MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4ce84d44b0a1fc50208163e1922cce8671210aa3a0528b8a061ec2bfbf5a5f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4ce84d44b0a1fc50208163e1922cce8671210aa3a0528b8a061ec2bfbf5a5f3
SHA3-384 hash: 1c82792dbcb27864313771329d3b93b5c82239a1900557a22d76c56c1a6f521636c102754ea6bdd5cdac8e20f50f51cc
SHA1 hash: dc20b9233e3cc51d0d3ad0cdf9357bc362fa262b
MD5 hash: 5e8780ce8aaf0ca3c0ecb0f9f2fba3e1
humanhash: pluto-eleven-hydrogen-hot
File name:1860sets inquiry.scr
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:457'728 bytes
First seen:2020-10-16 10:48:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:GQgM1TIKgzqUKTPrv47WCQ53pQNCQXqMyOuIgotlEsNZQFXHbTodKSZVPwrk3KO:Zf1UKgzqUwPb3pQ7yOWsjU3oLCP
Threatray 36 similar samples on MalwareBazaar
TLSH C4A4AE316A4ABF10F17D5737A8E4545413FAED019B62C52F3DF236EC5862FA44A32B0A
Reporter abuse_ch
Tags:GMX scr Smoke Loader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mout.gmx.com
Sending IP: 74.208.4.201
From: Anaisha Modill <Anaisha-modip@europe.com>
Subject: Re: WG: Inquiry 17376d
Attachment: 1860sets inquiry.rar (contains "1860sets inquiry.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71927/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% directory
Deleting of the original file
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493453
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Changes memory attributes in foreign processes to executable or writable
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299184 Sample: 1860sets inquiry.scr Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 76 Multi AV Scanner detection for submitted file 2->76 78 Yara detected AntiVM_3 2->78 80 Yara detected SmokeLoader 2->80 82 3 other signatures 2->82 9 1860sets inquiry.exe 3 2->9         started        13 uugcswg 3 2->13         started        15 regsvr32.exe 2->15         started        process3 file4 60 C:\Users\user\...\1860sets inquiry.exe.log, ASCII 9->60 dropped 92 Injects a PE file into a foreign processes 9->92 17 1860sets inquiry.exe 1 9->17         started        94 Multi AV Scanner detection for dropped file 13->94 96 Machine Learning detection for dropped file 13->96 20 uugcswg 1 13->20         started        98 Creates processes via WMI 15->98 signatures5 process6 file7 68 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->68 70 Renames NTDLL to bypass HIPS 17->70 72 Maps a DLL or memory area into another process 17->72 23 explorer.exe 4 17->23 injected 54 C:\Users\user\AppData\Local\Temp\65B3.tmp, PE32 20->54 dropped 74 Checks if the current machine is a virtual machine (disk enumeration) 20->74 signatures8 process9 dnsIp10 64 emona66.com.kz 176.119.1.100, 49751, 80 WS171-ASRU Ukraine 23->64 66 www.msftncsi.com 23->66 56 C:\Users\user\AppData\Roaming\uugcswg, PE32 23->56 dropped 58 C:\Users\user\...\uugcswg:Zone.Identifier, ASCII 23->58 dropped 84 Benign windows process drops PE files 23->84 86 Injects code into the Windows Explorer (explorer.exe) 23->86 88 Writes to foreign memory regions 23->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->90 28 explorer.exe 23->28         started        31 explorer.exe 23->31         started        33 explorer.exe 12 23->33         started        35 explorer.exe 23->35         started        file11 signatures12 process13 dnsIp14 100 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->100 102 Hijacks the control flow in another process 28->102 104 Changes memory attributes in foreign processes to executable or writable 28->104 38 sGKuGEkZQfeXKXVDiPVJBiSl.exe 28->38 injected 40 sGKuGEkZQfeXKXVDiPVJBiSl.exe 28->40 injected 42 sGKuGEkZQfeXKXVDiPVJBiSl.exe 28->42 injected 50 8 other processes 28->50 