MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184
SHA3-384 hash: a0338afeed87a88efb59944bf5be74b1a8000a5f7b89aa5f2571ce94cd66fe756156891f90f6c138f2c05bd8361fdae1
SHA1 hash: 0d6ac2be03885921e5fe4f80e6ef53fa5dc76ec4
MD5 hash: 10eeaeacec5f9c6b88204eef6aa06f6c
humanhash: undress-artist-three-orange
File name:amaoke.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:208'384 bytes
First seen:2020-10-13 07:52:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a0823c52899fa8303c93b8e09d9e74e (1 x Smoke Loader)
ssdeep 3072:DksWfpRlXsZk+5vIyWH5w7WGnYcrku5LuVdgsqHMjKcewoEFX5xvcWXzFvJs4Kxz:wfu9K5SAzFrMuM1A73yEEe
Threatray 27 similar samples on MalwareBazaar
TLSH 9D14F60AAC87D381F845D57EB3EBB1580907EE285335E94662F72B84A6334207769C3F
Reporter abuse_ch
Tags:exe Smoke Loader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: [143.110.186.144]
Sending IP: 143.110.186.144
From: tinas@bernal-led.com
Reply-To: asia107@gmx.com
Subject: RE: Order error
Attachment: amaoke.iso (contains "amaoke.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zeus
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70324/
Detection(s):
SecuriteInfo.com.BScope.TrojanPSW.Spy.5894.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Connection attempt
Sending an HTTP POST request
Launching a process
Searching for the window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Forced shutdown of a browser
Unauthorized injection to a browser process
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489353
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297123 Sample: amaoke.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 49 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected SmokeLoader 2->53 55 2 other signatures 2->55 8 amaoke.exe 5 1 2->8         started        11 jwrfbrr 1 2->11         started        process3 file4 59 Detected unpacking (changes PE section rights) 8->59 61 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->61 63 Renames NTDLL to bypass HIPS 8->63 71 2 other signatures 8->71 14 explorer.exe 3 8->14 injected 31 C:\Users\user\AppData\Local\Temp\44DA.tmp, PE32 11->31 dropped 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Maps a DLL or memory area into another process 11->69 signatures5 process6 dnsIp7 39 thirdgearback.net 8.208.90.102, 49760, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 14->39 33 C:\Users\user\...\jwrfbrr:Zone.Identifier, ASCII 14->33 dropped 35 C:\Users\user\AppData\Roaming\jwrfbrr, MS-DOS 14->35 dropped 41 Benign windows process drops PE files 14->41 43 Injects code into the Windows Explorer (explorer.exe) 14->43 45 Deletes itself after installation 14->45 47 2 other signatures 14->47 19 explorer.exe 14->19         started        22 explorer.exe 14->22         started        24 explorer.exe 14->24         started        26 4 other processes 14->26 file8 signatures9 process10 signatures11 57 Tries to harvest and steal browser information (history, passwords, etc) 19->57 28 WerFault.exe 20 9 22->28         started        process12 dnsIp13 37 192.168.2.1 unknown unknown 28->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184/
Threat name:
Win32.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 04:14:22 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wvtox4hltxpypmjzfjtav55rqjxiaqt6za2szxgctze5ejxrggca._file
Verdict:
suspicious
Similar samples:
1765e5f0ee49b2b6cf4a7361bbaac484f15c6c1d003de02338fffdb615e831d8
Smoke Loader
2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe
Smoke Loader
2ba5b16b9ce46066c1122bad1fc5feb3de0743451c6603b98e3d0ffe6f9cc019
Smoke Loader
95a4cf409c7e7813bfa744598bee2e0e572b2d05ec31622867237ea6dab8a813
Smoke Loader
9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63
Smoke Loader
ab7d156971b4c71bd112c92043ac2fcace480d0032f6303beda28fb2a5001b3d
Smoke Loader
d1c50e90c890f092d4675611d4034a89c102226ca2ec29a46294d22b6f656b78
Smoke Loader
d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
faed8958e332c72282fd257d32a1bbdff45a2859b29ff2d2eb7bcca8812d7478
Smoke Loader
+ 17 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor family:smokeloader spyware
Link:
https://tria.ge/reports/201013-7znbneqw32/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://thirdgearback.net/
Unpacked files
SH256 hash:
b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184
MD5 hash:
10eeaeacec5f9c6b88204eef6aa06f6c
SHA1 hash:
0d6ac2be03885921e5fe4f80e6ef53fa5dc76ec4
Link:
https://www.unpac.me/results/dae65719-113c-4ea5-9622-a82b64100b00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f431bc6724c79f76778e0db811653eab

Smoke Loader

Executable exe b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184

(this sample)

  
Dropped by
MD5 f431bc6724c79f76778e0db811653eab
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70324/

Comments