MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 11
Maldoc score: 7

SHA256 hash: 7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66
SHA3-384 hash: 79a0b0aa2df12753bf46f9d700e5a08d679b301db5aed2fe005ad7f8b54496f2c1a72e2d0888569f8fd38076a562fbe9
SHA1 hash: 724612a3c88f187aa000efe4ff4e9e04c9553696
MD5 hash: 0bd1328012301d04bdc921acb321b820
humanhash: mango-skylark-shade-beryllium
File name: Платіжна інструкція № 472.rtf (Ukrainian: "Payment instruction No. 472")
Signature: Smoke Loader
File size: 108'643 bytes
First seen: 2024-05-23 18:13:17 UTC
Last seen: Never
File type: Word file doc
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 1536:FCuLaHmmF7tG8Q/qk8fowr/5mUpKNEteuEC5/ThAoLCAJZSfx6BrqbyGfh:hLIt7tD/rRmCK6guEC5/ThAQSfxSuGQ
TLSH: T148B349138C0C9B87E02D47F9BE071D9E7A6A475CED8279FE00521ECB7E412524D8A96F
TrID: 53.0% (.DOCM) Word Microsoft Office Open XML Format document (with Macro) (52000/1/9)
      23.9% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
      17.8% (.ZIP) Open Packaging Conventions container (17500/1/4)
      4.0% (.ZIP) ZIP compressed archive (4000/1)
      1.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: abuse_ch
Tags: doc Dofoil rtf Smoke Loader

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 7
OLE dump

MalwareBazaar was able to identify 7 sections in this file using oledump:

Section ID   Section size   Section name
A1           419 bytes      PROJECT
A2           71 bytes       PROJECTwm
A3           2099 bytes     VBA/NewMacros
A4           938 bytes      VBA/ThisDocument
A5           2637 bytes     VBA/_VBA_PROJECT
A6           568 bytes      VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) and found the following information in OLE objects embedded in this file using olevba:

Type         Keyword      Description
AutoExec     AutoOpen     Runs when the Word document is opened
Suspicious   Shell        May run an executable file or a system command
Suspicious   vbHide       May run an executable file or a system command
Suspicious   Powershell   May run PowerShell commands

Intelligence


File Origin
# of uploads: 1
# of downloads: 2'563
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66.doc
Verdict: Malicious activity
Analysis date: 2024-05-23 18:23:20 UTC
Tags: macros macros-on-open opendir loader smokeloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Encryption Execution Generic Network Office Stealth Trojan W2000m

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: Word File with Macro
Behaviour
BlacklistAPI detected
Verdict: Malicious
Labeled as: Msoffice/malicious_confidence_100%
Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Yara detected Powershell download and execute
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 1446716; sample 472.rtf.doc; start date 23/05/2024; architecture WINDOWS; score 100). Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected SmokeLoader; 14 other signatures. Process chain recovered from the graph: WINWORD.EXE started, dropped C:\Users\user\...\~DFF8D2936508DC487F.TMP (Composite) and started cmd.exe (Suspicious command line found); cmd.exe started powershell.exe and timeout.exe (Suspicious powershell command line found; Encrypted powershell cmdline option found); powershell.exe started a second powershell.exe (Encrypted powershell cmdline option found; Drops PE files with benign system names; Powershell drops PE file); the second powershell.exe connected to 45.84.0.173 (ports 49161, 80; ALEXHOSTMD, Russian Federation), dropped C:\Users\user\AppData\Local\...\svchost.exe (PE32) and started it; svchost.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file.
Threat name: Document-Office.Downloader.Powdow
Status: Malicious
First seen: 2024-05-23 06:12:53 UTC
File Type: Document
Extracted files: 24
AV detection: 14 of 24 (58.33%)
Threat level: 3/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor macro trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Office loads VBA resources, possible macro or embedded object present
Program crash
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Process spawned unexpected child process
SmokeLoader
Malware Config
C2 Extraction:
http://rafraystore.ru/index.php
http://picwalldoor.ru/index.php
http://agentsuperpupervinil.ru/index.php
http://vivianstyler.ru/index.php
http://sephoraofficetz.ru/index.php
http://vikompalion.ru/index.php
http://ccbaminumpot.ru/index.php
Dropper Extraction:
http://45.84.0.173/download_22/server.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: office_document_vba
Author: Jean-Philippe Teissier / @Jipe_
Description: Office document with embedded VBA
Reference: https://github.com/jipegit/

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments