MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 62b720cfb1c69f4b21f4bd55c8e7fa1cfd71da081db1afbbed005dfc010c9bfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Smoke Loader
Vendor detections: 6
| SHA256 hash: | 62b720cfb1c69f4b21f4bd55c8e7fa1cfd71da081db1afbbed005dfc010c9bfb |
|---|---|
| SHA3-384 hash: | c04d940a9d69fd62e800d41ad66b6204bb6d2c330a17f3a2677d8d68ba1ae4e2ba401dbd9d51c5b2c13b4cc6ef2d3235 |
| SHA1 hash: | 3aa0a9adcdeafbdc8e3d70371b67caf7c1059297 |
| MD5 hash: | 8823f3efc24472eb77bedf4d03855b21 |
| humanhash: | network-white-undress-carolina |
| File name: | 8823f3efc24472eb77bedf4d03855b21.doc |
| Download: | download sample |
| Signature | Smoke Loader |
| File size: | 834'043 bytes |
| First seen: | 2020-09-08 00:09:07 UTC |
| Last seen: | Never |
| File type: |  doc |
| MIME type: | text/rtf |
| ssdeep | 24576:5iBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBiBio7:gYYYYYYYYYYYYYYYYYYYYYYYYK |
| TLSH | BD05CFF4669188D2EBAF4B4761589DCC6635217FFACB21880092FF981D77662CB0DCC6 |
| Reporter |  theDark3d |
| Tags: | doc Smoke Smoke Loader SmokeLoader |
Intelligence
File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27301.RtfHeur.BadVer.UNOFFICIAL
SecuriteInfo.com.FakeRTF-2.UNOFFICIAL
MiscreantPunch.RTF.2017-0199.Obfus.170830.UNOFFICIAL
MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL
TwinWave.EvilDoc.DOCXSTRGOOD.RTFSTR._EQUATION.200422.UNOFFICIAL
TwinWave.EvilDoc.RTFFakeVersionWithObjUpdateUKSurfMix.20200514.UNOFFICIAL
SecuriteInfo.com.FakeRTF-2.UNOFFICIAL
MiscreantPunch.RTF.2017-0199.Obfus.170830.UNOFFICIAL
MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL
TwinWave.EvilDoc.DOCXSTRGOOD.RTFSTR._EQUATION.200422.UNOFFICIAL
TwinWave.EvilDoc.RTFFakeVersionWithObjUpdateUKSurfMix.20200514.UNOFFICIAL
Result
Verdict:
Malware
Maliciousness:
Behaviour
Launching a process
Creating a window
DNS request
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connection attempt
Sending an HTTP POST request
Launching a service
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Setting browser functions hooks
Possible injection to a system process
Sending an HTTP GET request
Launching a file downloaded from the Internet
Stealing user critical data
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Threat name:
Document-RTF.Exploit.CVE-2017-11882
Status:
Malicious
First seen:
2020-09-08 00:11:05 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
smokeloader
Score:
10/10
Tags:
trojan backdoor family:smokeloader
Behaviour
Launches Equation Editor
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in System32 directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://abcphonics.app/2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Bloodhound
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.