MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 278593e60722d691fe1b23b22cab15294662bbd2ef8ca1ba8e80ca78e872a813. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 278593e60722d691fe1b23b22cab15294662bbd2ef8ca1ba8e80ca78e872a813
SHA3-384 hash: b910f99b79f7205b6c82becf56a59878df264027771a7dd4c47dbdcd1d196bcb1d00c2bb065d0f98ae32541508757f8b
SHA1 hash: f582af904ec05a5b72aae3bc2eeffdc44988e457
MD5 hash: b3c71fca1351df0d352fe022db1a38dc
humanhash: quebec-south-double-nitrogen
File name:ldr.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:385'536 bytes
First seen:2020-04-16 15:07:16 UTC
Last seen:2020-04-16 17:39:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e8aa5126db9671c6e450cd0db2d3ee5 (1 x Smoke Loader)
ssdeep 3072:37HKmtpKxOgB4agjbyLKAfaxuRMaQo+UX2JHv+xk+TA/64tVHTxrfQBU51:3zb2oljby04GaQo+UXWH2xk++5FQGn
Threatray 1'137 similar samples on MalwareBazaar
TLSH C584084E960244BBE92225B080DFEB79011059BD6E63CF77FE08FA13F9327E55163629
Reporter abuse_ch
Tags:COVID-19 Dofoil exe Smoke Loader SmokeLoader


Avatar
abuse_ch
COVID-19 themed malspam distributing SmokeLoader:

HELO: i15.mxout.mta4.net
Sending IP: 5.196.146.142
From: MCCOY Kimberly <health@covid-center.gov>
Subject: CorVirus problem!
Attachment: CoVid_2019_Check_A4372.doc

SmokeLoader payload URL:
http://45.147.231.107/ldr.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
905
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Worm.fm.15570.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Ligooc
Create hunting rule
Status:
Malicious
First seen:
2020-04-16 15:35:31 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6czhzqhelljd7q3eozczkyvffdgfo6s56gkdouoqdfhr2dsvajq._file
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
08f3b51c8493c5ed8948ab35c956a465e0043094248d2f27a5d8fa9a696e3cbf
Smoke Loader
27c3f84dd3101c302afb523ee2c5b728c1fc34cfb8430c314d1f2df5ed79c28c
Smoke Loader
302b22ef958f04eeef47eaef2fe2d2fd062a17c16683ec8f2cf0b899f19c2acb
Smoke Loader
3700f2c5fe27c80e41984b2a55f236655a09f0781c05b265bccb26165318d78a
Smoke Loader
5bd66c88148005029d20c92e1d793f8d41f47a273a9334f9a85ec31148d0b040
Smoke Loader
8d1b83eff1b3c604365fd29de1bb43204852de842c0bb148975fe7a7485310e4
Smoke Loader
927a8d1445750400db3850d0b2dc3522b0f373098385373efa3d7762120f3689
Smoke Loader
aea1d064fb75706dd261f1097f91574050216410ce840e9c7523c46aca53c5f9
Smoke Loader
e94e31beaf1c2a6c24f0973a621c8715faf91a18e8c7acdab8a832021c7ce5f5
Smoke Loader
f3ba5d0b27ff406dcd1c624aee919f394d231b878f040ec23e36c7f0cf81df99
Smoke Loader
+ 1'127 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

Word file doc 0da1163a00143901f52c50317fe036c83efca8680d1e1d5702a0118a10b35d7d

Smoke Loader

Executable exe 278593e60722d691fe1b23b22cab15294662bbd2ef8ca1ba8e80ca78e872a813

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/341409/
  
Dropped by
MD5 6f1f70d8b7d62a7b8dce59ebf077f429
  
Dropped by
SHA256 0da1163a00143901f52c50317fe036c83efca8680d1e1d5702a0118a10b35d7d
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments