Windows Analysis Report
YWwcRHSpbw.exe

Overview

General Information

Sample name: YWwcRHSpbw.exe
renamed because original name is a hash value
Original sample name: 26ce123ca4fb973543d48c2da9ece87e.exe
Analysis ID: 1417238
MD5: 26ce123ca4fb973543d48c2da9ece87e
SHA1: ab474a3c06831b4f673f400f912f77cd3fd154fd
SHA256: 2952319efa611dd3cd0704bd8bf3f6bce423cd88aace8e28e51b19c672d209cf
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: YWwcRHSpbw.exe Avira: detected
Source: http://talesofpirates.net/tmp/index.php Avira URL Cloud: Label: malware
Source: http://sodez.ru/tmp/index.php Avira URL Cloud: Label: malware
Source: http://nidoe.org/tmp/index.php Avira URL Cloud: Label: malware
Source: http://uama.com.ua/tmp/index.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\twiufas Avira: detection malicious, Label: HEUR/AGEN.1313018
Source: 0000000E.00000002.2342383112.0000000000C80000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}
Source: C:\Users\user\AppData\Roaming\twiufas ReversingLabs: Detection: 81%
Source: YWwcRHSpbw.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\twiufas Joe Sandbox ML: detected
Source: YWwcRHSpbw.exe Joe Sandbox ML: detected
Source: YWwcRHSpbw.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\najubaxelu\rafusa.pdb source: YWwcRHSpbw.exe, twiufas.7.dr
Source: Binary string: 0YC:\najubaxelu\rafusa.pdb source: YWwcRHSpbw.exe, twiufas.7.dr

