MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 278b7b56fbd477d441cc898216fd90c9fa1a84a143b4a2502770c205066a6622. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 278b7b56fbd477d441cc898216fd90c9fa1a84a143b4a2502770c205066a6622
SHA3-384 hash: d92397d88a72d7fda51362aaa5ea11bc7b57f98e684bef9d7fe730780b334e78508f23750624845a973e91d28ee90bf7
SHA1 hash: 9e51d39317fbb331e77437a1c51b74864bb3fc4a
MD5 hash: 8271a4695ba3e22e0b5e027918864f5e
humanhash: august-don-saturn-red
File name:Quotation List from Mynautos.com
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:780'288 bytes
First seen:2021-08-18 07:54:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:NUaDc9F3nC0Py3gAh5pJ1wAZDxANnIjhGxgzJJgzujPX/a8KFLsq82c418c7Yx3T:iE1d2yhG+JJBe8KFLqDLx3f/wG
Threatray 399 similar samples on MalwareBazaar
TLSH T1B7F4A2BC19B9B62791B9C725EBE18817F0409C9F3151AC65E4EE27B7032EA5234C723D
Reporter abuse_ch
Tags:com exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation List from Mynautos.com
Verdict:
Suspicious activity
Analysis date:
2021-08-18 07:57:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/db31147c-28a0-493c-bb7e-5929ac849727

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180236/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.998-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Deleting of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41d04f89-d058-4299-a94c-7369f25ee459
Result
Threat name:
AveMaria SmokeLoader UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834937
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Powershell Defender Exclusion
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected SmokeLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467368 Sample: Quotation List from Mynautos.com Startdate: 18/08/2021 Architecture: WINDOWS Score: 100 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 10 other signatures 2->84 10 Quotation List from Mynautos.exe 3 2->10         started        14 jrrwhdth.exe 3 2->14         started        process3 file4 64 C:\...\Quotation List from Mynautos.exe.log, ASCII 10->64 dropped 102 Injects a PE file into a foreign processes 10->102 16 Quotation List from Mynautos.exe 10->16         started        104 Machine Learning detection for dropped file 14->104 19 jrrwhdth.exe 14->19         started        signatures5 process6 signatures7 74 Maps a DLL or memory area into another process 16->74 76 Checks if the current machine is a virtual machine (disk enumeration) 16->76 21 explorer.exe 3 8 16->21 injected 26 WFngnIiLbwibhodnbLgF.exe 16->26 injected 28 WFngnIiLbwibhodnbLgF.exe 16->28 injected process8 dnsIp9 68 mynah505.com.kz 176.119.1.100, 49708, 49710, 49711 WS171-ASRU Ukraine 21->68 70 www.msftncsi.com 21->70 58 C:\Users\user\AppData\...\jrrwhdth.exe, PE32 21->58 dropped 60 C:\Users\user\AppData\Local\...\9EA8.tmp.exe, PE32 21->60 dropped 62 C:\Users\...\jrrwhdth.exe:Zone.Identifier, ASCII 21->62 dropped 86 System process connects to network (likely due to code injection or exploit) 21->86 88 Benign windows process drops PE files 21->88 90 Injects code into the Windows Explorer (explorer.exe) 21->90 92 2 other signatures 21->92 30 9EA8.tmp.exe 5 4 21->30         started        34 explorer.exe 21->34         started        36 explorer.exe 21->36         started        38 9 other processes 21->38 file10 signatures11 process12 dnsIp13 66 C:\ProgramData\images.exe, PE32 30->66 dropped 106 Antivirus detection for dropped file 30->106 108 Machine Learning detection for dropped file 30->108 110 Contains functionality to inject threads in other processes 30->110 128 5 other signatures 30->128 41 images.exe 30->41         started        44 powershell.exe 26 30->44         started        112 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 34->112 114 Hijacks the control flow in another process 34->114 116 Changes memory attributes in foreign processes to executable or writable 34->116 118 Writes to foreign memory regions 36->118 130 2 other signatures 36->130 46 sihost.exe 36->46 injected 72 91.193.75.183, 1014, 49717, 49718 DAVID_CRAIGGG Serbia 38->72 120 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 38->120 122 Tries to steal Mail credentials (via file access) 38->122 124 Tries to harvest and steal browser information (history, passwords, etc) 38->124 126 Allocates memory in foreign processes 38->126 48 powershell.exe 38->48         started        50 cmd.exe 38->50         started        file14 signatures15 process16 signatures17 94 Antivirus detection for dropped file 41->94 96 Machine Learning detection for dropped file 41->96 98 Contains functionality to inject threads in other processes 41->98 100 3 other signatures 41->100 52 conhost.exe 44->52         started        54 conhost.exe 48->54         started        56 conhost.exe 50->56         started        process18
Detection:
warzone
Create hunting rule
Link:
https://mwdb.cert.pl/sample/278b7b56fbd477d441cc898216fd90c9fa1a84a143b4a2502770c205066a6622/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 07:54:10 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6fxwvx32r35iqomrgbbn7mqzh5bvbfbio2keubhodbakbtkmyra._file
Verdict:
malicious
Similar samples:
18cd059c6141fcff83f1a715a3599a35e18ee0e41500844ae9691f62df264d6e
Smoke Loader
2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe
Smoke Loader
67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3
Smoke Loader
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
Smoke Loader
8f32a2bc4817137939fbd615fbcbab4c93dd0305e9d407ec6de706483c50556e
Smoke Loader
9420352e6f0bd18b2e3cd99144ab76c1fca76b96bdba6e07b83bd5d1d2fb790b
Smoke Loader
b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903
Smoke Loader
c161bd7b9f5628752b0533e63eb86d01c32ef55e2cc52e7763273c51e5ed651e
Smoke Loader
cb76c19c178a71a5115ee308b51de416255de06d4e8226fdda8e59275a519c14
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
+ 389 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210818-bz26zeka96/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
SmokeLoader
Malware Config
C2 Extraction:
http://mynah505.com.kz/mynah/
http://mynah506.com.kz/mynah/
Unpacked files
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/64f4b175-f06b-48be-930f-99b9f8642843/
SH256 hash:
dcc2bb83a23013c646b926f5efaca27b2a653ed593ff02df9a41bb7f025baac3
MD5 hash:
76f4c56ec7897f402749edd4c7ada27b
SHA1 hash:
6cb4eebc381f3340a50095a767954a50d6c6dd32
Link:
https://www.unpac.me/results/64f4b175-f06b-48be-930f-99b9f8642843/
SH256 hash:
0bef680512b51843334daf6f9db30cda8a2ee267156bbecc490b8bb4575253f5
MD5 hash:
864e97a2476703dc4bf837a5c46e4664
SHA1 hash:
12a703759f7969f350875a0ca6ccd3e6e194a6e7
Detections:
win_smokeloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/64f4b175-f06b-48be-930f-99b9f8642843/
SH256 hash:
278b7b56fbd477d441cc898216fd90c9fa1a84a143b4a2502770c205066a6622
MD5 hash:
8271a4695ba3e22e0b5e027918864f5e
SHA1 hash:
9e51d39317fbb331e77437a1c51b74864bb3fc4a
Link:
https://www.unpac.me/results/64f4b175-f06b-48be-930f-99b9f8642843/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/278b7b56fbd477d441cc898216fd90c9fa1a84a143b4a2502770c205066a6622

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180236/

Comments