MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd779173116b49bfb1537944a33e17275612a1abc72a5f1bb54bbe24ecfd2e2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 8



SHA256 hash: fd779173116b49bfb1537944a33e17275612a1abc72a5f1bb54bbe24ecfd2e2b
SHA3-384 hash: e23ba10f4c07f05dc13d6d8127e3b08f261e5127c590e63dae56d2028c1a2990cd5a919781ef80e65e5c16227e2e0626
SHA1 hash: 66bdfe2e8e5b944c1f99bfdb28be2e450bd05bd7
MD5 hash: d09f67179edf34f085786931c48f984f
humanhash: two-king-uniform-kentucky
File name: ItsMe.lnk
Signature: Smoke Loader
File size: 3'449 bytes
First seen: 2022-05-26 17:10:45 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 96:8nzRbpXu5nZXuuaVNnNnpV5na+S8mnFpXVappu3VKNnTucpuXu7t0wgvQBFqFpNM:8nzRo3dvQ2Fvg
TLSH: T1C661AC3D9BE1023DE2F3DF35E677E35156267A1A6E1EAD0D00C402094853213B9D673E
Reporter: Finch39487976
Tags: EternityWorm lnk Smoke Loader

Intelligence


File Origin
# of uploads: 1
# of downloads: 351
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive icedid masquerade powershell

Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph (ID 634752, sample ItsMe.lnk, start date 26/05/2022, architecture WINDOWS, score 100), rendered as a process tree with the signatures and network/file artefacts attached to each node:

Sample (node 2): Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; 4 other signatures
  powershell.exe (node 11): Powershell drops PE file
    mshta.exe (node 14): connects to soapbeginshops.com (34.118.86.4, ports 49749, 49750, 80; GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States); Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Obfuscated command line found; Very long command line found
      powershell.exe (node 20): connects to soapbeginshops.com; drops C:\Users\user\AppData\Roaming\tel.exe (PE32)
        fodhelper.exe (node 24): Windows shortcut file (LNK) starts blacklisted processes
          cmd.exe (node 29): Windows shortcut file (LNK) starts blacklisted processes
            cmd.exe (node 32): Windows shortcut file (LNK) starts blacklisted processes
              powershell.exe (node 37)
              conhost.exe (node 39)
              cmd.exe (node 41)
            conhost.exe (node 35)
        conhost.exe (node 27)
    conhost.exe (node 18)
Threat name: Shortcut.Trojan.IcedID
Status: Malicious
First seen: 2022-05-22 02:26:19 UTC
File Type: Binary
AV detection: 16 of 26 (61.54%)
Threat level: 5/5

Result
Malware family: smokeloader
Score: 10/10
Tags: family:redline family:smokeloader botnet:camp1 backdoor infostealer spyware suricata trojan
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://motionberry999xerz.ru/
http://happyday9risce.com/
http://kokihap7siexz3.com/
https://motionberry999xerz.ru/
https://happyday9risce.com/
https://kokihap7siexz3.com/
65.109.11.10:8599
Dropper Extraction:
http://soapbeginshops.com/45d.hta
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments