MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780
SHA3-384 hash: 7ca179715626c56a7dd742edf80e7607fa570b0e4157a5fd4a30f18482bb3e35d801cd4ab507072b97b09dc934582ad4
SHA1 hash: f2d8aa9d3ff81ba8853bbbc43af2bbb052371138
MD5 hash: 22f0838b7f38ff8eac2e40208acb640c
humanhash: pip-stream-magazine-glucose
File name:PSI-00577.jpg
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:218'624 bytes
First seen:2020-10-05 06:42:23 UTC
Last seen:2020-10-05 07:40:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:7XTcH1fu9uKdgSZvy4raeXjuMkqryNPs0tnopZ:7D4fqRBdy4r3XyMb6U0tna
Threatray 54 similar samples on MalwareBazaar
TLSH AE24AD20F0878899CDA647FB764384F8E0BA8585FA452E5DA2CCB7345D0FB6D176E036
Reporter GovCERT_CH
Tags:Smoke Loader SmokeLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68051/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481032
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 292956 Sample: PSI-00577.jpg Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 8 PSI-00577.exe 9 2->8         started        12 pcalua.exe 1 2->12         started        14 pcalua.exe 1 1 2->14         started        process3 file4 32 C:\Users\user\oigns.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 8->34 dropped 36 C:\Users\user\oigns.exe:Zone.Identifier, ASCII 8->36 dropped 38 2 other files (1 malicious) 8->38 dropped 62 Drops PE files to the user root directory 8->62 64 Tries to detect virtualization through RDTSC time measurements 8->64 16 oigns.exe 2 8->16         started        19 cmd.exe 1 8->19         started        21 oigns.exe 3 12->21         started        signatures5 process6 signatures7 40 Writes to foreign memory regions 16->40 42 Allocates memory in foreign processes 16->42 44 Injects a PE file into a foreign processes 16->44 23 AddInProcess32.exe 16->23         started        26 reg.exe 1 1 19->26         started        28 conhost.exe 19->28         started        46 Machine Learning detection for dropped file 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 process8 signatures9 58 Maps a DLL or memory area into another process 23->58 30 explorer.exe 23->30 injected 60 Creates an autostart registry key pointing to binary in C:\Windows 26->60 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780/
Threat name:
ByteCode-MSIL.Trojan.Propagate
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 06:44:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ygbqxka2obzvoay7zds427htuyedymhtgzu74kkzbtddsfanm6aa._file
Verdict:
malicious
Similar samples:
0c3ffcd5a7623471ea4ebd0df78300568f641bba314b956f5837c2b829c87334
Smoke Loader
295603848fbebb33aede1859cfab94c0326c86ddabee364984048ed2598d5495
Smoke Loader
3afe4dd1466eb99bc7ab905a2363173dc043f9060982c49b6f5da73293f7d6ed
Smoke Loader
50871371de6754f17507213f50bd7748814f8a99899599f835701c5a772c89c7
Smoke Loader
65c86813da2eb5bfc495e538fa4e77f8c3a3c03418e655ac8262bc0aa42281ba
Smoke Loader
693626ad4ce750ecb027980dfb505ca69872923702dfe564e0adcb651e8c60d9
Smoke Loader
849af25a67d831b8e5d90cc6e4b51014a3a4d9f474f7363865cbd98c4dc0ea5a
Smoke Loader
b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35
Smoke Loader
b9b9457414995a44d73a5f9e4f2e4487adb8334fac4acc3ea1b529a5a648cbe4
Smoke Loader
cb663a4fa79cb0fcb52c3049b65b1a012c45e72badc13c931fc2c72a8a94dcca
Smoke Loader
+ 44 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan backdoor family:smokeloader
Link:
https://tria.ge/reports/201005-jm24n57ncj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Loads dropped DLL
Executes dropped EXE
SmokeLoader
Malware Config
C2 Extraction:
http://magichankey.com/1/
Unpacked files
SH256 hash:
c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780
MD5 hash:
22f0838b7f38ff8eac2e40208acb640c
SHA1 hash:
f2d8aa9d3ff81ba8853bbbc43af2bbb052371138
Link:
https://www.unpac.me/results/02be73cb-09bb-47d0-bb97-6c44fe48faac/
SH256 hash:
86d2b4ce556a90b585ffdddc1a7030b6c5ba2174022efb725285c67e55b2143f
MD5 hash:
dc2a49caea68a5ac73767610c52cc41f
SHA1 hash:
723aba56264f1eeefe0fc77cc1eb5efcc1728721
Detections:
win_smokeloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/02be73cb-09bb-47d0-bb97-6c44fe48faac/
SH256 hash:
6588cb59743ca04e6fb14256ed375908c9a74840b37df3eaa4d9e520f747e430
MD5 hash:
36bf02bda20d358a18f7ac65b7d7ac6c
SHA1 hash:
a08c8bb774773bd957adaf80ee544e53cc43679d
Link:
https://www.unpac.me/results/02be73cb-09bb-47d0-bb97-6c44fe48faac/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/02be73cb-09bb-47d0-bb97-6c44fe48faac/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
6d9942150310015d8d001176b29de14016ffae1e76a5b0753f4001bbaf5d8da6
MD5 hash:
76b8215a05f81f799102666798bc1210
SHA1 hash:
67110679f54386449f2902be1a67dea72f5d6890
Link:
https://www.unpac.me/results/02be73cb-09bb-47d0-bb97-6c44fe48faac/
SH256 hash:
cd4b26ebbbf804cbbfeb05d36f596f8542ce9e5639e751ee8d56141e201786e6
MD5 hash:
f90b9aa8c01ca0678b3ebc8d3ba07025
SHA1 hash:
995f6bb060dabcaf6a36cb9d7eff8bcddaa08903
Detections:
win_smokeloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/02be73cb-09bb-47d0-bb97-6c44fe48faac/
SH256 hash:
1466262571a11d867cd9a225792511d9837fb55f6b0bf5cd6eeac4708ebd2995
MD5 hash:
a3cb7bb37783e5c7a9b21b892e649d37
SHA1 hash:
cdef1be8d53f57454428d26c8d233ddbf60cf673
Detections:
win_smokeloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/02be73cb-09bb-47d0-bb97-6c44fe48faac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Smoke Loader

Excel file xls eac82994777b64301341675612fcacac8f08af9d468014c8de9f15aa3c784b42

Smoke Loader

Executable exe c1830ba81a707357031fc8e5cd7cf3a6083c30f33669fe29590cc639140d6780

(this sample)

  
Dropped by
MD5 4f4b085463f4a8885497de8cbcc2aceb
  
Dropped by
SmokeLoader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68051/
  
Dropped by
SHA256 eac82994777b64301341675612fcacac8f08af9d468014c8de9f15aa3c784b42

Comments