MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c019c670f05ca8797454be6c73de265381e5fd9fc7ef921263e3f982c8004a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c019c670f05ca8797454be6c73de265381e5fd9fc7ef921263e3f982c8004a5
SHA3-384 hash: 537f7bdb699ee094dc5ae6e8de7b585ac3437cb9e14e002b5249b1036f40dceb18bafb5c421d00b3140c32a27076045c
SHA1 hash: 45b50040d03f5023b92e6fea757899763fd307ee
MD5 hash: 6326f671df5dbe2eef24b00f11961fed
humanhash: triple-alanine-wyoming-potato
File name:Invoice 00028408.pif
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:177'664 bytes
First seen:2020-08-14 08:12:11 UTC
Last seen:2020-08-14 09:02:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:gNZhjkVIgAOQ2IY+VPP71lKGNGhHfvECGGeeksakxROWlZGdVCzw:gNZhYhQa+Vn5CGeTakjlZGZ
Threatray 513 similar samples on MalwareBazaar
TLSH 6E04514B668C6FCFD47763B898A1582093EC7E3F8395E7693D11028E47E7E802FA5941
Reporter abuse_ch
Tags:pif Smoke Loader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hotmail.com
Sending IP: 27.254.32.17
From: R.E. DOWNES PTY LTD <sales80@redownes.com.au>
Reply-To: <office@redownes.com.au>
Subject: Invoice 00028408; From R.E. DOWNES PTY Ltd. ENNITPBLYE
Attachment: Invoice 00028408.rar (contains "Invoice 00028408.pif")

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45606/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilF.34152.km0@aSEur7h.20385.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Sending a UDP request
Launching a process
Changing a file
Creating a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connection attempt
Sending an HTTP POST request
Reading critical registry keys
Setting browser functions hooks
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/428920
Signature
Benign windows process drops PE files
Bypasses PowerShell execution policy
Changes memory attributes in foreign processes to executable or writable
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 266953 Sample: Invoice 00028408.pif Startdate: 15/08/2020 Architecture: WINDOWS Score: 100 84 Malicious sample detected (through community Yara rule) 2->84 86 Yara detected SmokeLoader 2->86 88 Executable has a suspicious name (potential lure to open the executable) 2->88 90 5 other signatures 2->90 10 Invoice 00028408.exe 15 15 2->10         started        14 bchhrssi.exe 2 2->14         started        process3 dnsIp4 68 pastecode.xyz 10->68 70 paste.ee 104.18.49.20, 443, 49742, 49743 CLOUDFLARENETUS United States 10->70 62 C:\Users\user\...\Invoice 00028408.exe.log, ASCII 10->62 dropped 16 powershell.exe 14 16 10->16         started        19 conhost.exe 10->19         started        21 conhost.exe 14->21         started        file5 process6 dnsIp7 66 paste.ee 16->66 23 MSBuild.exe 16->23         started        26 MSBuild.exe 16->26         started        28 MSBuild.exe 16->28         started        process8 signatures9 106 Maps a DLL or memory area into another process 23->106 30 explorer.exe 4 23->30 injected process10 dnsIp11 72 5by80.com 74.208.236.2, 49759, 80 ONEANDONE-ASBrauerstrasse48DE United States 30->72 74 www.msftncsi.com 30->74 64 C:\Users\user\AppData\...\bchhrssi.exe, PE32 30->64 dropped 76 Benign windows process drops PE files 30->76 78 Injects code into the Windows Explorer (explorer.exe) 30->78 80 Writes to foreign memory regions 30->80 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->82 35 explorer.exe 30->35         started        38 explorer.exe 30->38         started        40 explorer.exe 30->40         started        42 13 other processes 30->42 file12 signatures13 process14 signatures15 92 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 35->92 94 Hijacks the control flow in another process 35->94 96 Changes memory attributes in foreign processes to executable or writable 35->96 44 dViWwevoArFFrXynBBlInGgOxlBo.exe 35->44 injected 46 dViWwevoArFFrXynBBlInGgOxlBo.exe 35->46 injected 60 2 other processes 35->60 98 Writes to foreign memory regions 38->98 100 Maps a DLL or memory area into another process 38->100 102 Creates a thread in another existing process (thread injection) 38->102 48 dViWwevoArFFrXynBBlInGgOxlBo.exe 38->48 injected 50 dViWwevoArFFrXynBBlInGgOxlBo.exe 38->50 injected 52 sihost.exe 40->52 injected 54 taskhostw.exe 40->54 injected 56 SearchUI.exe 40->56 injected 104 Tries to steal Mail credentials (via file access) 42->104 58 ShellExperienceHost.exe 42->58 injected process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c019c670f05ca8797454be6c73de265381e5fd9fc7ef921263e3f982c8004a5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 08:14:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqazyzypaxfipf2fjptmoppcmu4b4x6z7r7psijghy7zqleaassq._file
Verdict:
malicious
Similar samples:
0c3ffcd5a7623471ea4ebd0df78300568f641bba314b956f5837c2b829c87334
Smoke Loader
50871371de6754f17507213f50bd7748814f8a99899599f835701c5a772c89c7
Smoke Loader
62b720cfb1c69f4b21f4bd55c8e7fa1cfd71da081db1afbbed005dfc010c9bfb
Smoke Loader
849af25a67d831b8e5d90cc6e4b51014a3a4d9f474f7363865cbd98c4dc0ea5a
Smoke Loader
96e4ab3ae8f4486ee0bab405d20c7e00b886072257e8b089ed2dccb39032bcee
Smoke Loader
b1cd81ef90363936ef04a6d5cabb539bbc4a89a25b6baf6777e1a3e373455f40
Smoke Loader
b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35
Smoke Loader
bdea2102c3465c5e71aa3a0e2d19d1d9f9ec7002e3775f4c7595361252fa96bc
Smoke Loader
d7a340421f260de130a285233b110130fbccd2f26f1f70fc1600bf2855073017
Smoke Loader
e942c853f791a2ebd37ae59344bf8878d9a02cdcb83848a68876c49497c642d2
Smoke Loader
+ 503 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor family:smokeloader
Link:
https://tria.ge/reports/200814-nzfkxqpbk6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Blacklisted process makes network request
SmokeLoader
Malware Config
C2 Extraction:
http://185.35.137.147/mlp/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/5c019c670f05ca8797454be6c73de265381e5fd9fc7ef921263e3f982c8004a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

rar fdf43da3ebe18a52cda9fedcc677b9266df348944ce1c2a9190da4c478d45dad

Smoke Loader

Executable exe 5c019c670f05ca8797454be6c73de265381e5fd9fc7ef921263e3f982c8004a5

(this sample)

  
Dropped by
MD5 6e39041b225a11623931830b491618ae
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45606/
  
Dropped by
SHA256 fdf43da3ebe18a52cda9fedcc677b9266df348944ce1c2a9190da4c478d45dad

Comments