MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3
SHA3-384 hash: 4af0fd9a95d352814e98a0d95d02055cedb935eb5ad0c6a1f5831ef31b1336aaa4b16c9c9f7666f2f5e4c9553d0333c4
SHA1 hash: 886657fc7b42065ad7189fd94ccca1a8b82be61f
MD5 hash: 40cf3cac4e549231ca46024d323553c2
humanhash: pizza-stream-charlie-stairway
File name:NEW RFQ D-OP1043 from Canada.com
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:466'944 bytes
First seen:2020-10-19 06:43:47 UTC
Last seen:2020-10-19 08:24:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 95b8200c64a95fede2250a413917beb4 (1 x Smoke Loader)
ssdeep 6144:hJRU0iITQSaeJYTVxh2mlUkq8mspIREUuG69SfHNpWY7GuxgLjvebntph:nRqEQfeJYT4KUkq8fpI9u79G7GDgt
Threatray 45 similar samples on MalwareBazaar
TLSH 12A4AE05631ADEBBE36315B14D65A83558A8EA710F2F08D3BBC5AC9E963DDC13B31306
Reporter abuse_ch
Tags:com Smoke Loader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: regular1.263xmail.com
Sending IP: 211.150.70.205
From: Miya <sale01@zhonglanindustry.com>
Subject: Re: NEW RFQ D-OP1043, UPDATED
Attachment: NEW RFQ D-OP1043 from Canada.ace (contains "NEW RFQ D-OP1043 from Canada.com")

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72756/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.39403.10137.18740.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
DNS request
Creating a process from a recently created file
Launching a process
Reading critical registry keys
Deleting a recently created file
Setting browser functions hooks
Unauthorized injection to a recently created process
Connection attempt to an infection source
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a browser process
Unauthorized injection to a system process
Result
Threat name:
Osiris SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494880
Signature
Antivirus detection for dropped file
Benign windows process drops PE files
Checks if the current machine is a virtual machine (disk enumeration)
Detected Osiris Trojan
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299899 Sample: NEW RFQ D-OP1043 from Canada.com Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 45 canonicalizer.ucsuri.tcs 2->45 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for dropped file 2->59 61 7 other signatures 2->61 10 NEW RFQ D-OP1043 from Canada.exe 1 2->10         started        14 gacidtdb.exe 2->14         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\...\Liebert.bmp, PE32 10->43 dropped 79 Maps a DLL or memory area into another process 10->79 16 NEW RFQ D-OP1043 from Canada.exe 10->16         started        81 Multi AV Scanner detection for dropped file 14->81 83 Machine Learning detection for dropped file 14->83 signatures6 process7 signatures8 51 Maps a DLL or memory area into another process 16->51 53 Checks if the current machine is a virtual machine (disk enumeration) 16->53 19 explorer.exe 8 16->19 injected process9 dnsIp10 47 mynah505.com.kz 176.119.1.100, 49735, 49736, 49737 WS171-ASRU Ukraine 19->47 49 www.msftncsi.com 19->49 37 C:\Users\user\AppData\...\gacidtdb.exe, PE32 19->37 dropped 39 C:\Users\user\AppData\Local\...\8841.tmp.exe, PE32 19->39 dropped 41 C:\Users\...\gacidtdb.exe:Zone.Identifier, ASCII 19->41 dropped 63 Benign windows process drops PE files 19->63 65 Injects code into the Windows Explorer (explorer.exe) 19->65 67 Writes to foreign memory regions 19->67 69 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->69 24 explorer.exe 8 19->24         started        27 8841.tmp.exe 19->27         started        29 explorer.exe 19->29         started        31 7 other processes 19->31 file11 signatures12 process13 signatures14 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->71 73 Tries to steal Mail credentials (via file access) 24->73 75 Tries to harvest and steal browser information (history, passwords, etc) 24->75 77 Machine Learning detection for dropped file 27->77 33 sihost.exe 29->33 injected 35 wdjcNqPErpzI.exe 31->35 injected process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 22:57:32 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6ztol7c2rvcaj4krrme27mdd6bs5hp2266yqdogd6ojpmczbprq._file
Verdict:
malicious
Similar samples:
1765e5f0ee49b2b6cf4a7361bbaac484f15c6c1d003de02338fffdb615e831d8
Smoke Loader
2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe
Smoke Loader
2ba5b16b9ce46066c1122bad1fc5feb3de0743451c6603b98e3d0ffe6f9cc019
Smoke Loader
91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f
Smoke Loader
95a4cf409c7e7813bfa744598bee2e0e572b2d05ec31622867237ea6dab8a813
Smoke Loader
9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63
Smoke Loader
a7ed52eaed3c431823109509515c36b6bf45aab634606980509950674f018f88
Smoke Loader
d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
e91568f40d148d2bdf04cf14156febbbb0d72e10b876c38d0900e0a66cb8706f
Smoke Loader
+ 35 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor family:smokeloader
Link:
https://tria.ge/reports/201019-q7eg2dvcha/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
SmokeLoader
Malware Config
C2 Extraction:
http://mynah505.com.kz/mynah/
http://mynah506.com.kz/mynah/
Unpacked files
SH256 hash:
a4121247b574f72fc128237abfffe3b67cd8b996f7b367935cac50ebd3d29296
MD5 hash:
933ca775acc6f71052a703280bbc89ea
SHA1 hash:
e7216836f7824a77b8a182d0024e32bfd605a4c8
Link:
https://www.unpac.me/results/fe034ca7-ec20-431f-bfb6-fc0791df6454/
SH256 hash:
67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3
MD5 hash:
40cf3cac4e549231ca46024d323553c2
SHA1 hash:
886657fc7b42065ad7189fd94ccca1a8b82be61f
Link:
https://www.unpac.me/results/fe034ca7-ec20-431f-bfb6-fc0791df6454/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

zip 20df44eabae2079c7a21b0beb7b597aa1b939efbf4868f2f097a27f58cd1a22b

Smoke Loader

Executable exe 67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3

(this sample)

  
Dropped by
MD5 004f934e72413ed05ffbefe01dbe1663
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72756/
  
Dropped by
SHA256 20df44eabae2079c7a21b0beb7b597aa1b939efbf4868f2f097a27f58cd1a22b

Comments