MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903
SHA3-384 hash: 30e0102190af43c19701ffd55f39708b816bd8b4cf218318a459a4bc33b4cabbd8c1affd9e3053136eb54752f07b9b91
SHA1 hash: 24654e082d4b883efd2cdea6322bc5d8fd6b2d59
MD5 hash: 5958275a4b4972824858be1429c575bb
humanhash: jupiter-single-north-seventeen
File name:Tender RFQ List.scr
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:565'248 bytes
First seen:2021-03-29 06:12:35 UTC
Last seen:2021-03-29 07:11:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fb2ae5a99be77c84c6fec75f9e8242e6 (1 x Smoke Loader)
ssdeep 12288:I7uffVFmmmdGK+vAMsrGhh2cB8S1q7KkRDDu+aff7:guHVFmtGKCUGX2y8S1qdR/DIT
Threatray 116 similar samples on MalwareBazaar
TLSH 0BC44B53018C96A5D23036308092AE3255A7DEB46E3FE847EBB47DDFA13DF856C24A47
Reporter abuse_ch
Tags:Dofoil scr Smoke Loader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: regular1.263xmail.com
Sending IP: 211.150.70.205
From: Sebastine <lan.wang@zeppelin-china.com>
Subject: Re: First Approved Tender List for Quotation
Attachment: Approval Tender List.img (contains "Tender RFQ List.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
432
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Tender RFQ List.scr
Verdict:
Suspicious activity
Analysis date:
2021-03-29 06:19:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d9d987bb-2c10-4c3f-b0c6-535ebb476517

