MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7e4c086f54086b129715c584777c2d920a9443a6ba85d4ea5e6d63b8eeb5b9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 8
Maldoc score: 11

SHA256 hash: e7e4c086f54086b129715c584777c2d920a9443a6ba85d4ea5e6d63b8eeb5b9e
SHA3-384 hash: 5e0793200c6b59e35900b82e9c4536bd5573474a56fc7a2b99b2b78d43454f7f4d2766d6aaf352326a5bb2bd99a14ec3
SHA1 hash: 279b2f7b6ee8c4eb54fd0561fe8c0231f687705e
MD5 hash: 96ea58a72c79c4783c2e5fd307a9babf
humanhash: sink-lemon-coffee-autumn
File name: Report.464129889.doc
Signature: Smoke Loader
File size: 227'651 bytes
First seen: 2020-11-20 13:18:03 UTC
Last seen: 2020-11-20 15:05:44 UTC
File type: Word file doc
MIME type: application/msword
ssdeep: 3072:Ya9ypojzjRJJ7GS1/iA+Fhl8wF+mxYzzzzzzzzXMlfYLXnVhRs2B5:/9ypojxRilFhCwFTSJLXnVhRs2B5
TLSH: 2424B0F4B356C25BD1037D714AA6D295A39CAC15CCD94A7F398CBB2B5B3E720D03A1A0
Reporter: JAMESWT_WT
Tags: 170.106.35.220, Smoke Loader

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about the document, obtained with oletools (oleid, olevba) and oledump.

OLE id
Maldoc score: 11
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 38 sections in this file using oledump:

Section ID | Section size  | Section name
1          | 114 bytes     | CompObj
2          | 4096 bytes    | DocumentSummaryInformation
3          | 536 bytes     | SummaryInformation
4          | 8455 bytes    | 1Table
5          | 121042 bytes  | Data
6          | 920 bytes     | Macros/PROJECT
7          | 314 bytes     | Macros/PROJECTwm
8          | 97 bytes      | Macros/UserForm1/CompObj
9          | 266 bytes     | Macros/UserForm1/VBFrame
10         | 38 bytes      | Macros/UserForm1/f
11         | 0 bytes       | Macros/UserForm1/o
12         | 97 bytes      | Macros/UserForm2/CompObj
13         | 266 bytes     | Macros/UserForm2/VBFrame
14         | 38 bytes      | Macros/UserForm2/f
15         | 0 bytes       | Macros/UserForm2/o
16         | 97 bytes      | Macros/UserForm3/CompObj
17         | 266 bytes     | Macros/UserForm3/VBFrame
18         | 38 bytes      | Macros/UserForm3/f
19         | 0 bytes       | Macros/UserForm3/o
20         | 97 bytes      | Macros/UserForm4/CompObj
21         | 266 bytes     | Macros/UserForm4/VBFrame
22         | 38 bytes      | Macros/UserForm4/f
23         | 0 bytes       | Macros/UserForm4/o
24         | 97 bytes      | Macros/UserForm5/CompObj
25         | 266 bytes     | Macros/UserForm5/VBFrame
26         | 38 bytes      | Macros/UserForm5/f
27         | 0 bytes       | Macros/UserForm5/o
28         | 15540 bytes   | Macros/VBA/Imkyf2ff_1d5k_ua
29         | 687 bytes     | Macros/VBA/K8m82_a7yhx1w2t9i
30         | 1160 bytes    | Macros/VBA/UserForm1
31         | 1160 bytes    | Macros/VBA/UserForm2
32         | 1160 bytes    | Macros/VBA/UserForm3
33         | 1160 bytes    | Macros/VBA/UserForm4
34         | 1160 bytes    | Macros/VBA/UserForm5
35         | 1134 bytes    | Macros/VBA/Zynas813o1a9o17543
36         | 6710 bytes    | Macros/VBA/_VBA_PROJECT
37         | 1070 bytes    | Macros/VBA/dir
38         | 39982 bytes   | WordDocument
OLE vba

MalwareBazaar extracted and deobfuscated the VBA script(s) from the OLE objects embedded in this file using olevba, and found the following indicators:

Type       | Keyword        | Description
AutoExec   | Document_open  | Runs when the Word or Publisher document is opened
Suspicious | Create         | May execute file or a system command through WMI
Suspicious | CreateObject   | May create an OLE object
Suspicious | ChrW           | May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious | Hex Strings    | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 2
# of downloads: 114
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
DNS request
Sending an HTTP GET request
Creating a file
Possible injection to a system process
Launching a process by exploiting the app vulnerability
Result
Verdict: MALICIOUS
Details:
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages: Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.

Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to check if a debugger is attached (DbgSetDebugFilterState,NtSetDebugFilterState)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Renames NTDLL to bypass HIPS
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Very long command line found
Writes to foreign memory regions
Yara detected SmokeLoader
Behaviour
Behavior Graph: (graph image not reproduced here) Behavior Graph ID: 321176, Sample: Report.464129889.doc, Startdate: 20/11/2020, Architecture: WINDOWS, Score: 100
Result
Threat name: Script-Macro.Trojan.Amphitryon
Status: Malicious
First seen: 2020-11-20 13:19:03 UTC
File Type: Document
Extracted files: 44
AV detection: 16 of 28 (57.14%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:smokeloader backdoor macro spyware trojan
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious use of UnmapMainImage
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
Process spawned unexpected child process
SmokeLoader
Malware Config
C2 Extraction:
http://penodux.com/xsmkld/index.php
http://tommusikirtyur.com/xsmkld/index.php
http://ploaernysannyer.com/xsmkld/index.php
http://dersmasfannyer.com/xsmkld/index.php
http://derdsgdannyer.com/xsmkld/index.php
Dropper Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments