MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 875806c077ad2a9fc5a2c87fa0837f97c07ac731215428a88784d0bf5a7d6f25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Smoke Loader
Vendor detections: 7
| SHA256 hash: | 875806c077ad2a9fc5a2c87fa0837f97c07ac731215428a88784d0bf5a7d6f25 |
|---|---|
| SHA3-384 hash: | 79cf078aa192814935e9ad4382132e6b7b0cdeddeb946346d9c7f234ddc2c1ff18d7068bdf61ed32a45706732ad6b75c |
| SHA1 hash: | 5081d7c1d67e72a106ae4d4c616bdcbc00bc6373 |
| MD5 hash: | 777036e41d7f56674096e0657f658cd2 |
| humanhash: | lamp-bulldog-river-alabama |
| File name: | Invoice 21PTAES2110-2.pif |
| Download: | download sample |
| Signature | Smoke Loader |
| File size: | 177'664 bytes |
| First seen: | 2020-08-14 10:22:26 UTC |
| Last seen: | 2020-08-14 11:01:29 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 1536:voNZhjkVIgAOQ2IY+Vdt9vECGQ9eksmxROWlZGrVCzI:gNZhYhQa+VuCGJT6jlZGv |
| Threatray | 513 similar samples on MalwareBazaar |
| TLSH | 970430479A8C6FCFD47753B898A15C2083E87A7F8391E3693D51028E4BE7EC06FA5905 |
| Reporter |  abuse_ch |
| Tags: | Dofoil HostGator pif Smoke Loader |
abuse_ch
Malspam distributing Smoke Loader:HELO: gateway33.websitewelcome.com
Sending IP: 192.185.146.85
From: Mahardika Putranto <vendas@correntesttc.com.br>
Reply-To: morgansh@speedy.com.ar
Subject: Balanced Payment - PO 21PTAES2110-2-TBK
Attachment: Invoice 21PTAES2110-2.gz (contains "Invoice 21PTAES2110-2.pif")
Smoke Loader payload URL:
https://paste.ee/r/pdgk5
Smoke Loader C2:
http://5by80.com/1/
Intelligence
File Origin
# of uploads :
2
# of downloads :
704
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Changing a file
Creating a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connection attempt
Sending an HTTP POST request
Reading critical registry keys
Creating a window
Setting browser functions hooks
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
56 / 100
Signature
Connects to a pastebin service (likely for C&C)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Behaviour
Behavior Graph:
Threat name:
Win32.Downloader.Starpast
Status:
Malicious
First seen:
2020-08-14 10:24:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
3/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 503 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Score:
10/10
Tags:
trojan backdoor family:smokeloader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Blacklisted process makes network request
SmokeLoader
Malware Config
C2 Extraction:
http://185.35.137.147/mlp/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.