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127456/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.7881.13791.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file in the %temp% directory
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching a process
Deleting a recently created file
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a recently created process
Connection attempt to an infection source
Stealing user critical data
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a browser process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Osiris AveMaria SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656449
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected Osiris Trojan
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Increases the number of concurrent connection per server for Internet Explorer
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377152 Sample: Tender RFQ List.scr Startdate: 29/03/2021 Architecture: WINDOWS Score: 100 79 Multi AV Scanner detection for domain / URL 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for dropped file 2->83 85 8 other signatures 2->85 11 Tender RFQ List.exe 1 2->11         started        14 erceefht.exe 2->14         started        process3 signatures4 135 Maps a DLL or memory area into another process 11->135 16 Tender RFQ List.exe 11->16         started        137 Machine Learning detection for dropped file 14->137 process5 signatures6 75 Maps a DLL or memory area into another process 16->75 77 Checks if the current machine is a virtual machine (disk enumeration) 16->77 19 explorer.exe 3 14 16->19 injected process7 dnsIp8 71 mynah505.com.kz 176.119.1.100, 49711, 49712, 49714 WS171-ASRU Ukraine 19->71 73 www.msftncsi.com 19->73 63 C:\Users\user\AppData\...\erceefht.exe, PE32 19->63 dropped 65 C:\Users\user\AppData\Local\...\7507.tmp.exe, PE32 19->65 dropped 67 C:\Users\...\erceefht.exe:Zone.Identifier, ASCII 19->67 dropped 93 System process connects to network (likely due to code injection or exploit) 19->93 95 Benign windows process drops PE files 19->95 97 Injects code into the Windows Explorer (explorer.exe) 19->97 99 3 other signatures 19->99 24 7507.tmp.exe 2 19->24         started        27 explorer.exe 19->27         started        29 explorer.exe 19->29         started        31 8 other processes 19->31 file9 signatures10 process11 signatures12 109 Multi AV Scanner detection for dropped file 24->109 111 Detected Osiris Trojan 24->111 113 Machine Learning detection for dropped file 24->113 115 Adds a directory exclusion to Windows Defender 24->115 33 7507.tmp.exe 24->33         started        117 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 27->117 119 Hijacks the control flow in another process 27->119 121 Changes memory attributes in foreign processes to executable or writable 27->121 37 pHDVpmnxKiMDWLzudNHOpi.exe 27->37 injected 39 pHDVpmnxKiMDWLzudNHOpi.exe 27->39 injected 41 pHDVpmnxKiMDWLzudNHOpi.exe 27->41 injected 43 pHDVpmnxKiMDWLzudNHOpi.exe 27->43 injected 123 Writes to foreign memory regions 29->123 125 Maps a DLL or memory area into another process 29->125 127 Creates a thread in another existing process (thread injection) 29->127 45 sihost.exe 29->45 injected 47 taskhostw.exe 29->47 injected 49 ctfmon.exe 29->49 injected 51 smartscreen.exe 29->51 injected 129 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->129 131 Tries to steal Mail credentials (via file access) 31->131 133 Tries to harvest and steal browser information (history, passwords, etc) 31->133 process13 file14 61 C:\ProgramData\Winx.exe, PE32 33->61 dropped 87 Adds a directory exclusion to Windows Defender 33->87 89 Increases the number of concurrent connection per server for Internet Explorer 33->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->91 53 Winx.exe 33->53         started        57 powershell.exe 33->57         started        signatures15 process16 file17 69 C:\Users\user\AppData\Local\...\Liebert.bmp, PE32 53->69 dropped 101 Multi AV Scanner detection for dropped file 53->101 103 Detected Osiris Trojan 53->103 105 Machine Learning detection for dropped file 53->105 107 Sample uses process hollowing technique 53->107 59 conhost.exe 57->59         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-03-29 06:13:06 UTC
AV detection:
15 of 48 (31.25%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3sp7z5knwmhwnyqokoolfaapzlqtiba32hpjzgur2vpxzzfbebq._file
Verdict:
malicious
Similar samples:
2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe
Smoke Loader
67b3372fe2d46a20278a8c584d7d831f832e9dfad7bd880dc61f9c97b0590be3
Smoke Loader
6ee7395df98613294d9cf0effd03c5312682dbe2551360b697d8dfe0f8dc9c9a
Smoke Loader
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
Smoke Loader
8f32a2bc4817137939fbd615fbcbab4c93dd0305e9d407ec6de706483c50556e
Smoke Loader
91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f
Smoke Loader
c161bd7b9f5628752b0533e63eb86d01c32ef55e2cc52e7763273c51e5ed651e
Smoke Loader
e237d6e3b44c0bcacf4eff59f58c8028a48c0675f283adc96490ae6daf645bd7
Smoke Loader
e91568f40d148d2bdf04cf14156febbbb0d72e10b876c38d0900e0a66cb8706f
Smoke Loader
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Smoke Loader
+ 106 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/210329-z37y94k69j/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
SmokeLoader
Malware Config
C2 Extraction:
http://mynah505.com.kz/mynah/
http://mynah506.com.kz/mynah/
Unpacked files
SH256 hash:
0c68c2bd6f072532a4a8bae6b4faaf8031f665945b1b9c2c73a2381ea4b7e8c7
MD5 hash:
b05892e351651d7d58d8067938d906e0
SHA1 hash:
239481bae12db7e81e3444deb92d9c16e1839d9b
Detections:
win_smokeloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/9695c6c9-2a38-4015-b421-16c6b29ddc7d/
SH256 hash:
b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903
MD5 hash:
5958275a4b4972824858be1429c575bb
SHA1 hash:
24654e082d4b883efd2cdea6322bc5d8fd6b2d59
Link:
https://www.unpac.me/results/9695c6c9-2a38-4015-b421-16c6b29ddc7d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

img d4b30fa63884e4758e5545848ad0846038885c9b0f55d33f0facae9e7f639a4a

Smoke Loader

Executable exe b6e4ffe7aa6d987b3710729ce594007e5709a020de8ef4e4d48eaafbe7250903

(this sample)

  
Dropped by
MD5 33bc8eeed441d6fbeaae7e348f6fa5ca
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/127456/
  
Dropped by
SHA256 d4b30fa63884e4758e5545848ad0846038885c9b0f55d33f0facae9e7f639a4a

Comments