Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: 32-bit Windows, family: SmokeLoader
Trojan:Win32/SmokeLoader!pz is a concrete detection of SmokeLoader, a sophisticated malware loader that establishes a foothold on a Windows system to download and execute additional malicious payloads. It often employs techniques like code injection, PowerShell execution, and C2 communication to deliver follow-on attacks such as infostealers or ransomware.
Relevant strings associated with this threat (string type in parentheses):
- >yAR3/ (SNID)
- https://bemojo.com/ds/161120.gif (MACROHSTR_EXT)
- https://btchs.com.br/ds/161120.gif (MACROHSTR_EXT)
- C:\yobuyoticezi\muv.pdb (PEHSTR_EXT)
- pacoletupifodof wotodudokejaxezucudi tazex (PEHSTR_EXT)
- zaluloloza\roba\jopotih kuxacuza.pdb (PEHSTR_EXT)
- PortableApps.com (PEHSTR_EXT)
- 2.2.1.0 (PEHSTR_EXT)
- jsXjmf (PEHSTR_EXT)
- f:\dd\vct (PEHSTR_EXT)
- filifilm.com.br/images/ (PEHSTR_EXT)
- kernel32.dll (PEHSTR_EXT)
- feyicujey-mividefefute-jasi92_domu.pdb (PEHSTR_EXT)
- . 899_ (PEHSTR_EXT)
- iccoperadora.com.br/erros_OLD (PEHSTR_EXT)
- 192.3.27.140 (PEHSTR_EXT)
- Xjsf (PEHSTR_EXT)
- KB_/YB]NXK/YBBJBL/YM@WHZ/YM@W\I/YM@WB@/YM@WYF/YM@WKF/YF@\J]//qp (PEHSTR_EXT)
- f!p0vDC. (SNID)
- D.d}] (SNID)
- powershell-e$ccc;",6)application.screenupdating=trueendsub (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated sample hash: b71cf215c7fc346a51d1f0ff5c7163188c109c9b5f21bc05b8592117c61dfab0

Remediation: Immediately isolate the infected system to prevent further compromise. Perform a full system scan with updated anti-malware software and block the associated C2 domains and IP addresses at the network perimeter. Because SmokeLoader is a loader, a full system re-image is highly recommended after thoroughly investigating for any secondary payloads it delivered.