MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4
SHA3-384 hash: 31140be83814f593eaea0a8fb350b0ae4e9b176f2fa1cb3d8d6c12639ae43cb06c4a7e7203c6dd8d75ca451f8581dba0
SHA1 hash: d39c5146f3560a6d55657eaa384a8794e25c97ad
MD5 hash: a8a27695f1bc25512354f2c6b5e9d037
humanhash: crazy-nebraska-rugby-network
File name:SecuriteInfo.com.FileRepMalware.16560.22720
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:719'920 bytes
First seen:2023-07-14 11:53:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep 12288:/fyw2ahjxbe1SORR84Rl7hChlA4aEISAe43v:/6NanbivDChdrnXm
Threatray 790 similar samples on MalwareBazaar
TLSH T1EAE4AD11BF98D916C09987349EB7CBC753B5FE906D62838F7288B75C5E722F01A422B4
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 727a7170f070314c (1 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe signed Smoke Loader

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-31T02:24:51Z
Valid to:2025-12-30T02:24:51Z
Serial number: 11c907fb57bbc5e681512d13fe790aa737304729
Thumbprint Algorithm:SHA256
Thumbprint: e9441b1ec57bd7069d02052d005b48bae486a80dbe859c827de3eb69c2184dc0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
Pedido- 1253-360.xls
Verdict:
Malicious activity
Analysis date:
2023-07-14 06:59:38 UTC
Tags:
opendir exploit cve-2017-11882 loader guloader
Link:
https://app.any.run/tasks/2814b690-b48d-4cf6-8b8b-15d012f1e97d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/418718/
Detection(s):
SecuriteInfo.com.FileRepMalware.16560.22720.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Searching for the window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97604/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/608c5436-dc64-401d-8be0-1ab8dc81be9c
Result
Threat name:
GuLoader, AgentTesla, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273122
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Deletes itself after installation
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected GuLoader
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1273122 Sample: SecuriteInfo.com.FileRepMal... Startdate: 14/07/2023 Architecture: WINDOWS Score: 100 73 cletonmy.com 2->73 75 alpatrik.com 2->75 77 3 other IPs or domains 2->77 107 Snort IDS alert for network traffic 2->107 109 Multi AV Scanner detection for domain / URL 2->109 111 Found malware configuration 2->111 113 12 other signatures 2->113 10 SecuriteInfo.com.FileRepMalware.16560.22720.exe 5 40 2->10         started        14 efietvt 30 2->14         started        16 efietvt 2->16         started        signatures3 process4 file5 57 C:\Users\user\...\libpixbufloader-icns.dll, PE32+ 10->57 dropped 59 C:\Users\user\AppData\Local\...\System.dll, PE32 10->59 dropped 123 Tries to detect Any.run 10->123 18 SecuriteInfo.com.FileRepMalware.16560.22720.exe 6 10->18         started        61 C:\Users\user\AppData\Local\...\System.dll, PE32 14->61 dropped 22 efietvt 14->22         started        63 C:\Users\user\AppData\Local\...\System.dll, PE32 16->63 dropped 24 efietvt 16->24         started        signatures6 process7 dnsIp8 79 198.23.156.248, 50254, 50263, 50272 AS-COLOCROSSINGUS United States 18->79 115 Tries to detect Any.run 18->115 117 Maps a DLL or memory area into another process 18->117 119 Checks if the current machine is a virtual machine (disk enumeration) 18->119 26 explorer.exe 15 7 18->26 injected 121 Creates a thread in another existing process (thread injection) 22->121 signatures9 process10 dnsIp11 81 cletonmy.com 172.105.103.207, 50255, 80 LINODE-APLinodeLLCUS United States 26->81 83 alpatrik.com 185.244.180.69, 50256, 50257, 50258 BELCLOUDBG Russian Federation 26->83 65 C:\Users\user\AppData\Roaming\efietvt, PE32 26->65 dropped 67 C:\Users\user\AppData\Local\Temp\1482.exe, PE32 26->67 dropped 69 C:\Users\user\...\efietvt:Zone.Identifier, ASCII 26->69 dropped 125 System process connects to network (likely due to code injection or exploit) 26->125 127 Benign windows process drops PE files 26->127 129 Injects code into the Windows Explorer (explorer.exe) 26->129 131 3 other signatures 26->131 31 1482.exe 16 4 26->31         started        36 Mgqonkicp.exe 26->36         started        38 WinHlp.exe 26->38         started        40 8 other processes 26->40 file12 signatures13 process14 dnsIp15 87 qu.ax 45.95.232.107, 443, 50259, 50265 RHC-HOSTINGGB Russian Federation 31->87 55 C:\Users\user\AppData\Roaming\Mgqonkicp.exe, PE32 31->55 dropped 89 Antivirus detection for dropped file 31->89 91 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 31->91 93 Machine Learning detection for dropped file 31->93 95 Creates multiple autostart registry keys 31->95 42 1482.exe 31->42         started        97 Injects a PE file into a foreign processes 36->97 47 Mgqonkicp.exe 36->47         started        49 WinHlp.exe 38->49         started        99 System process connects to network (likely due to code injection or exploit) 40->99 101 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->101 103 Tries to steal Mail credentials (via file / registry access) 40->103 105 Tries to harvest and steal browser information (history, passwords, etc) 40->105 51 WinHlp.exe 40->51         started        53 WerFault.exe 40->53         started        file16 signatures17 process18 dnsIp19 85 api4.ipify.org 173.231.16.76, 443, 50264, 50269 WEBNXUS United States 42->85 71 C:\Users\user\AppData\Roaming\...\WinHlp.exe, PE32 42->71 dropped 133 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->133 135 Tries to steal Mail credentials (via file / registry access) 42->135 137 Creates multiple autostart registry keys 42->137 139 Hides that the sample has been downloaded from the Internet (zone.identifier) 47->139 141 Installs a global keyboard hook 47->141 143 Tries to harvest and steal browser information (history, passwords, etc) 51->143 file20 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-14 02:56:36 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
5 of 38 (13.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ins76pet5yp2uqj2w7hwqoeijrcjau2htuydt2mvu3g74wibexsa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
2bcbb670647ed04d137cfb1d8a8fda4f7dbd1b3d668a99efc034539691e35514
Smoke Loader
396d28268cee1176f329d930c041236fbb6085f568381ecdc386d3d436ddcba5
Smoke Loader
3aed3ef42a227f0f1f29297ceb59e0edab0da065a0b9c7894e113fb16fd55849
Smoke Loader
4d6ae0a40fcc30fab170c3e70dd5076253ddf9fa6ec0886d39cffbd9df99ae52
Smoke Loader
7feb0133d36aafdd1b2ba2dbae6ea92c8cefee7b48b82cbcd736dc729196a3e5
Smoke Loader
c2c1f25688e42a7cf6e8ec33ef1347abd6031f97c996555e0fe3df6e717fcb43
Smoke Loader
d40f43dfe57ebd99e557968a04bcf24f1fd1b8bdd6a4075fed1c738eb1a6d687
Smoke Loader
e4b6f95557a2356d046da60a1ca4e52d302618108fae774b8128ffc0586366e0
Smoke Loader
+ 780 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:smokeloader backdoor discovery downloader trojan
Link:
https://tria.ge/reports/230714-n2vxysdd73/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks QEMU agent file
Deletes itself
Loads dropped DLL
Guloader,Cloudeye
SmokeLoader
Malware Config
C2 Extraction:
http://cletonmy.com/
http://alpatrik.com/
Unpacked files
SH256 hash:
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
MD5 hash:
375e8a08471dc6f85f3828488b1147b3
SHA1 hash:
1941484ac710fc301a7d31d6f1345e32a21546af
Link:
https://www.unpac.me/results/efd3b700-f0c9-495b-886c-373f165bd204/
SH256 hash:
4365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4
MD5 hash:
a8a27695f1bc25512354f2c6b5e9d037
SHA1 hash:
d39c5146f3560a6d55657eaa384a8794e25c97ad
Link:
https://www.unpac.me/results/efd3b700-f0c9-495b-886c-373f165bd204/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4365ff3c93ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 4365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2682421/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/418718/

Comments