MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c56be7c521d0f14e957932b89fc10c89ed377a1a7f05acc8d0b0b522b21e588c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c56be7c521d0f14e957932b89fc10c89ed377a1a7f05acc8d0b0b522b21e588c
SHA3-384 hash: a8166862c03423f86723603072eed8da5cabd94dc378920ec3c2c103aefa76f3146bdce980029da5678853362cafdc41
SHA1 hash: fd51c9c19f4f7678988a0d2b6874f4c70d4431c2
MD5 hash: 7bddc3e950345441b4fb47353567e3ca
humanhash: seven-rugby-one-mobile
File name:http___mbologwuholing.co.ug_D1_jpg01.exe
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:764'717 bytes
First seen:2021-11-10 10:38:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 12288:xY20AljdZgBPfKf2yQxAogJfqsUsz0cX0N2Y7xeNlWHa8zo2b59Esdi5:m20gPgFKuyQxAVBbIcXm8lN8Rfi5
Threatray 5'950 similar samples on MalwareBazaar
TLSH T156F4F10226E18271D85378F68CF5D160DA787C2016618FCAAB7977195B30E97CD2AB3F
File icon (PE):PE icon
dhash icon 59cae0e36767e233 (8 x DarkComet, 1 x Smoke Loader)
Reporter Racco42
Tags:exe Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204685/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.1502.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/618ba14a175442ca93aa7f9d/reports/9edc2795-ec15-4b11-8c0a-9f955da641a9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/010dfff2-d8e4-488d-a23f-bc06c8c725fe
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886632
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 519105 Sample: http___mbologwuholing.co.ug... Startdate: 10/11/2021 Architecture: WINDOWS Score: 100 89 Multi AV Scanner detection for domain / URL 2->89 91 Found malware configuration 2->91 93 Yara detected SmokeLoader 2->93 95 4 other signatures 2->95 14 http___mbologwuholing.co.ug_D1_jpg01.exe 3 12 2->14         started        18 rweujcs 2->18         started        process3 file4 71 C:\Users\user\AppData\Roaming\...\rider.com, PE32 14->71 dropped 73 C:\Users\user\AppData\Roaming\...\png.vbs, ASCII 14->73 dropped 133 Drops PE files with a suspicious file extension 14->133 20 wscript.exe 1 14->20         started        135 Injects a PE file into a foreign processes 18->135 22 rweujcs 18->22         started        signatures5 process6 signatures7 25 cmd.exe 2 20->25         started        99 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->99 101 Maps a DLL or memory area into another process 22->101 103 Checks if the current machine is a virtual machine (disk enumeration) 22->103 105 Creates a thread in another existing process (thread injection) 22->105 process8 signatures9 121 Uses cmd line tools excessively to alter registry or file data 25->121 28 wscript.exe 1 25->28         started        30 rider.com 5 25->30         started        33 conhost.exe 25->33         started        35 3 other processes 25->35 process10 file11 37 cmd.exe 1 28->37         started        75 C:\Users\user\AppData\...\kollx32h.exe, PE32 30->75 dropped process12 signatures13 97 Uses cmd line tools excessively to alter registry or file data 37->97 40 kollx32h.exe 37->40         started        43 taskkill.exe 1 37->43         started        45 taskkill.exe 1 37->45         started        47 5 other processes 37->47 process14 signatures15 115 Detected unpacking (changes PE section rights) 40->115 117 Contains functionality to inject code into remote processes 40->117 119 Injects a PE file into a foreign processes 40->119 49 kollx32h.exe 40->49         started        process16 signatures17 81 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 49->81 83 Maps a DLL or memory area into another process 49->83 85 Checks if the current machine is a virtual machine (disk enumeration) 49->85 87 Creates a thread in another existing process (thread injection) 49->87 52 explorer.exe 2 49->52 