MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db80119b8c5a0a68d84561ff34e72aff001cf864541aec9d08b812c6ab9bfe34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db80119b8c5a0a68d84561ff34e72aff001cf864541aec9d08b812c6ab9bfe34
SHA3-384 hash: 262a2f1d6709d01804e55583c23d60294b054e99e86684402d1002bbeedf51fb0f9ac5beb53aea7f39ffd340567ed121
SHA1 hash: 7426353f56ac05591c68a40a8a8e98879668b9a1
MD5 hash: 1ef0a3739c198eabe15dc5fa9bf2ef3e
humanhash: ink-angel-salami-north
File name:SecuriteInfo.com.Variant.Midie.108082.14902.22115
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:263'880 bytes
First seen:2022-02-21 13:58:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a6dba6c84409e1cce26d4097ba2cb7b (5 x Smoke Loader, 1 x AgentTesla, 1 x GuLoader)
ssdeep 3072:4Wum2Mg5WhwKBoFQTCoB5RVVs0AFvLucIpzN2x2Im2M7Wz:4fmRgcZFTCkjV8FDucIpzhImR7a
Threatray 9'426 similar samples on MalwareBazaar
TLSH T101448DA7F818AD31F821C97D6416E29650D0ACB555408B1E3EE47FEAD8312DE2327F1B
File icon (PE):PE icon
dhash icon 72c2e0e4ce92f278 (7 x Smoke Loader, 2 x GuLoader, 1 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe signed Smoke Loader

Code Signing Certificate

Organisation:Hjkultur1
Issuer:Hjkultur1
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-21T10:17:24Z
Valid to:2023-02-21T10:17:24Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 4a71deec3395238745cc5ce3ccd1a76f942fb1678e81c78b9cc33388fd5317e2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242970/
Detection(s):
SecuriteInfo.com.Variant.Midie.108082.14902.22115.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/62139aaea2660f3bb91b77bb/reports/ea906f68-0af5-479f-8839-23986c025ba4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b569df0-dc39-4e04-b653-609bbe0992ea
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/943269
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db80119b8c5a0a68d84561ff34e72aff001cf864541aec9d08b812c6ab9bfe34/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 13:59:16 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65
Smoke Loader
4db943d3621a557370a3585cd61db3f9835c65f350a2284c9d5f3024adb0ff07
Smoke Loader
539e74bd0c03ccd3fe00e95ee29c3ada84e5aa46216449c665b3890b81dcf0cc
Smoke Loader
5f2999762b0f8ab07d3f2aba62f5b698b6a1ebd0c2ace8753ff7ac40a5a47c80
Smoke Loader
b0f2a0a127513365c48a8b4f269a37d06c9cac41cafb5d567e30816694e8d44d
Smoke Loader
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
Smoke Loader
d6f128c8cc5257acccffb5e6c1fccb4eedf7c4f01247bf6287baa1f39570e444
Smoke Loader
db48dc160b1f48b8939b0d49c5f0bee2a28bc3b340cff62cea8da50424e1afea
Smoke Loader
e8878506c5e3493a1fdc7ee88ec6db1567db870c2b726b0028bcacbf64a3adc6
Smoke Loader
f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
Smoke Loader
+ 9'416 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader family:smokeloader backdoor collection downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220221-rad2xabear/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks QEMU agent file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
Guloader,Cloudeye
SmokeLoader
Malware Config
C2 Extraction:
https://api.telegram.org/bot5013020608:AAFu_btAZRcQ9V-SvEIxL9rCbb_x1A-9IJo/sendDocument
http://venis.ml/
http://tootoo.ga/
http://eyecosl.ga/
http://bullions.tk/
http://mizangs.tw/
http://xpowebs.ga/
Unpacked files
SH256 hash:
db80119b8c5a0a68d84561ff34e72aff001cf864541aec9d08b812c6ab9bfe34
MD5 hash:
1ef0a3739c198eabe15dc5fa9bf2ef3e
SHA1 hash:
7426353f56ac05591c68a40a8a8e98879668b9a1
Link:
https://www.unpac.me/results/718ad96f-852c-4885-ad31-b2a9799adcff/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/db80119b8c5a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/db80119b8c5a0a68d84561ff34e72aff001cf864541aec9d08b812c6ab9bfe34

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe db80119b8c5a0a68d84561ff34e72aff001cf864541aec9d08b812c6ab9bfe34

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2050643/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/242970/

Comments