MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d45566376f6d2724f2a799784589f52751abf462064bbfb9f5bab134ecd120c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	5d45566376f6d2724f2a799784589f52751abf462064bbfb9f5bab134ecd120c
SHA3-384 hash:	49ec94aebd72a427acad67fe4bfd8fd368b9a97f749cf8fa4d8d9d397b68818605b6ea41ccf31126654c0a03a51591e2
SHA1 hash:	40961b3f3fe534a2406bec6450f8ac091e5ea2a0
MD5 hash:	a8999030ecf89567824477c92449d323
humanhash:	august-nevada-montana-triple
File name:	MegaPaymentAdvice0023022022.xll
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	650'240 bytes
First seen:	2022-02-23 12:13:30 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep	12288:I0Ws7IMsR4yVld8bzbBSreLBY4ZyrE7K3yl8PeVooA/AB2LEJZsAQPUqjr:I0bskX17BY4ZyrE7K3yl8PeVooA/AB2f
Threatray	47 similar samples on MalwareBazaar
TLSH	T1F6D46D55BECA6EA1EFBF47B78361DA2D1126736D03A0A6CF6603019D3951FC2453EA03
Reporter	abuse_ch
Tags:	Smoke Loader xll

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MegaPaymentAdvice0023022022.exe

Verdict:

No threats detected

Analysis date:

2022-02-23 09:28:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5d90f00a-0ae2-4c8d-a637-ca53b33d7619

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Generic-9939833-0

SecuriteInfo.com.Trojan.DownloaderNET.312.27193.19952.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/5d45566376f6d2724f2a799784589f52751abf462064bbfb9f5bab134ecd120c/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware packed packed

Link:

https://www.filescan.io/uploads/62162516875593a3cc0a495a/reports/2004da4b-2967-4930-a3d0-1a455e921c44/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5d45566376f6d2724f2a799784589f52751abf462064bbfb9f5bab134ecd120c/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2022-02-23 08:17:32 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lvcvmy3w63jhetzkpglyiwe7kj2rvp2gebslx647lovrgtwnciga._file

Verdict:

unknown

Smoke Loader

12b746c0b5556ef44be803c0ebb7dbfccbacd3a4f8df1b783d4730a311209cdd

Smoke Loader

1bf8c12c3dadffb6d0b9dfbebd78a15bed670640830c0f41369ea6137c2aeb1d

Smoke Loader

4a9683f3b6658f4895cd3d44c4920d77db5dfd410cf0dc188e4f4d2740c24539

Smoke Loader

727f124333294aaba156840955cbfc6ac7470768c65c1582c5e0dbfcb6f8722f

Smoke Loader

864b3cc362f84975007a63ae6f7fa6b4bdcc06f4459195896ebee385443ed44a

Smoke Loader

9b682330445e8eb6445cc43968e21ae3ffe1b9d8c3ae5210c9a8d12416315d5d

Smoke Loader

c61b6512d455398c2ff7fa4450c488e7eaeb8aacc01f732d8204ae302e2cc868

Smoke Loader

d724eef097700915a348d42dcfa0255e3edb3c644cf8740fd052cddab2c81b54

Smoke Loader

dcb880afbaa7e57f574b4e08595ef2c1ac7100a695359c1edc9af535d7f9e64f

Smoke Loader

+ 37 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:guloader family:smokeloader backdoor collection downloader trojan

Link:

https://tria.ge/reports/220223-pebq8sbchk/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks QEMU agent file

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

Guloader,Cloudeye

SmokeLoader

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5d45566376f6d2724f2a799784589f52751abf462064bbfb9f5bab134ecd120c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample