MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c161bd7b9f5628752b0533e63eb86d01c32ef55e2cc52e7763273c51e5ed651e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader
Vendor detections: 12

SHA256 hash: c161bd7b9f5628752b0533e63eb86d01c32ef55e2cc52e7763273c51e5ed651e
SHA3-384 hash: dc3e63e6028a07c0c98dff8b9525289131fd41399e38e9e7c4f54fc324d4acca54edaae267087e1c9874e9ae1589ce6b
SHA1 hash: 5db5680d8b8004b0a945f5419764f2205e0cbbf0
MD5 hash: a890375b9eba7a6793441b190eab19cb
humanhash: west-bakerloo-winner-harry
File name: PO#206923312 BIG ORDER_PDF.scr.exe
Signature: Smoke Loader
File size: 626'688 bytes
First seen: 2021-03-26 13:13:27 UTC
Last seen: 2021-03-26 14:34:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c7e488c28577ff724a15664ae7cd0678 (1 x Smoke Loader)
ssdeep: 12288:5W9MrbXMN0TRpIbmasUwwLu4Egszh2yzXVOHyHNzyR0:5WqrbXMNCRpIyasUwwLuDFFBFtz
Threatray: 866 similar samples on MalwareBazaar
TLSH: FBD4CE112B7D8D77D25254B44EA26D7AA8F4D1B01B2F8993F3E29D1E9539EE03236303
Reporter: James_inthe_box
Tags: exe Smoke Loader

Intelligence

File Origin
# of uploads: 2
# of downloads: 126
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO#206923312 BIG ORDER_PDF.scr.exe
Verdict: Suspicious activity
Analysis date: 2021-03-26 13:14:47 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
DNS request
Creating a process from a recently created file
Launching a process
Deleting a recently created file
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a recently created process
Connection attempt to an infection source
Stealing user critical data
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Unauthorized injection to a browser process
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Osiris AveMaria SmokeLoader
Detection: malicious
Classification: phis.bank.troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Detected Osiris Trojan
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected SmokeLoader
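The signature list above is what a sandbox reports after the fact. On a live host the same behaviours surface as endpoint telemetry, so the added example below (written for this page, not MalwareBazaar's, ANY.RUN's, Joe Sandbox's or Triage's code) runs a small stateful rule set over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 8 CreateRemoteThread) that mirror the behaviour graph: injection into explorer.exe and sihost.exe, the injected explorer.exe talking to the network and spawning a dropped PE from Temp, Winx.exe connecting out on port 1024, and a Defender exclusion being added through powershell.exe. The exact Add-MpPreference command line is an assumption; the reports only say a directory exclusion was added and that powershell.exe was started.

```python
"""Host-side triage of the behaviours the sandboxes report for this sample.

Added example for this page; not any vendor's code. The events below are
constructed Sysmon-style records, not a real capture.
"""
import re
from typing import Dict, List

# Windows binaries the behaviour graph shows being injected into and then
# acting on the malware's behalf.
SYSTEM_IMAGES = {"explorer.exe", "sihost.exe", "taskhostw.exe"}
# Locations the dropped PE files were written to (AppData, ProgramData, Temp).
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)
# Assumed command-line shape behind "Adds a directory exclusion to Windows Defender".
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict]) -> List[Dict]:
    """Run the rules over an ordered event stream, remembering which system
    processes have already received a remote thread."""
    injected = set()
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        labels = []
        if eid == 8:  # CreateRemoteThread
            target = _base(ev.get("TargetImage", ""))
            if target in SYSTEM_IMAGES:
                labels.append("remote_thread_into_system_process")
                injected.add(target)
            if USER_WRITABLE.search(ev.get("SourceImage", "")):
                labels.append("remote_thread_from_user_writable_image")
        elif eid == 3:  # network connection
            if _base(image) in injected:
                labels.append("injected_system_process_network")
            elif _base(image) in SYSTEM_IMAGES:
                labels.append("system_process_network")
            if USER_WRITABLE.search(image) and ev.get("DestinationPort") not in (80, 443):
                labels.append("dropped_pe_nonstandard_port")
        elif eid == 1:  # process creation
            parent = ev.get("ParentImage", "")
            if _base(parent) in injected and USER_WRITABLE.search(image):
                labels.append("injected_process_spawns_dropped_pe")
            if _base(image) in ("powershell.exe", "pwsh.exe") and \
                    DEFENDER_EXCLUSION.search(ev.get("CommandLine", "")):
                labels.append("defender_exclusion_added")
        if labels:
            findings.append({"index": i, "image": image or ev.get("SourceImage", ""),
                             "labels": labels})
    return findings


def verdict(events: List[Dict], threshold: int = 3) -> Dict:
    """Count distinct behaviours; three or more independent ones is treated as malicious."""
    labels = {l for f in triage(events) for l in f["labels"]}
    return {"distinct_behaviours": len(labels), "malicious": len(labels) >= threshold,
            "labels": sorted(labels)}


# Constructed events that mirror the behaviour graph above (not a real Sysmon capture).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Downloads\PO#206923312 BIG ORDER_PDF.scr.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Downloads\PO#206923312 BIG ORDER_PDF.scr.exe"'},
    {"EventID": 8, "SourceImage": r"C:\Users\user\Downloads\PO#206923312 BIG ORDER_PDF.scr.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "176.119.1.100", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\66B0.tmp.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "66B0.tmp.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ProgramData\Winx.exe",
     "CommandLine": r'powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"'},
    {"EventID": 3, "Image": r"C:\ProgramData\Winx.exe",
     "DestinationIp": "194.5.97.40", "DestinationPort": 1024},
    {"EventID": 8, "SourceImage": r"C:\ProgramData\Winx.exe",
     "TargetImage": r"C:\Windows\System32\sihost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",  # benign control
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["index"], f["image"], ", ".join(f["labels"]))
    print(verdict(EVENTS))
```

Order matters: explorer.exe connecting out is only labelled as an injected process because the CreateRemoteThread event targeting it was seen first, which is the same reasoning Joe Sandbox applies in "System process connects to network (likely due to code injection or exploit)".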
Behaviour
Behavior Graph (ID 376421; sample PO#206923312 BIG ORDER_PDF.scr.exe; start date 26/03/2021; architecture WINDOWS; score 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 9 other signatures.

Process tree and per-node findings, as recovered from the graph:

PO#206923312 BIG ORDER_PDF.scr.exe (started)
  Maps a DLL or memory area into another process
  -> PO#206923312 BIG ORDER_PDF.scr.exe (child instance, started)
       Maps a DLL or memory area into another process
       Checks if the current machine is a virtual machine (disk enumeration)
       -> explorer.exe (injected)
            Network: mynah505.com.kz (176.119.1.100, ports 49736, 49737, 49739; WS171-ASRU, Ukraine); www.msftncsi.com
            Dropped: C:\Users\user\AppData\...\ibbvfwrc.exe (PE32); C:\Users\user\AppData\Local\...\66B0.tmp.exe (PE32); C:\Users\...\ibbvfwrc.exe:Zone.Identifier (ASCII)
            System process connects to network (likely due to code injection or exploit)
            Benign windows process drops PE files
            Injects code into the Windows Explorer (explorer.exe)
            2 other signatures
            -> 66B0.tmp.exe (started)
                 Multi AV Scanner detection for dropped file
                 Detected Osiris Trojan
                 Machine Learning detection for dropped file
                 Adds a directory exclusion to Windows Defender
                 -> 66B0.tmp.exe (child instance, started)
                      Dropped: C:\ProgramData\Winx.exe (PE32)
                      Adds a directory exclusion to Windows Defender
                      Increases the number of concurrent connection per server for Internet Explorer
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      -> Winx.exe (started)
                           Multi AV Scanner detection for dropped file
                           Detected Osiris Trojan
                           Machine Learning detection for dropped file
                           Adds a directory exclusion to Windows Defender
                           -> Winx.exe (child instance, started)
                                Network: 194.5.97.40 (ports 1024, 49740, 49741; DANILENKODE, Netherlands)
                                Writes to foreign memory regions
                                Allocates memory in foreign processes
                                Adds a directory exclusion to Windows Defender
                                Creates a thread in another existing process (thread injection)
                                -> powershell.exe (started)
                      -> powershell.exe (started)
                           -> conhost.exe (started)
            -> explorer.exe (started)
                 Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                 Hijacks the control flow in another process
                 Changes memory attributes in foreign processes to executable or writable
                 -> PdLLeZCvHM.exe (injected, three instances); 2 other processes
            -> explorer.exe (started)
                 Writes to foreign memory regions
                 Maps a DLL or memory area into another process
                 Creates a thread in another existing process (thread injection)
                 -> sihost.exe (injected); taskhostw.exe (injected); 2 other processes
            -> 10 other processes
                 Dropped: C:\Users\user\AppData\Local\...\Liebert.bmp (PE32)
                 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                 Tries to steal Mail credentials (via file access)
                 Tries to harvest and steal browser information (history, passwords, etc)
                 -> Legit Program.exe (started)

ibbvfwrc.exe (started from the root node; same name as the file dropped under AppData above)
  Multi AV Scanner detection for dropped file
  Machine Learning detection for dropped file
Threat name: Win32.Backdoor.Mokes
Status: Malicious
First seen: 2021-03-26 02:26:57 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 19 of 29 (65.52%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
SmokeLoader
Malware Config
C2 Extraction:
http://mynah505.com.kz/mynah/
http://mynah506.com.kz/mynah/
Unpacked files
SHA256 hash: 4186a377c54e6a8bfd299a497c5de1f71e440f216cab566c4da4056e04b0f428
MD5 hash: 234c30ec6f6694306587b4e4415930c7
SHA1 hash: 20d4acafff136169a48e45eb625d1656204e86db
Detections: win_smokeloader_auto
SHA256 hash: c161bd7b9f5628752b0533e63eb86d01c32ef55e2cc52e7763273c51e5ed651e
MD5 hash: a890375b9eba7a6793441b190eab19cb
SHA1 hash: 5db5680d8b8004b0a945f5419764f2205e0cbbf0
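The extracted config and the hashes above are the indicators a responder actually sweeps with. The added example below (written for this page, not MalwareBazaar's own tooling) collects them into one script: the six digests of the submitted file and the unpacked SmokeLoader payload, the two C2 URLs, and the two addresses the sandbox saw contacted (176.119.1.100 for the SmokeLoader C2, 194.5.97.40 for the Winx.exe second stage). It then hashes file contents against that set and flags proxy log lines that hit a C2 host, a C2 address, or a POST to the configured /mynah/ path. The proxy log lines and their format are constructed for the demo; www.msftncsi.com is left out on purpose because it is Windows' own connectivity probe.

```python
"""Sweep for the indicators this entry publishes.

Added example for this page, not MalwareBazaar's tooling. Indicator values are
copied from the entry; the proxy log below is constructed (documentation-range
IPs for the non-C2 destinations).
"""
import hashlib
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hashes from the page: the submitted file and the unpacked SmokeLoader payload.
KNOWN_BAD_DIGESTS = {
    "c161bd7b9f5628752b0533e63eb86d01c32ef55e2cc52e7763273c51e5ed651e",  # submitted, SHA256
    "5db5680d8b8004b0a945f5419764f2205e0cbbf0",                          # submitted, SHA1
    "a890375b9eba7a6793441b190eab19cb",                                  # submitted, MD5
    "4186a377c54e6a8bfd299a497c5de1f71e440f216cab566c4da4056e04b0f428",  # unpacked, SHA256
    "20d4acafff136169a48e45eb625d1656204e86db",                          # unpacked, SHA1
    "234c30ec6f6694306587b4e4415930c7",                                  # unpacked, MD5
}
# C2 URLs from the extracted config, plus the two destinations in the behaviour graph.
C2_URLS = ("http://mynah505.com.kz/mynah/", "http://mynah506.com.kz/mynah/")
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}
C2_PATH_PREFIX = "/mynah/"
C2_IPS = {"176.119.1.100", "194.5.97.40"}
# www.msftncsi.com also appears in the graph but is Windows' connectivity probe,
# so it is deliberately not an indicator.


def digest_known(hexdigest: str) -> bool:
    """Look up a SHA256/SHA1/MD5 hex digest (any case) against the page's hashes."""
    return hexdigest.strip().lower() in KNOWN_BAD_DIGESTS


def digest_hits(data: bytes) -> List[str]:
    """Hash file contents with all three algorithms and report which ones match."""
    return [algo for algo in ("sha256", "sha1", "md5")
            if hashlib.new(algo, data).hexdigest() in KNOWN_BAD_DIGESTS]


def _host_of(url: str) -> Optional[str]:
    # Absolute URLs for GET/POST; bare host:port for CONNECT tunnels.
    if "://" in url:
        return urlparse(url).hostname
    return url.rsplit(":", 1)[0] or None


def scan_proxy_log(lines) -> List[Dict]:
    """Flag lines touching the C2 hosts, addresses or the SmokeLoader check-in path.

    Constructed line format: <ts> <src_ip> <dst_ip> <method> <url> <status> <bytes>
    """
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, src, dst, method, url = fields[:5]
        host = _host_of(url)
        path = urlparse(url).path if "://" in url else ""
        reasons = []
        if host in C2_HOSTS:
            reasons.append(f"C2 host {host}")
        if dst in C2_IPS:
            reasons.append(f"C2 address {dst}")
        elif host in C2_IPS:
            reasons.append(f"C2 address {host}")
        # SmokeLoader beacons with HTTP POST to the configured path (the ANY.RUN
        # report lists "Sending an HTTP POST request to an infection source").
        if host in C2_HOSTS and method == "POST" and path.startswith(C2_PATH_PREFIX):
            reasons.append("SmokeLoader check-in (POST to C2 path)")
        if reasons:
            findings.append({"ts": ts, "src": src, "url": url, "reasons": reasons})
    return findings


# Constructed proxy log for the demo; only the C2 host names and addresses are real IOCs.
PROXY_LOG = """\
2021-03-26T13:15:02Z 10.0.0.17 176.119.1.100 POST http://mynah505.com.kz/mynah/ 200 412
2021-03-26T13:15:03Z 10.0.0.17 203.0.113.10 GET http://www.msftncsi.com/ncsi.txt 200 14
2021-03-26T13:15:09Z 10.0.0.42 203.0.113.20 GET http://example.com/index.html 200 1256
2021-03-26T13:16:11Z 10.0.0.17 198.51.100.7 POST http://mynah506.com.kz/mynah/ 200 398
2021-03-26T13:16:40Z 10.0.0.17 194.5.97.40 CONNECT 194.5.97.40:1024 200 0
"""

if __name__ == "__main__":
    for f in scan_proxy_log(PROXY_LOG.splitlines()):
        print(f["ts"], f["src"], f["url"], "->", "; ".join(f["reasons"]))
```

Host names are matched independently of addresses so that the second C2 (mynah506.com.kz, which the sandbox never resolved) is still caught, and the CONNECT form is handled because the Winx.exe traffic to port 1024 would not appear as an absolute URL.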

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other