3c431823109509515c36b6bf45aab634606980509950674f018f88
Smoke Loader
b4ce84d44b0a1fc50208163e1922cce8671210aa3a0528b8a061ec2bfbf5a5f3
Smoke Loader
b8860da111fd60fd6bcb2d6ffd3f1a62357d1da8888b766726bcf0919ba25e3e
Smoke Loader
ffd4e843982551c8900daf559ee27a07c7fdeeb6a63e5075fbb8e98c8280f605
Smoke Loader
+ 51 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/201027-g45nrdj1xx/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
SmokeLoader
Malware Config
C2 Extraction:
http://emona66.com.kz/nonso/
http://emona667.com.kz/nonso2/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/243915f58ee0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/243915f58ee0b47ad8f4972192a2634781e7beb3cec92999f2d48fba3ee08b2b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

rar b552d42fc5b11d09944d0ff68e477752a4a92526be934dc2303ee978536c95d8

Smoke Loader

Executable exe 243915f58ee0b47ad8f4972192a2634781e7beb3cec92999f2d48fba3ee08b2b

(this sample)

  
Dropped by
MD5 19e38d7c53cd5ca1d2a9a921dbc77905
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b552d42fc5b11d09944d0ff68e477752a4a92526be934dc2303ee978536c95d8
Cape
Cape
https://www.capesandbox.com/analysis/80053/

Comments