MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de
SHA3-384 hash: e56f4f64e440f797bd77a26fc3e7cac4fa2ecc5972ba2fc456bf5a41a0ad7102d37f866fb7352840637d757cc951975b
SHA1 hash: 33a4a18759143c258703147bb5a05a19f9be65d6
MD5 hash: 4edc2181db86513f593f18793d30ebf9
humanhash: magnesium-uncle-mirror-potato
File name:file
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:24'576 bytes
First seen:2023-01-25 12:20:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 96:TbpKgeeUZvHZ6mkIWjT4nLkjDUPRx0UxkRbkPf4LNiRB4e3T3e3Lvn1fzNt:Y8AvQdIWfoLkjD8TOQPf4L9bnr
TLSH T1B5B23F05A398D27DFC633E34ACA706704B7AEDC9C822AF9F9C007AD6A979741C615320
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 72690d69690d6972 (8 x AgentTesla, 6 x Smoke Loader, 2 x PureCrypter)
Reporter jstrosch
Tags:.NET exe MSIL Smoke Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-25 12:23:16 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/c73c62be-dd75-4555-800e-5329d19bacda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356712/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d11eb6447edb203a00ea99/reports/f1c39071-6806-4c3f-a097-136e19ee7d6e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c84f2e13-8b7d-462a-9cbc-7ba8a763e34b
Result
Threat name:
SmokeLoader, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158671
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 791408 Sample: file.exe Startdate: 25/01/2023 Architecture: WINDOWS Score: 100 92 Snort IDS alert for network traffic 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Antivirus detection for URL or domain 2->96 98 7 other signatures 2->98 10 file.exe 16 7 2->10         started        15 scjthbg 2->15         started        process3 dnsIp4 82 isilab.kaist.ac.kr 15.164.23.161, 49711, 49714, 49717 AMAZON-02US United States 10->82 66 C:\Users\user\AppData\Roaming\...behaviorgraphoyyvx.exe, PE32 10->66 dropped 68 C:\Users\user\...behaviorgraphoyyvx.exe:Zone.Identifier, ASCII 10->68 dropped 70 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 10->70 dropped 126 Encrypted powershell cmdline option found 10->126 17 file.exe 10->17         started        20 powershell.exe 16 10->20         started        22 powershell.exe 15->22         started        file5 signatures6 process7 signatures8 84 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->84 86 Maps a DLL or memory area into another process 17->86 88 Checks if the current machine is a virtual machine (disk enumeration) 17->88 90 Creates a thread in another existing process (thread injection) 17->90 24 explorer.exe 6 7 17->24 injected 29 conhost.exe 20->29         started        31 conhost.exe 22->31         started        process9 dnsIp10 78 alpatrik.com 45.81.39.147, 49725, 49726, 49727 LVLT-10753US United States 24->78 80 cletonmy.com 172.105.103.207, 49720, 80 LINODE-APLinodeLLCUS United States 24->80 60 C:\Users\user\AppData\Roaming\scjthbg, PE32 24->60 dropped 62 C:\Users\user\AppData\Local\Temp\46EA.exe, PE32 24->62 dropped 64 C:\Users\user\...\scjthbg:Zone.Identifier, ASCII 24->64 dropped 110 System process connects to network (likely due to code injection or exploit) 24->110 112 Benign windows process drops PE files 24->112 114 Injects code into the Windows Explorer (explorer.exe) 24->114 116 3 other signatures 24->116 33 Goyyvx.exe 3 24->33         started        37 Goyyvx.exe 14 4 24->37         started        39 explorer.exe 24->39         started        41 6 other processes 24->41 file11 signatures12 process13 dnsIp14 72 isilab.kaist.ac.kr 33->72 100 Encrypted powershell cmdline option found 33->100 43 Goyyvx.exe 33->43         started        46 powershell.exe 33->46         started        48 Goyyvx.exe 33->48         started        50 Goyyvx.exe 33->50         started        74 isilab.kaist.ac.kr 37->74 52 Goyyvx.exe 37->52         started        54 powershell.exe 37->54         started        102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->102 104 Tries to steal Mail credentials (via file / registry access) 39->104 106 Tries to harvest and steal browser information (history, passwords, etc) 39->106 76 isilab.kaist.ac.kr 41->76 108 Machine Learning detection for dropped file 41->108 signatures15 process16 signatures17 118 Creates a thread in another existing process (thread injection) 43->118 56 conhost.exe 46->56         started        120 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 52->120 122 Maps a DLL or memory area into another process 52->122 124 Checks if the current machine is a virtual machine (disk enumeration) 52->124 58 conhost.exe 54->58         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-25 08:48:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
12 of 39 (30.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sl23yhaez6sssbllp5wovvhmjkrm4kaouunrm3spmk34idqoglpa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:purecrypter family:smokeloader backdoor collection downloader loader persistence trojan
Link:
https://tria.ge/reports/230125-pjbxssga24/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Detect PureCrypter injector
Detects Smokeloader packer
PureCrypter
SmokeLoader
Unpacked files
SH256 hash:
92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de
MD5 hash:
4edc2181db86513f593f18793d30ebf9
SHA1 hash:
33a4a18759143c258703147bb5a05a19f9be65d6
Link:
https://www.unpac.me/results/43b38ccb-4613-4d37-ab1e-6494c2c2072e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/92f5bc1c04cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 92f5bc1c04cfa529056b7f6cead4ec4aa2ce280ea51b166e4f62b7c40e0e32de

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2517296/
Cape
Cape
https://www.capesandbox.com/analysis/356712/

Comments