Malicious
Classifications

Downloader Injector

Threat Names

SmokeLoader Mal/HTMLGen-A

Remarks (2/2)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "3 hours, 45 minutes, 30 seconds" to "44 seconds" to reveal dormant functionality.

(0x0200003A): A task was rescheduled ahead of time to reveal dormant functionality.

File Name: C:\Users\RDhJ0CNFevzX\Desktop\toolspab3.exe
Category: Sample File
Type: Binary
Verdict: malicious
Also Known As: C:\Users\RDhJ0CNFevzX\AppData\Roaming\bcatcih (Dropped File)
MIME Type: application/vnd.microsoft.portable-executable
File Size: 281.50 KB
MD5: 8c3223abe34b2be4cbc6af48963ceda1
SHA1: ed538d7d21f6fe3f3cc4d8fd7c93288c7e9b9651
SHA256: 4e9aabb8abf8954eb2edc1ac5e5d80efb995b570af08dbc229930e471ae9bf08
SSDeep: 3072:AjryFIe1Gz41IsR9Cw6saqJEqpUKyp9up6uVVggjcGkNIVqI:Ajry2sDbXJR69HC7ITsq
ImpHash: a8880d90dd309ce69e04adb371ea8632
PE Information
Image Base 0x400000
Entry Point 0x403410
Size Of Code 0x12400
Size Of Initialized Data 0x3be00
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2020-12-19 14:43:52+00:00
Version Information (3)
InternationalName bomgvioci.iwa
Copyright Copyrighz (C) 2021, fudkort
ProjectVersion 3.10.70.57
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x401000 | 0x12223 | 0x12400 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67
.rdata | 0x414000 | 0x3fb8 | 0x4000 | 0x12800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.44
.data | 0x418000 | 0x28038 | 0x22000 | 0x16800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.78
.rsrc | 0x441000 | 0xdc88 | 0xde00 | 0x38800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.38
Imports (1)
KERNEL32.dll (98)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetLocaleInfoA - 0x414000 0x17700 0x15f00 0x3f0
GetConsoleAliasesLengthW - 0x414004 0x17704 0x15f04 0x181
SetComputerNameExA - 0x414008 0x17708 0x15f08 0x3a2
VirtualQuery - 0x41400c 0x1770c 0x15f0c 0x45c
GetDefaultCommConfigW - 0x414010 0x17710 0x15f10 0x1b2
OpenJobObjectA - 0x414014 0x17714 0x15f14 0x32d
GetConsoleAliasA - 0x414018 0x17718 0x15f18 0x179
InterlockedDecrement - 0x41401c 0x1771c 0x15f1c 0x2bc
CompareFileTime - 0x414020 0x17720 0x15f20 0x51
GetProfileSectionA - 0x414024 0x17724 0x15f24 0x231
GetConsoleAliasesA - 0x414028 0x17728 0x15f28 0x17f
GetConsoleTitleA - 0x41402c 0x1772c 0x15f2c 0x19e
ReadConsoleW - 0x414030 0x17730 0x15f30 0x366
SetFileTime - 0x414034 0x17734 0x15f34 0x3e3
FindResourceExA - 0x414038 0x17738 0x15f38 0x137
Sleep - 0x41403c 0x1773c 0x15f3c 0x421
GetFileAttributesW - 0x414040 0x17740 0x15f40 0x1ce
GetAtomNameW - 0x414044 0x17744 0x15f44 0x156
RaiseException - 0x414048 0x17748 0x15f48 0x35a
GetLastError - 0x41404c 0x1774c 0x15f4c 0x1e6
GetLongPathNameW - 0x414050 0x17750 0x15f50 0x1f2
GetProcAddress - 0x414054 0x17754 0x15f54 0x220
VirtualAlloc - 0x414058 0x17758 0x15f58 0x454
PrepareTape - 0x41405c 0x1775c 0x15f5c 0x340
LocalAlloc - 0x414060 0x17760 0x15f60 0x2f9
DnsHostnameToComputerNameA - 0x414064 0x17764 0x15f64 0xce
GetFileType - 0x414068 0x17768 0x15f68 0x1d7
GetModuleFileNameA - 0x41406c 0x1776c 0x15f6c 0x1f4
CreateIoCompletionPort - 0x414070 0x17770 0x15f70 0x84
SetConsoleTitleW - 0x414074 0x17774 0x15f74 0x3c2
GetModuleHandleA - 0x414078 0x17778 0x15f78 0x1f6
GetStringTypeW - 0x41407c 0x1777c 0x15f7c 0x240
GetVersionExA - 0x414080 0x17780 0x15f80 0x275
ReadConsoleInputW - 0x414084 0x17784 0x15f84 0x360
EnumSystemLocalesW - 0x414088 0x17788 0x15f88 0xfa
CreateThread - 0x41408c 0x1778c 0x15f8c 0xa3
HeapAlloc - 0x414090 0x17790 0x15f90 0x29d
GetCommandLineA - 0x414094 0x17794 0x15f94 0x16f
GetStartupInfoA - 0x414098 0x17798 0x15f98 0x239
RtlUnwind - 0x41409c 0x1779c 0x15f9c 0x392
TerminateProcess - 0x4140a0 0x177a0 0x15fa0 0x42d
