MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ce9d6aba2f689b9fe636f0bc29cd7202608d0f84730b49ab3a894e0eecb6334. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ce9d6aba2f689b9fe636f0bc29cd7202608d0f84730b49ab3a894e0eecb6334
SHA3-384 hash: 4bcab15461c59f6c961a2e2bfa6e69cf3c309d1b0e3c5fc4b69d0dcefa34d01b45cdc82a283637c99eee034a9047e2ab
SHA1 hash: e56b2d64134d0af287018430e90e7c8404676540
MD5 hash: bcf668ef90851c26d0413a3be51d7082
humanhash: mirror-friend-hotel-butter
File name:рахунок_вiд_12_07_2023_до_оплати.vbs
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:23'423 bytes
First seen:2023-07-13 07:39:11 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:8c3Pr/LWAC9Kt30KrR3FeZWwOYFFOLqOPe8IHM9NiMfOXdl82F4l3vM7:fltFeA3qOh28s4q
Threatray 2'289 similar samples on MalwareBazaar
TLSH T190B25F6D034FA8FC9773ACC84AD5AC53FB74872A4A6CDAC49F30AEEA2414174A0F551D
Reporter abuse_ch
Tags:Dofoil Smoke Loader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/417276/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.3260.3326.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
VBS/Dldr.Agent
Link:
https://www.hybrid-analysis.com/sample/7ce9d6aba2f689b9fe636f0bc29cd7202608d0f84730b49ab3a894e0eecb6334
Result
Verdict:
MALICIOUS
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1272232
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download HTTP data from a sinkholed server
Tries to resolve many domain names, but no domain seems valid
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1272232 Sample: 42#U0438.vbs Startdate: 13/07/2023 Architecture: WINDOWS Score: 100 52 Tries to download HTTP data from a sinkholed server 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 6 other signatures 2->58 9 wscript.exe 1 2->9         started        12 ajvhbth 2->12         started        process3 signatures4 72 VBScript performs obfuscated calls to suspicious functions 9->72 74 Wscript starts Powershell (via cmd or directly) 9->74 76 PowerShell case anomaly found 9->76 14 cmd.exe 1 9->14         started        78 Detected unpacking (changes PE section rights) 12->78 80 Machine Learning detection for dropped file 12->80 82 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->82 84 3 other signatures 12->84 process5 signatures6 86 Suspicious powershell command line found 14->86 88 Wscript starts Powershell (via cmd or directly) 14->88 90 Encrypted powershell cmdline option found 14->90 92 2 other signatures 14->92 17 powershell.exe 14 18 14->17         started        22 conhost.exe 14->22         started        process7 dnsIp8 42 liverpulapp.ru 193.106.174.173, 49710, 49711, 49712 IQHOSTRU Russian Federation 17->42 44 samoramertut.ru 17->44 36 C:\Users\user\AppData\Local\Temp\2.exe, PE32 17->36 dropped 38 C:\Users\user\AppData\Local\Temp\1.exe, PE32 17->38 dropped 60 Powershell drops PE file 17->60 24 1.exe 17->24         started        27 2.exe 17->27         started        file9 62 System process connects to network (likely due to code injection or exploit) 42->62 signatures10 process11 signatures12 64 Detected unpacking (changes PE section rights) 24->64 66 Machine Learning detection for dropped file 24->66 68 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 24->68 70 3 other signatures 24->70 29 explorer.exe 6 2 24->29 injected 34 WerFault.exe 3 10 27->34         started        process13 dnsIp14 46 zakolibal.online 29->46 48 zaikaopentra.com.ug 29->48 50 44 other IPs or domains 29->50 40 C:\Users\user\AppData\Roaming\ajvhbth, PE32 29->40 dropped 94 System process connects to network (likely due to code injection or exploit) 29->94 96 Benign windows process drops PE files 29->96 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->98 file15 100 Tries to resolve many domain names, but no domain seems valid 48->100 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ce9d6aba2f689b9fe636f0bc29cd7202608d0f84730b49ab3a894e0eecb6334/
Threat name:
Script-WScript.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-07-13 04:08:39 UTC
File Type:
Text (VBS)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ptu5nk5c62e3t7tdn4f4fhgxeataruhyi4yljgvtvckob3wlmm2a._file
Verdict:
malicious
Similar samples:
02a2eb47b6d8711c8a76cf30e0835a91ae9289540cfc9091ce837b809932c507
Smoke Loader
0c26ec308dc78ef090ebec907e1eb15d6dfdc28a85fa27e0a945fc5354a3e5f9
Smoke Loader
6ba6ba1ad5f6525a76e854affad5bb28d1e59c93bd26d88a9cf1da7b84ed3b27
Smoke Loader
80c8b0971ef6542ced612e91aff7bca5d0ae3462a62b20eea298e3ac20d4df2e
Smoke Loader
93c048fa590c3fc63003ccec29071f13aebda830c4094430445fd996d8cca072
Smoke Loader
b1a03e848235832237fff6c73ddfb785968b66ee3683c2dc1ec1e6be516ac461
Smoke Loader
b92797965358585eadbe928c2b8531c5575caa87cbcef1171a48f1941a10b740
Smoke Loader
de8385440c23789f44c418bdf2e30578559b1c6b142c820f081f81280d1c0888
Smoke Loader
e2890e9fa0e086c87f866ebcf6b83fed7029cc9221ecc19318af45a8608a11e8
Smoke Loader
e7b2ce3363313b6bcc7651b591e5fe8280f0ca40bd1e7652f6376cc3100cc441
Smoke Loader
+ 2'279 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/230713-jhj9wsff98/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
SmokeLoader
Malware Config
C2 Extraction:
http://internetcygane.ru/
http://zallesman.ru/
http://maxteroper.ru/
http://kilomunara.com/
http://napropertyhub.eu/
http://nafillimonilini.net/
http://goodlenuxilam.site/
http://jimloamfilling.online/
http://vertusupportjk.org/
http://liverpulapp.ru/
http://zarabovannyok.eu/
http://cityofuganda.ug/
http://hillespostelnm.eu/
http://jslopasitmon.com/
http://zaikadoctor.ru/
http://sismasterhome.ru/
http://supermarioprohozhdenie.ru/
http://krasavchikoleg.net/
http://samoramertut.ru/
http://polinamailserverip.ru/
http://lamazone.site/
http://criticalosl.tech/
http://maximprofile.net/
http://zaliphone.com/
http://humanitarydp.ug/
http://zaikaopentra.com.ug/
http://zaikaopentra-com-ug.online/
http://infomalilopera.ru/
http://jskgdhjkdfhjdkjhd844.ru/
http://jkghdj2993jdjjdjd.ru/
http://kjhgdj99fuller.ru/
http://azartnyjboy.com/
Dropper Extraction:
http://liverpulapp.ru/htainfo.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

Visual Basic Script (vbs) vbs 7ce9d6aba2f689b9fe636f0bc29cd7202608d0f84730b49ab3a894e0eecb6334

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/417276/

Comments