MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ad3a05cfa5317f2c1321c99ff189de49df6bbe146f8feed1def69a12ecf605f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Smoke Loader

Vendor detections: 9


SHA256 hash: 9ad3a05cfa5317f2c1321c99ff189de49df6bbe146f8feed1def69a12ecf605f
SHA3-384 hash: 9e28c07c47d43f797e285679d72cc7d3dcf8d5200a3deda31b8a66295c08aa828df797ade0cbd6c343287259ad69265b
SHA1 hash: 0b3739b2cb602475a8b0c43f802b13f8fa014abc
MD5 hash: c7113881fbf17454b383dda0125d8b1c
humanhash: wolfram-uranus-nineteen-two
File name: c7113881fbf17454b383dda0125d8b1c.exe
Signature: Smoke Loader
File size: 263'880 bytes
First seen: 2022-02-21 18:58:35 UTC
Last seen: 2022-02-21 20:34:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3a6dba6c84409e1cce26d4097ba2cb7b (5 x Smoke Loader, 1 x AgentTesla, 1 x GuLoader)
ssdeep: 3072:pWum2Mgt4GVqbJHBHEjHUIXNKXRQf1Im2M7W:pfmRguJbJHRyLXNKXyImR7
Threatray: 9'432 similar samples on MalwareBazaar
TLSH: T1D94449B7F010A974F59BCDBE2865815E60C42D7401509B09BED27B68E235A8FB35BF0B
dhash icon: 72c2e0e4ce92f278 (7 x Smoke Loader, 2 x GuLoader, 1 x AgentTesla)
Reporter: abuse_ch
Tags: exe signed Smoke Loader

Code Signing Certificate

Organisation: Betragtnin
Issuer: Betragtnin
Algorithm: sha256WithRSAEncryption
Valid from: 2022-02-21T10:19:30Z
Valid to: 2023-02-21T10:19:30Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist: This certificate is on the Cert Central blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 2b809332723468236743c967ee67a24698b333f8524ddd032e599301dbe549cd
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 221
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla GuLoader SmokeLoader
Detection: malicious
Classification: troj.evad.bank.spyw
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution of Suspicious File Type Extension
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Yara detected SmokeLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph: graph image not reproduced here (Behavior Graph ID: 575921, sample OKtvzGb1XI.exe, start date 21/02/2022, architecture WINDOWS, score 100).
Threat name: Win32.Trojan.GuLoader
Status: Malicious
First seen: 2022-02-21 18:59:19 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 21 of 27 (77.78%)
Threat level: 5/5
Result
Malware family: smokeloader
Score: 10/10
Tags: family:agenttesla family:guloader family:smokeloader backdoor collection downloader keylogger spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks QEMU agent file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
Guloader, Cloudeye
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 9ad3a05cfa5317f2c1321c99ff189de49df6bbe146f8feed1def69a12ecf605f
MD5 hash: c7113881fbf17454b383dda0125d8b1c
SHA1 hash: 0b3739b2cb602475a8b0c43f802b13f8fa014abc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 9ad3a05cfa5317f2c1321c99ff189de49df6bbe146f8feed1def69a12ecf605f (this sample)

Delivery method: Distributed via web download