106 Writes to foreign memory regions 31->106 108 Maps a DLL or memory area into another process 31->108 110 Creates a thread in another existing process (thread injection) 31->110 44 sihost.exe 31->44 injected 46 taskhostw.exe 31->46 injected 48 ctfmon.exe 31->48 injected 52 2 other processes 31->52 112 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->112 114 Tries to steal Mail credentials (via file access) 33->114 116 Tries to harvest and steal browser information (history, passwords, etc) 33->116 62 192.168.2.1 unknown unknown 35->62 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4ce84d44b0a1fc50208163e1922cce8671210aa3a0528b8a061ec2bfbf5a5f3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 01:17:27 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wthijvclbip4kaqicy7bsiwm5btreefkhicsrofamhwcx67vuxzq._file
Verdict:
malicious
Similar samples:
082433d5a03c1b8d3afcddfd4dade5d0d14366ad0d1e8d04c2f70fb40558b9cf
Smoke Loader
28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199
Smoke Loader
4e9725c1d27ec7cf15d2b159b703764c59ee647a76060e937fbfca3a73ecf889
Smoke Loader
6ed38f127b3a25cff62c0855aeba85a7134a400b1dd4ef06412c2a96729b9991
Smoke Loader
76021aea3ce29a8755d97b4c13d16a7bcb9eb0bd6e1a2d1df62ffeb8fb9397cd
Smoke Loader
92be89b620f61dba7a3c69c6e597787a02b9b8f7e0de333c589ce5048cbd8e6e
Smoke Loader
a7ed52eaed3c431823109509515c36b6bf45aab634606980509950674f018f88
Smoke Loader
b8860da111fd60fd6bcb2d6ffd3f1a62357d1da8888b766726bcf0919ba25e3e
Smoke Loader
e91568f40d148d2bdf04cf14156febbbb0d72e10b876c38d0900e0a66cb8706f
Smoke Loader
febbc268d54ae4612531ceb696c39bd8c0a60ea22d2877751eecce32bd651257
Smoke Loader
+ 26 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor family:smokeloader
Link:
https://tria.ge/reports/201016-z43wlsz98x/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
SmokeLoader
Malware Config
C2 Extraction:
http://emona66.com.kz/nonso/
http://emona667.com.kz/nonso2/
Unpacked files
SH256 hash:
b4ce84d44b0a1fc50208163e1922cce8671210aa3a0528b8a061ec2bfbf5a5f3
MD5 hash:
5e8780ce8aaf0ca3c0ecb0f9f2fba3e1
SHA1 hash:
dc20b9233e3cc51d0d3ad0cdf9357bc362fa262b
Link:
https://www.unpac.me/results/9d36fb72-e8a5-4a38-a65d-0dbfdd94a0a3/
SH256 hash:
7513b92d5a023654acd6d7c1e63da83fe7b264826e88097d7747e20ed6830ac3
MD5 hash:
5de423a94e64419e5bf017d8eba7f1f4
SHA1 hash:
1563849715ed2d7ccb35656e402ec1a8021dcea7
Link:
https://www.unpac.me/results/9d36fb72-e8a5-4a38-a65d-0dbfdd94a0a3/
Parent samples :
79884015c62283faf473df2a8f7d704e9fc96f5efbfea82dce7c8be87ef02455
0f3dc00291dcb787ca5fe22879abdfb5d1113351a79327cd04471ecedf658b46
SH256 hash:
5764f906d101ecda8c8c2bb454eb30f9ca5cadda571cc439b9d92d6629a43543
MD5 hash:
ffcb11deed40b8ca49dcc26fccb66a06
SHA1 hash:
a43e05dcf4c027dc280bce3dc33c44da35b68fd2
Link:
https://www.unpac.me/results/9d36fb72-e8a5-4a38-a65d-0dbfdd94a0a3/
SH256 hash:
90e94b68f6f8b2acc6f4cd2c1796cfee724cb2a12dfeab22d299314a5d872405
MD5 hash:
2da65cf81506d340fb4a821ac25014b7
SHA1 hash:
b307228e8d567ec52c64eeb223f8c5eb626c113d
Link:
https://www.unpac.me/results/9d36fb72-e8a5-4a38-a65d-0dbfdd94a0a3/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/9d36fb72-e8a5-4a38-a65d-0dbfdd94a0a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b4ce84d44b0a1fc50208163e1922cce8671210aa3a0528b8a061ec2bfbf5a5f3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

rar 4c7de78f77dc0e4bc1ed09bc75cd9d721b44e203fc7eb808325424e20a9fc4c7

Smoke Loader

Executable exe b4ce84d44b0a1fc50208163e1922cce8671210aa3a0528b8a061ec2bfbf5a5f3

(this sample)

  
Dropped by
MD5 f5a3e108a2f240925ebbe0754bf3c149
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71927/
  
Dropped by
SHA256 4c7de78f77dc0e4bc1ed09bc75cd9d721b44e203fc7eb808325424e20a9fc4c7

Comments