MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42560389433675fab57a669923a7287010c6d49eadb8c07760d0a97fc9bdf6d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42560389433675fab57a669923a7287010c6d49eadb8c07760d0a97fc9bdf6d5
SHA3-384 hash: dfbd78fda4181a6d4bec9bba38362ca687f08558d87edb3b96c58600d805129c594f3d68924106d074bb92b53116dda0
SHA1 hash: fad0221c0d68d74d01ae521ea34269e11e3dbf3c
MD5 hash: 860c105df7bee24d82fb148b1e911751
humanhash: indigo-vermont-emma-delaware
File name:ZK PO No 20220429001 A860 mego.xll
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:9'216 bytes
First seen:2022-05-05 05:21:28 UTC
Last seen:2022-05-05 05:40:57 UTC
File type:Excel file xll
MIME type:application/x-dosexec
imphash 5b93d93d32cd48b4478e2218c8053334 (1 x Smoke Loader, 1 x GuLoader)
ssdeep 192:ofuuiX0ubSoDQMXmA2WjO9r9YawFryrJot6:bhgaXmxWj2RwFWyt
TLSH T1B7124C62FFD149F2CF2C03F56876592B866C77208FA10712BB7E661E2F05441FA1896E
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:Smoke Loader xll

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ZK PO No 20220429001 A860 mego.xll
Verdict:
Suspicious activity
Analysis date:
2022-05-05 05:26:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/34892616-4d4e-49a1-9975-9bbc5f55d90b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.SUSP_Encoded_Discord_Attachment_Oct21_1.3832.177.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/42560389433675fab57a669923a7287010c6d49eadb8c07760d0a97fc9bdf6d5/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62735eff2b32b1c37c96d797/reports/8b668e93-e945-44ab-b16c-f562fa7ba962/overview
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Empire PowerShell Request
Detected a base64 encoded Powershell HTTP request that is likely sourced from Empire.
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/988250
Signature
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Malicious encrypted Powershell command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 620744 Sample: ZK PO No 20220429001 A860 m... Startdate: 05/05/2022 Architecture: WINDOWS Score: 92 47 Found malware configuration 2->47 49 Yara detected GuLoader 2->49 51 C2 URLs / IPs found in malware configuration 2->51 53 Potential dropper URLs found in powershell memory 2->53 8 loaddll32.exe 1 2->8         started        process3 signatures4 61 Malicious encrypted Powershell command line found 8->61 63 PowerShell case anomaly found 8->63 11 cmd.exe 1 8->11         started        14 cmd.exe 1 8->14         started        16 rundll32.exe 8->16         started        18 rundll32.exe 8->18         started        process5 signatures6 65 Malicious encrypted Powershell command line found 11->65 67 Suspicious powershell command line found 11->67 69 Encrypted powershell cmdline option found 11->69 20 powershell.exe 15 19 11->20         started        71 PowerShell case anomaly found 14->71 25 rundll32.exe 14->25         started        27 cmd.exe 16->27         started        process7 dnsIp8 45 cdn.discordapp.com 162.159.130.233, 443, 49753 CLOUDFLARENETUS United States 20->45 35 C:\Users\user\...\dllhostServicesrun.exe, PE32 20->35 dropped 55 Powershell drops PE file 20->55 29 dllhostServicesrun.exe 1 33 20->29         started        57 Malicious encrypted Powershell command line found 25->57 59 PowerShell case anomaly found 25->59 33 cmd.exe 25->33         started        file9 signatures10 process11 file12 37 C:\Users\user\AppData\Local\Temp\zlib1.dll, PE32+ 29->37 dropped 39 C:\Users\user\AppData\Local\Temp\tapctl.exe, PE32+ 29->39 dropped 41 C:\Users\user\AppData\Local\...\System.dll, PE32 29->41 dropped 43 3 other files (none is malicious) 29->43 dropped 73 Tries to detect virtualization through RDTSC time measurements 29->73 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42560389433675fab57a669923a7287010c6d49eadb8c07760d0a97fc9bdf6d5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-05 00:11:18 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
11 of 25 (44.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijlahckdgz27vnl2m2mshjzioaimnve6vw4ma53a2cux7sn563kq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader family:smokeloader backdoor downloader keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220505-f2lqaafbg4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Process spawned suspicious child process
Checks QEMU agent file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
AgentTesla
Guloader,Cloudeye
Process spawned unexpected child process
SmokeLoader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://dibilabok.ga/
http://samilabok.ga/
http://teualabok.ga/
https://api.telegram.org/bot5239488314:AAGGrDj18iOt1_AHGa1AuU4zM9GYBxHtwsY/sendDocument
Dropper Extraction:
https://cdn.discordapp.com/attachments/965163295852081155/971180325122224158/d2.exe
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/425603894336/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42560389433675fab57a669923a7287010c6d49eadb8c07760d0a97fc9bdf6d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_Case_Anomaly
Create hunting rule
Author:Florian Roth
Description:Detects obfuscated PowerShell hacktools
Reference:https://twitter.com/danielhbohannon/status/905096106924761088
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:PowerShell_Susp_Parameter_Combo_RID336F
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:SUSP_Encoded_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments