MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74651dedba95ec668db7d4e545be66d575b7f3f7af03b3d5d91148f01db746e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74651dedba95ec668db7d4e545be66d575b7f3f7af03b3d5d91148f01db746e2
SHA3-384 hash: d71eb7655cc4cd74ddc54d6482d251d3456e1e919a8b1d43cefda91690cf5ee10e94edc5c7806c2dd6542b4713722448
SHA1 hash: 46789892c49246f1291016e8a1972010e439fd08
MD5 hash: 393c580a147ceb59dfb9d92d36dd1aef
humanhash: fillet-fifteen-aspen-low
File name:SecuriteInfo.com.Heur.PonyStealer.qm1@UKtOkgki.6686.23432
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:263'880 bytes
First seen:2022-02-21 13:58:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a6dba6c84409e1cce26d4097ba2cb7b (5 x Smoke Loader, 1 x AgentTesla, 1 x GuLoader)
ssdeep 3072:IWum2MgWZDPWI4YMIoII//pxMn/LjqazsfJrHgW9Im2M7WX:IfmRgoPW33ISRxuNsfJrXImR72
Threatray 9'425 similar samples on MalwareBazaar
TLSH T12A447C73F289193AF462C8BC9621A68E58D17C7140519B19BEC1BA14E2312DF735BF3B
File icon (PE):PE icon
dhash icon 72c2e0e4ce92f278 (7 x Smoke Loader, 2 x GuLoader, 1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe signed Smoke Loader

Code Signing Certificate

Organisation:Garderobe3
Issuer:Garderobe3
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-21T10:16:41Z
Valid to:2023-02-21T10:16:41Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: bdc08f6f7654667286d2dfd0d040090572ca6228c8092cfce7e34aadc5b3196c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection:
GuLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242971/
Detection(s):
SecuriteInfo.com.Heur.PonyStealer.qm1@UKtOkgki.6686.23432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62139ab0875593a3ccfbb5ce/reports/62afed2c-d021-47dc-b245-9b0a10619199/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16064dbb-a656-4913-9e00-d933c794f46c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/943268
Signature
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74651dedba95ec668db7d4e545be66d575b7f3f7af03b3d5d91148f01db746e2/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 13:59:16 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
15520c752a3375cd92bee021404e10830d4732681be2e50b3d293bcbd3c1e262
Smoke Loader
414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65
Smoke Loader
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
Smoke Loader
539e74bd0c03ccd3fe00e95ee29c3ada84e5aa46216449c665b3890b81dcf0cc
Smoke Loader
5f2999762b0f8ab07d3f2aba62f5b698b6a1ebd0c2ace8753ff7ac40a5a47c80
Smoke Loader
ae83f208925ec791bd10f37e0cd1bfc98473ea586c4814288a243c7d579c2e55
Smoke Loader
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
Smoke Loader
db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea
Smoke Loader
e909198f5ca355e38c8459bc7ae2028ee25f849fde5c37714f914b87a94b5182
Smoke Loader
f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
Smoke Loader
+ 9'415 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader family:smokeloader backdoor downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220221-raecnsadf4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
Guloader,Cloudeye
SmokeLoader
Malware Config
C2 Extraction:
https://api.telegram.org/bot5013020608:AAFu_btAZRcQ9V-SvEIxL9rCbb_x1A-9IJo/sendDocument
http://venis.ml/
http://tootoo.ga/
http://eyecosl.ga/
http://bullions.tk/
http://mizangs.tw/
http://xpowebs.ga/
Unpacked files
SH256 hash:
74651dedba95ec668db7d4e545be66d575b7f3f7af03b3d5d91148f01db746e2
MD5 hash:
393c580a147ceb59dfb9d92d36dd1aef
SHA1 hash:
46789892c49246f1291016e8a1972010e439fd08
Link:
https://www.unpac.me/results/4272d2ea-b7dd-4d5b-b987-a6909d8d77f9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/74651dedba95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/74651dedba95ec668db7d4e545be66d575b7f3f7af03b3d5d91148f01db746e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 74651dedba95ec668db7d4e545be66d575b7f3f7af03b3d5d91148f01db746e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2050644/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/242971/

Comments