MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9420352e6f0bd18b2e3cd99144ab76c1fca76b96bdba6e07b83bd5d1d2fb790b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9420352e6f0bd18b2e3cd99144ab76c1fca76b96bdba6e07b83bd5d1d2fb790b
SHA3-384 hash: f963b9d8f989a1bab261798031657996f61d8b14d44d4d2603e8ad748378da1fc5b02a3256ef7c718dc3a707f7fba234
SHA1 hash: aa0296d7a713689dd6a3b4b4d10fdf0720d44a4a
MD5 hash: b57028af601138a20909e11bd5cb684b
humanhash: monkey-alanine-six-tennis
File name:Signed Alibaba RFQ_TXT_DOC.Pif
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:649'728 bytes
First seen:2021-03-31 07:04:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JLKnBBImHoAlHNxOmpSq0MqgUVrS+JSEC0lIj:xmllH
Threatray 122 similar samples on MalwareBazaar
TLSH 82D4C7AA307E135DDEB59630F7A449B35B8725323F92FE3B249312045C5B76AFA0E460
Reporter abuse_ch
Tags:pif Smoke Loader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: regular1.263xmail.com
Sending IP: 211.150.70.204
From: Beatrice Lyu <sales-shanghai@zeppelin-china.com>
Subject: RE: payment and invoice for WL19205
Attachment: Signed Trade RFQ_TXT_DOC.zip (contains "Signed Alibaba RFQ_TXT_DOC.Pif")

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Signed Alibaba RFQ_TXT_DOC.Pif
Verdict:
Suspicious activity
Analysis date:
2021-03-31 07:37:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e78783ae-972b-4178-999b-561e3e6a7e29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129183/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.576-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Osiris AveMaria SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/659819
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected Osiris Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378835 Sample: Signed Alibaba RFQ_TXT_DOC.Pif Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for domain / URL 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for dropped file 2->60 62 10 other signatures 2->62 9 Signed Alibaba RFQ_TXT_DOC.exe 4 2->9         started        12 fvcutvcd.exe 2 2->12         started        process3 signatures4 72 Adds a directory exclusion to Windows Defender 9->72 74 Injects a PE file into a foreign processes 9->74 14 Signed Alibaba RFQ_TXT_DOC.exe 9->14         started        17 powershell.exe 24 9->17         started        76 Detected unpacking (changes PE section rights) 12->76 78 Detected unpacking (overwrites its own PE header) 12->78 process5 signatures6 106 Maps a DLL or memory area into another process 14->106 108 Checks if the current machine is a virtual machine (disk enumeration) 14->108 19 explorer.exe 3 8 14->19 injected 24 conhost.exe 17->24         started        process7 dnsIp8 52 mynah505.com.kz 176.119.1.100, 49715, 49716, 49718 WS171-ASRU Ukraine 19->52 54 www.msftncsi.com 19->54 44 C:\Users\user\AppData\...\fvcutvcd.exe, PE32 19->44 dropped 46 C:\Users\user\AppData\Local\...\A01E.tmp.exe, PE32 19->46 dropped 48 C:\Users\...\fvcutvcd.exe:Zone.Identifier, ASCII 19->48 dropped 64 System process connects to network (likely due to code injection or exploit) 19->64 66 Benign windows process drops PE files 19->66 68 Injects code into the Windows Explorer (explorer.exe) 19->68 70 2 other signatures 19->70 26 explorer.exe 19->26         started        29 explorer.exe 19->29         started        31 A01E.tmp.exe 2 19->31         started        34 8 other processes 19->34 file9 signatures10 process11 file12 80 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 26->80 82 Hijacks the control flow in another process 26->82 84 Changes memory attributes in foreign processes to executable or writable 26->84 36 gikPEGtBeIfcagtqxbuqbs.exe 26->36 injected 38 gikPEGtBeIfcagtqxbuqbs.exe 26->38 injected 86 Writes to foreign memory regions 29->86 88 Maps a DLL or memory area into another process 29->88 90 Creates a thread in another existing process (thread injection) 29->90 40 sihost.exe 29->40 injected 42 taskhostw.exe 29->42 injected 50 C:\Users\user\AppData\Local\...\Liebert.bmp, PE32 31->50 dropped 92 Multi AV Scanner detection for dropped file 31->92 94 Detected Osiris Trojan 31->94 96 Machine Learning detection for dropped file 31->96 98 Sample uses process hollowing technique 31->98 100 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 34->100 102 Tries to steal Mail credentials (via file access) 34->102 104 Tries to harvest and steal browser information (history, passwords, etc) 34->104 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9420352e6f0bd18b2e3cd99144ab76c1fca76b96bdba6e07b83bd5d1d2fb790b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 07:05:13 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqqdkltpbpiywlr43giujk3wyh6ko24wxw5g4b5yhpk5dux3pefq._file
Verdict:
malicious
Similar samples:
2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe
Smoke Loader
67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3
Smoke Loader
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
Smoke Loader
8f32a2bc4817137939fbd615fbcbab4c93dd0305e9d407ec6de706483c50556e
Smoke Loader
91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f
Smoke Loader
b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903
Smoke Loader
c161bd7b9f5628752b0533e63eb86d01c32ef55e2cc52e7763273c51e5ed651e
Smoke Loader
cb76c19c178a71a5115ee308b51de416255de06d4e8226fdda8e59275a519c14
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Smoke Loader
+ 112 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210331-mh8gbv9etj/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
SmokeLoader
Malware Config
C2 Extraction:
http://mynah505.com.kz/mynah/
http://mynah506.com.kz/mynah/
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/d13debfb-82f9-40ca-af83-6293e7adfa0a/
SH256 hash:
9420352e6f0bd18b2e3cd99144ab76c1fca76b96bdba6e07b83bd5d1d2fb790b
MD5 hash:
b57028af601138a20909e11bd5cb684b
SHA1 hash:
aa0296d7a713689dd6a3b4b4d10fdf0720d44a4a
Link:
https://www.unpac.me/results/d13debfb-82f9-40ca-af83-6293e7adfa0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/9420352e6f0bd18b2e3cd99144ab76c1fca76b96bdba6e07b83bd5d1d2fb790b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

zip 2cfe6c2923835f1115ef597905029c8f1331b46812f8ec2000e71785c29b90e2

Smoke Loader

Executable exe 9420352e6f0bd18b2e3cd99144ab76c1fca76b96bdba6e07b83bd5d1d2fb790b

(this sample)

  
Dropped by
MD5 ac0329cb18bcfc52a17d5e710e13bac7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2cfe6c2923835f1115ef597905029c8f1331b46812f8ec2000e71785c29b90e2
Cape
Cape
https://www.capesandbox.com/analysis/129183/

Comments