Networking

Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49708 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49709 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49710 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49711 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49712 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49713 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49714 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49715 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49717 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49718 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49719 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49720 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49721 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49722 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49723 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49724 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49725 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49726 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49727 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49728 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49729 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49730 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49731 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49732 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49733 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49734 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49735 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49736 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49737 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49738 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49739 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49740 -> 187.211.208.213:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49741 -> 2.180.10.7:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49742 -> 2.180.10.7:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49743 -> 2.180.10.7:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49744 -> 2.180.10.7:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49745 -> 2.180.10.7:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49746 -> 2.180.10.7:80
Source: C:\Windows\explorer.exe Network Connect: 2.180.10.7 80
Source: C:\Windows\explorer.exe Network Connect: 187.211.208.213 80
Source: Malware configuration extractor URLs: http://nidoe.org/tmp/index.php
Source: Malware configuration extractor URLs: http://sodez.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://uama.com.ua/tmp/index.php
Source: Malware configuration extractor URLs: http://talesofpirates.net/tmp/index.php
Source: Joe Sandbox View IP Address: 2.180.10.7
Source: Joe Sandbox View ASN Name: TCIIR
Source: Joe Sandbox View ASN Name: UninetSAdeCVMX
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pupsyyqhnyuu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 185 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://knxhgptouprbniih.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 330 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://emyurlqcjjyj.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 329 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ejbjebnoyfri.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bwysdrtpablfgl.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 262 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uofkobqxixbfk.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 206 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fcuywombggrafjib.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 224 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ynktcenwpam.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 253 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uvmhklgullnvt.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 340 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rvkwbvhuhtjbr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 360 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://momncwwqinyqtp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 277 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://roylvkurbui.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 261 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wpiwrcrirxduh.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 276 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://oihhrvgcybvcsuxi.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 174 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rrqnkwtyoabmogph.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 202 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://edieevlfgkkls.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 201 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jmclafrxoobmieku.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 179 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kypbrgoejmtypjld.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 146 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gmnbaopyagukh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 346 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nfhkllysrbr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 328 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lyvyflfisyah.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 157 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://arpnixxgabsm.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 142 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fqsxiiurjreg.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 211 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://aejfdfxpfervxw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 118 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fmuksxchfhia.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 326 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://cwgamrfxlonyha.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 128 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://icollummmgr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 141 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xadirvaessjoufrs.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 342 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nycxtrjfegyhmkwh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 329 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nlprikrcsqcwcx.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 322 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://goxggajhtahiors.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 217 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lqiladfddekdv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 220 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fwfgljdxisppjhs.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 245 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wwlupdikxjrxjim.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 360 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pllsurjetsi.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 329 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mgejyfixlvh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 291 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vesjqmoimso.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 218 | Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dafyvrphumoidoi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 244 | Host: nidoe.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: nidoe.org
Source: unknown HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pupsyyqhnyuu.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 185 | Host: nidoe.org
Source: explorer.exe, 00000007.00000000.1351615775.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1351615775.0000000008685000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000000.1351615775.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1351615775.0000000008685000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000000.1351615775.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1351615775.0000000008685000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000000.1351615775.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1351615775.0000000008685000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000000.1349386300.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1350900086.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1351425713.00000000082D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000007.00000000.1355240359.000000000C1EB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micros1D