GetCurrentProcess - 0x4140a4 0x177a4 0x15fa4 0x1a9
UnhandledExceptionFilter - 0x4140a8 0x177a8 0x15fa8 0x43e
SetUnhandledExceptionFilter - 0x4140ac 0x177ac 0x15fac 0x415
IsDebuggerPresent - 0x4140b0 0x177b0 0x15fb0 0x2d1
HeapFree - 0x4140b4 0x177b4 0x15fb4 0x2a1
DeleteCriticalSection - 0x4140b8 0x177b8 0x15fb8 0xbe
LeaveCriticalSection - 0x4140bc 0x177bc 0x15fbc 0x2ef
EnterCriticalSection - 0x4140c0 0x177c0 0x15fc0 0xd9
VirtualFree - 0x4140c4 0x177c4 0x15fc4 0x457
HeapReAlloc - 0x4140c8 0x177c8 0x15fc8 0x2a4
HeapCreate - 0x4140cc 0x177cc 0x15fcc 0x29f
GetModuleHandleW - 0x4140d0 0x177d0 0x15fd0 0x1f9
ExitProcess - 0x4140d4 0x177d4 0x15fd4 0x104
WriteFile - 0x4140d8 0x177d8 0x15fd8 0x48d
GetStdHandle - 0x4140dc 0x177dc 0x15fdc 0x23b
SetHandleCount - 0x4140e0 0x177e0 0x15fe0 0x3e8
SetFilePointer - 0x4140e4 0x177e4 0x15fe4 0x3df
TlsGetValue - 0x4140e8 0x177e8 0x15fe8 0x434
TlsAlloc - 0x4140ec 0x177ec 0x15fec 0x432
TlsSetValue - 0x4140f0 0x177f0 0x15ff0 0x435
TlsFree - 0x4140f4 0x177f4 0x15ff4 0x433
InterlockedIncrement - 0x4140f8 0x177f8 0x15ff8 0x2c0
SetLastError - 0x4140fc 0x177fc 0x15ffc 0x3ec
GetCurrentThreadId - 0x414100 0x17800 0x16000 0x1ad
CloseHandle - 0x414104 0x17804 0x16004 0x43
FreeEnvironmentStringsA - 0x414108 0x17808 0x16008 0x14a
GetEnvironmentStrings - 0x41410c 0x1780c 0x1600c 0x1bf
FreeEnvironmentStringsW - 0x414110 0x17810 0x16010 0x14b
WideCharToMultiByte - 0x414114 0x17814 0x16014 0x47a
GetEnvironmentStringsW - 0x414118 0x17818 0x16018 0x1c1
QueryPerformanceCounter - 0x41411c 0x1781c 0x1601c 0x354
GetTickCount - 0x414120 0x17820 0x16020 0x266
GetCurrentProcessId - 0x414124 0x17824 0x16024 0x1aa
GetSystemTimeAsFileTime - 0x414128 0x17828 0x16028 0x24f
InitializeCriticalSectionAndSpinCount - 0x41412c 0x1782c 0x1602c 0x2b5
LoadLibraryA - 0x414130 0x17830 0x16030 0x2f1
GetCPInfo - 0x414134 0x17834 0x16034 0x15b
GetACP - 0x414138 0x17838 0x16038 0x152
GetOEMCP - 0x41413c 0x1783c 0x1603c 0x213
IsValidCodePage - 0x414140 0x17840 0x16040 0x2db
CreateFileA - 0x414144 0x17844 0x16044 0x78
SetStdHandle - 0x414148 0x17848 0x16048 0x3fc
GetConsoleCP - 0x41414c 0x1784c 0x1604c 0x183
GetConsoleMode - 0x414150 0x17850 0x16050 0x195
FlushFileBuffers - 0x414154 0x17854 0x16054 0x141
HeapSize - 0x414158 0x17858 0x16058 0x2a6
GetLocaleInfoA - 0x41415c 0x1785c 0x1605c 0x1e8
LCMapStringA - 0x414160 0x17860 0x16060 0x2e1
MultiByteToWideChar - 0x414164 0x17864 0x16064 0x31a
LCMapStringW - 0x414168 0x17868 0x16068 0x2e3
GetStringTypeA - 0x41416c 0x1786c 0x1606c 0x23d
SetEndOfFile - 0x414170 0x17870 0x16070 0x3cd
GetProcessHeap - 0x414174 0x17874 0x16074 0x223
ReadFile - 0x414178 0x17878 0x16078 0x368
WriteConsoleA - 0x41417c 0x1787c 0x1607c 0x482
GetConsoleOutputCP - 0x414180 0x17880 0x16080 0x199
WriteConsoleW - 0x414184 0x17884 0x16084 0x48c
Memory Dumps (9)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA
toolspab3.exe | 1 | 0x00400000 | 0x0044EFFF | Relevant Image | False | 32-bit | 0x00403305 | False
buffer | 1 | 0x00030000 | 0x00037FFF | First Execution | False | 32-bit | 0x00030000 | False
buffer | 1 | 0x001C0000 | 0x001C8FFF | First Execution | False | 32-bit | 0x001C0000 | False
buffer | 2 | 0x00400000 | 0x00408FFF | First Execution | False | 32-bit | 0x00402F47 | False
toolspab3.exe | 1 | 0x00400000 | 0x0044EFFF | Process Termination | False | 32-bit | - | False
buffer | 2 | 0x00400000 | 0x00408FFF | Content Changed | False | 32-bit | 0x0040283D | False
buffer | 2 | 0x01D40000 | 0x01D55FFF | Marked Executable | False | 32-bit | - | True
buffer | 2 | 0x001D0000 | 0x001D5FFF | Process Termination | False | 32-bit | - | True
buffer | 2 | 0x00400000 | 0x00408FFF | Process Termination | False | 32-bit | - | False
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.