injected process18 dnsIp19 77 mbologwuholing.co.ug 195.133.10.184, 443, 49756, 49757 FLEX-ASRU Russian Federation 52->77 69 C:\Users\user\AppData\Roaming\rweujcs, PE32 52->69 dropped 107 Benign windows process drops PE files 52->107 109 Injects code into the Windows Explorer (explorer.exe) 52->109 111 Writes to foreign memory regions 52->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 52->113 57 explorer.exe 52->57         started        61 explorer.exe 52->61         started        63 explorer.exe 52->63         started        65 6 other processes 52->65 file20 signatures21 process22 dnsIp23 79 mbologwuholing.co.ug 57->79 123 System process connects to network (likely due to code injection or exploit) 57->123 125 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 57->125 127 Tries to steal Mail credentials (via file / registry access) 57->127 131 2 other signatures 57->131 129 Tries to harvest and steal browser information (history, passwords, etc) 61->129 67 WerFault.exe 63->67         started        signatures24 process25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c56be7c521d0f14e957932b89fc10c89ed377a1a7f05acc8d0b0b522b21e588c/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 10:39:08 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yvv6prjb2dyu5flzgk4j7qimrhwto6q2p4c2zsgqwc2sfmq6lcga._file
Verdict:
malicious
Similar samples:
1a78aaf6aae3b9d9a32dc6c8cfe9182043f71a3d44e727464ab95a70fc24bbe8
Smoke Loader
1d1dbabc1c905c7153847c6bb5b88905942d414c4dbf39e3784dc9a62e1120db
Smoke Loader
201f2b8cd0d15399da2d0b98ff9b7d50d515deeea3f9435062b4b0a4548b0082
Smoke Loader
68e731d3431bc9223c2ff57b2d319194c4a6b8027e15c75f16b841bc78499172
Smoke Loader
7f40d0fe270f72aec76ec5348630f3b354ea4dd010d60edcdd865693824981de
Smoke Loader
82c5a4103769e5391fee93ead9d6509dd3eb8186f53ce450f14a22b4f82e968c
Smoke Loader
91a949a238f887601af94c9ab7921352102b1edc24aba6e4ab6d726a8c314843
Smoke Loader
a99dfa4b60347edac3d2083c96df817bc3dfdc3c206be400723abb594cdb510b
Smoke Loader
ad5592929818b5ee09b99dddb8a652d84621e0b70efe51c2f2b6ca54aeaa3713
Smoke Loader
e1cbebc0c9a675ca172e7de1908991f7b0bd0866c1bea9404ae10bc201de0fe6
Smoke Loader
+ 5'940 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor collection evasion trojan
Link:
https://tria.ge/reports/211110-mpy86sggd3/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Executes dropped EXE
Sets file to hidden
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
https://mbologwuholing.co.ug/index.php
http://mbologwuholing.co.ug/index.php
Unpacked files
SH256 hash:
c1522e7c30f417b6a56220b23fad15bf93521204e8b71e005cd06e11ac62f919
MD5 hash:
c8931c6643ef3e4945863ace3b57ec4d
SHA1 hash:
de97f6a7f50bb9aedd138b96da0fa0cb586101df
Link:
https://www.unpac.me/results/6b2af873-0e0f-4564-8048-b9a6128d9459/
SH256 hash:
f5de84550f19ef114ac864aa8116b0ae2b3bbbe5f21da62a66494fa032ae0709
MD5 hash:
75701a9126b49b4bb14d32429d4b6e66
SHA1 hash:
07b36f73d1c664babab0f407e2edfb8885ed62e1
Link:
https://www.unpac.me/results/6b2af873-0e0f-4564-8048-b9a6128d9459/
SH256 hash:
d91fcb8e2f163272c54d3c5816617818d5e13f6c6d9c76fbf6376e41a2786f09
MD5 hash:
4be8c26b455b7bebbfee8aa62a131aef
SHA1 hash:
d256880f3d95029d12f2c606391426eb7ce3601d
Link:
https://www.unpac.me/results/6b2af873-0e0f-4564-8048-b9a6128d9459/
SH256 hash:
c56be7c521d0f14e957932b89fc10c89ed377a1a7f05acc8d0b0b522b21e588c
MD5 hash:
7bddc3e950345441b4fb47353567e3ca
SHA1 hash:
fd51c9c19f4f7678988a0d2b6874f4c70d4431c2
Link:
https://www.unpac.me/results/6b2af873-0e0f-4564-8048-b9a6128d9459/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c56be7c521d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c56be7c521d0f14e957932b89fc10c89ed377a1a7f05acc8d0b0b522b21e588c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/204685/

Comments