Source: explorer.exe, 00000007.00000000.1351529116.00000000085D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000007.00000000.1353996410.000000000BD22000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 00000007.00000000.1353996410.000000000BE32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000000.1353996410.000000000BE32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 00000007.00000000.1353996410.000000000BE32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 00000007.00000000.1353996410.000000000BE32000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 00000007.00000000.1351615775.0000000008796000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/rT
Source: explorer.exe, 00000007.00000000.1351615775.000000000862F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1351615775.0000000008685000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 00000007.00000000.1351615775.0000000008796000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1349498186.0000000002F10000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.1351615775.0000000008685000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 00000007.00000000.1353996410.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000007.00000000.1353996410.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 00000007.00000000.1353996410.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1351615775.000000000899E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000007.00000000.1353996410.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.yelp.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 0000000B.00000002.1602661016.0000000002761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2342383112.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361136760.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361171360.0000000002751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2345420365.0000000000DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1602567802.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0000000B.00000002.1602547599.0000000002620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.1602661016.0000000002761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.2342383112.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.1361119076.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000E.00000002.2342305962.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.1361136760.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.1360962326.0000000000B1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.2346010984.0000000000E22000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.1361171360.0000000002751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.1602463145.0000000000C4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.2345420365.0000000000DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.1602567802.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_004013ED NtAllocateVirtualMemory,GlobalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 1_2_004013ED
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 1_2_00401507
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 1_2_00401518
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_0040141C NtAllocateVirtualMemory,GlobalAlloc, 1_2_0040141C
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 1_2_0040151C
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_0040142C NtAllocateVirtualMemory,GlobalAlloc, 1_2_0040142C
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_004032D5 RtlInitUnicodeString,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower, 1_2_004032D5
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 1_2_004014E2
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_004013EC NtAllocateVirtualMemory,GlobalAlloc, 1_2_004013EC
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 1_2_004014ED
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_004013F9 NtAllocateVirtualMemory,GlobalAlloc, 1_2_004013F9
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00402381 NtQuerySystemInformation, 1_2_00402381
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_004013ED NtAllocateVirtualMemory,GlobalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 11_2_004013ED
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401507
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401518
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_0040141C NtAllocateVirtualMemory,GlobalAlloc, 11_2_0040141C
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 11_2_0040151C
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_0040142C NtAllocateVirtualMemory,GlobalAlloc, 11_2_0040142C
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_004032D5 RtlInitUnicodeString,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower, 11_2_004032D5
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 11_2_004014E2
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_004013EC NtAllocateVirtualMemory,GlobalAlloc, 11_2_004013EC
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 11_2_004014ED
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_004013F9 NtAllocateVirtualMemory,GlobalAlloc, 11_2_004013F9
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00402381 NtQuerySystemInformation, 11_2_00402381
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_004013ED NtAllocateVirtualMemory,GlobalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 14_2_004013ED
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 14_2_00401507
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 14_2_00401518
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_0040141C NtAllocateVirtualMemory,GlobalAlloc, 14_2_0040141C
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 14_2_0040151C
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_0040142C NtAllocateVirtualMemory,GlobalAlloc, 14_2_0040142C
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 14_2_004014E2
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_004013EC NtAllocateVirtualMemory,GlobalAlloc, 14_2_004013EC
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, 14_2_004014ED
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_004013F9 NtAllocateVirtualMemory,GlobalAlloc, 14_2_004013F9
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00402381 NtQuerySystemInformation, 14_2_00402381
Source: YWwcRHSpbw.exe, 00000001.00000002.1360880018.0000000000AE4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRight2 vs YWwcRHSpbw.exe
Source: YWwcRHSpbw.exe Binary or memory string: OriginalFilenameRight2 vs YWwcRHSpbw.exe
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Users\user\AppData\Roaming\twiufas Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\twiufas Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\twiufas Section loaded: msvcr100.dll
Source: YWwcRHSpbw.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000B.00000002.1602547599.0000000002620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.1602661016.0000000002761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.2342383112.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.1361119076.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000E.00000002.2342305962.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.1361136760.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.1360962326.0000000000B1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.2346010984.0000000000E22000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.1361171360.0000000002751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.1602463145.0000000000C4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.2345420365.0000000000DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.1602567802.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/2@8/2
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00B24F9A CreateToolhelp32Snapshot,Module32First, 1_2_00B24F9A
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\twiufas
Source: YWwcRHSpbw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YWwcRHSpbw.exe ReversingLabs: Detection: 81%
Source: unknown Process created: C:\Users\user\Desktop\YWwcRHSpbw.exe "C:\Users\user\Desktop\YWwcRHSpbw.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\twiufas C:\Users\user\AppData\Roaming\twiufas
Source: unknown Process created: C:\Users\user\AppData\Roaming\twiufas C:\Users\user\AppData\Roaming\twiufas
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: YWwcRHSpbw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\najubaxelu\rafusa.pdb source: YWwcRHSpbw.exe, twiufas.7.dr
Source: Binary string: 0YC:\najubaxelu\rafusa.pdb source: YWwcRHSpbw.exe, twiufas.7.dr

Data Obfuscation

Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Unpacked PE file: 1.2.YWwcRHSpbw.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\twiufas Unpacked PE file: 11.2.twiufas.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\twiufas Unpacked PE file: 14.2.twiufas.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00401205 push ecx; iretd 1_2_00401211
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00401735 push eax; retf 1_2_00401737
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_004031E3 push eax; ret 1_2_004032BE
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00B2C9B9 push edx; ret 1_2_00B2C9BE
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00B293DA push cs; retf 1_2_00B293DB
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00B25C37 push ecx; iretd 1_2_00B25C43
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00B2C644 push edx; retf 1_2_00B2C645
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_0272126C push ecx; iretd 1_2_02721278
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00401205 push ecx; iretd 11_2_00401211
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00401735 push eax; retf 11_2_00401737
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_004031E3 push eax; ret 11_2_004032BE
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00C5518F push ecx; iretd 11_2_00C5519B
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00C5BB9C push edx; retf 11_2_00C5BB9D
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00C5BF11 push edx; ret 11_2_00C5BF16
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00C58932 push cs; retf 11_2_00C58933
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_0262126C push ecx; iretd 11_2_02621278
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00401205 push ecx; iretd 14_2_00401211
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00401735 push eax; retf 14_2_00401737
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_004031E3 push eax; ret 14_2_004032BE
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00C7126C push ecx; iretd 14_2_00C71278
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00E2DBDA push cs; retf 14_2_00E2DBDB
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00E311B9 push edx; ret 14_2_00E311BE
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00E30E44 push edx; retf 14_2_00E30E45
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00E2A437 push ecx; iretd 14_2_00E2A443
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\twiufas (dropped file)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\ywwcrhspbw.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\twiufas:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\twiufas Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: twiufas Binary or memory string: ASWHOOK
Source: twiufas, 0000000E.00000002.2345876701.0000000000E17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK0H
Source: YWwcRHSpbw.exe, 00000001.00000002.1360901357.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOKD
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 421
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2659
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 797
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 364
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 359
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1973
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 890
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 860
Source: C:\Windows\explorer.exe TID: 7288 Thread sleep count: 421 > 30
Source: C:\Windows\explorer.exe TID: 7296 Thread sleep count: 2659 > 30
Source: C:\Windows\explorer.exe TID: 7296 Thread sleep time: -265900s >= -30000s
Source: C:\Windows\explorer.exe TID: 7292 Thread sleep count: 797 > 30
Source: C:\Windows\explorer.exe TID: 7292 Thread sleep time: -79700s >= -30000s
Source: C:\Windows\explorer.exe TID: 7640 Thread sleep count: 364 > 30
Source: C:\Windows\explorer.exe TID: 7640 Thread sleep time: -36400s >= -30000s
Source: C:\Windows\explorer.exe TID: 7636 Thread sleep count: 269 > 30
Source: C:\Windows\explorer.exe TID: 7644 Thread sleep count: 359 > 30
Source: C:\Windows\explorer.exe TID: 7644 Thread sleep time: -35900s >= -30000s
Source: C:\Windows\explorer.exe TID: 7296 Thread sleep count: 1973 > 30
Source: C:\Windows\explorer.exe TID: 7296 Thread sleep time: -197300s >= -30000s
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1351615775.000000000888E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 00000007.00000000.1351615775.0000000008979000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00`
Source: explorer.exe, 00000007.00000000.1351615775.00000000087C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000007.00000000.1351615775.0000000008796000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWe
Source: explorer.exe, 00000007.00000000.1351615775.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1351615775.00000000087C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.1348844310.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: explorer.exe, 00000007.00000000.1351615775.00000000087C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: explorer.exe, 00000007.00000000.1351615775.00000000088E6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000000.1351615775.00000000088E6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 00000007.00000000.1348844310.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000000.1351615775.00000000088E6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1348844310.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1351615775.00000000088E6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\YWwcRHSpbw.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\twiufas System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\twiufas Process queried: DebugPort
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_00B24877 push dword ptr fs:[00000030h] 1_2_00B24877
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_0272092B mov eax, dword ptr fs:[00000030h] 1_2_0272092B
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Code function: 1_2_02720D90 mov eax, dword ptr fs:[00000030h] 1_2_02720D90
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_00C53DCF push dword ptr fs:[00000030h] 11_2_00C53DCF
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_0262092B mov eax, dword ptr fs:[00000030h] 11_2_0262092B
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 11_2_02620D90 mov eax, dword ptr fs:[00000030h] 11_2_02620D90
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00C70D90 mov eax, dword ptr fs:[00000030h] 14_2_00C70D90
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00C7092B mov eax, dword ptr fs:[00000030h] 14_2_00C7092B
Source: C:\Users\user\AppData\Roaming\twiufas Code function: 14_2_00E29077 push dword ptr fs:[00000030h] 14_2_00E29077

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: twiufas.7.dr
Source: C:\Windows\explorer.exe Network Connect: 2.180.10.7 80
Source: C:\Windows\explorer.exe Network Connect: 187.211.208.213 80
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Thread created: C:\Windows\explorer.exe EIP: 8C619D0
Source: C:\Users\user\AppData\Roaming\twiufas Thread created: unknown EIP: B619D0
Source: C:\Users\user\AppData\Roaming\twiufas Thread created: unknown EIP: 24C19D0
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\twiufas Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\twiufas Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: explorer.exe, 00000007.00000000.1349169464.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.1351615775.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1350120128.0000000004480000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1349169464.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.1349169464.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.1349169464.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.1348844310.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanq

Stealing of Sensitive Information

Source: Yara match File source: 0000000B.00000002.1602661016.0000000002761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2342383112.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361136760.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361171360.0000000002751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2345420365.0000000000DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1602567802.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0000000B.00000002.1602661016.0000000002761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2342383112.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361136760.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1361171360.0000000002751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2345420365.0000000000DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1602567802.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY