MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b679711aacd061c530ee542da3c47e3757034a339d3537430df7397e2756344f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	b679711aacd061c530ee542da3c47e3757034a339d3537430df7397e2756344f
SHA3-384 hash:	56269736521d657bbd22b7d49ba940b9d308774cbfe1d4df365f971c26e1f99c2192d94840fddabe42d2267f75173e1d
SHA1 hash:	fc4997514cadb9a9d643ce82b2cac2b80e0c33df
MD5 hash:	83aecff4c15b6c518726a12fa77f2166
humanhash:	london-michigan-washington-quiet
File name:	16259917.xlsx.com
Download:	download sample
Signature	Smoke Loader Create hunting rule
File size:	664'064 bytes
First seen:	2020-12-17 01:17:36 UTC
Last seen:	2020-12-17 02:34:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	68f22fd8df6610ed3fc28b9e506b0cd3 (1 x Smoke Loader)
ssdeep	12288:4tk3V5ExYEn2Hpt9nVT7U98TJeYyfuSXj:4tYgYMkjVIqTMLWST
Threatray	102 similar samples on MalwareBazaar
TLSH	ACE47414E184E019C015EDF6C60E63F3F517EE222C0B6D6E19CAAA19A4FBCF17A57970
Reporter	Anonymous
Tags:	Smoke Loader

Intelligence

File Origin

# of uploads :

2

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

16259917.xlsx.com

Verdict:

No threats detected

Analysis date:

2020-12-17 01:11:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7b63cfa9-eeb0-477c-b3bd-bd25760b2833

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.5961.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/564890

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b679711aacd061c530ee542da3c47e3757034a339d3537430df7397e2756344f/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wz4xcgvm2bq4kmhokqw2hrd6g5lqgsrttu2toqyn644x4j2wgrhq._file

Verdict:

malicious

Similar samples:

038db8698b6bf0a2b258c072ef1e9fe90e1b846c386631085da6daf730bbef88

4b1f2c18b149fd0e878c362ffba50bb553d7bea93a795b33e398d032dc0b7663

91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f

939b640dab052ec6a08e17075397aa34abb4d4943768628a767f93d9f7d973f8

a9d54a962d46e4a2d40da284aa8b3a25a3b4e93b7c388890cd38b838a1a65433

ab7d156971b4c71bd112c92043ac2fcace480d0032f6303beda28fb2a5001b3d

b566ebf0eb9ddf87b1392a660af7b1826e80427ec8352cdcc29e49d226f13184

ba1b8c4a78257830c7fa8528e9788af055d62d3605de94e7c433260ebdd9a286

d95b7c505dbb3905f88c71bb1efedfe716a0d65862a622eb932f3d774a07a740

dc0715adb07b65af47d660aa7582f9ecdfc770606f1a852fe1aa7a643bba7543

+ 92 additional samples on MalwareBazaar

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader backdoor spyware trojan

Link:

https://tria.ge/reports/201217-cqn7b3gkq2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Program crash

Deletes itself

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://thirdgearback.net/

Unpacked files

SH256 hash:

b679711aacd061c530ee542da3c47e3757034a339d3537430df7397e2756344f

MD5 hash:

83aecff4c15b6c518726a12fa77f2166

SHA1 hash:

fc4997514cadb9a9d643ce82b2cac2b80e0c33df

Link:

https://www.unpac.me/results/5321024f-af59-4db9-8389-d95935d543c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b679711aacd061c530ee542da3c47e3757034a339d3537430df7397e2756344f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample