Windows Analysis Report
2LksWs2xq7.exe

Overview

General Information

Sample name: 2LksWs2xq7.exe
renamed because original name is a hash value
Original sample name: 516547ec4cca7f8038998b6f3c9d95b2.exe
Analysis ID: 1417244
MD5: 516547ec4cca7f8038998b6f3c9d95b2
SHA1: 41dbc19f9f6ce4279bfbef5e05ae7acb28771f8c
SHA256: fd602cbf605a4f9baffac0737c13291635ad0019567db051809d5bf8823dce5b
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Execution of Suspicious File Type Extension
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 2LksWs2xq7.exe Avira: detected
Antivirus detection for URL or domain
Source: http://nidoe.org/tmp/index.php Avira URL Cloud: Label: malware
Source: http://sodez.ru/tmp/index.php Avira URL Cloud: Label: malware
Source: http://uama.com.ua/tmp/index.php Avira URL Cloud: Label: malware
Source: http://talesofpirates.net/tmp/index.php Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\thjwhdg Avira: detection malicious, Label: HEUR/AGEN.1352954
Found malware configuration
Source: 00000006.00000002.2363788041.0000000002170000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nidoe.org/tmp/index.php", "http://sodez.ru/tmp/index.php", "http://uama.com.ua/tmp/index.php", "http://talesofpirates.net/tmp/index.php"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\thjwhdg ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: 2LksWs2xq7.exe ReversingLabs: Detection: 60%
Uses 32bit PE files
Source: 2LksWs2xq7.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2LksWs2xq7.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49706 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49707 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49708 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49709 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49710 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49711 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49712 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49713 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49716 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49717 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49718 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49719 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49720 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49721 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49722 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49723 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49724 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49725 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49726 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49727 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49728 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49729 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49730 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49731 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49732 -> 175.119.10.231:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49733 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49734 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49735 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49736 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49737 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49738 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49739 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49740 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49741 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49742 -> 95.86.30.3:80
Source: Traffic Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49743 -> 95.86.30.3:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 175.119.10.231 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 95.86.30.3 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://nidoe.org/tmp/index.php
Source: Malware configuration extractor URLs: http://sodez.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://uama.com.ua/tmp/index.php
Source: Malware configuration extractor URLs: http://talesofpirates.net/tmp/index.php
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 95.86.30.3 95.86.30.3
Source: Joe Sandbox View IP Address: 175.119.10.231 175.119.10.231
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: INEL-AS-MK INEL-AS-MK
Source: Joe Sandbox View ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pnvlycbcghcgkrg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://guhupprhkfxteykm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 161Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://swykuolavcpkeu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cfpmhjbtnnspkr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 257Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rcwcjwtgqtrk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://eecygbqkuixd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gvpptbbjhqwtbt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://habidwgrhaptyh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fkfhpisoqfsv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 352Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://opponcvxitldw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lfwvuxydloyjiti.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gaduqfhesnk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://htwwypuseixblj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://chqqpchquyhotgm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xrirccluksou.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://loxowxqkfdy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 132Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wfkknmjwnemmu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 110Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dgknnrdhkjobn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tlyylwwlslj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cljdrbjyegucspt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hsqaxvfmigrauoy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 300Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nvkgstredaturd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xnkrseavrjhu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jcoflffblunqqh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bjhxhpxfxsas.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sqqiwatcqnjc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 232Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xbaflojmyub.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yhjwrvnjbebdsr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hpdqhjtffpefc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 209Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://paalhvtscxhk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hyqcvlmvqexo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://toqaaeutvgeyb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dpucdofclcoryi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rihptgebjpcvg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rqqhdxchyrra.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 186Host: nidoe.org
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pvwypqverqnt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: nidoe.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: nidoe.org
Source: unknown HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pnvlycbcghcgkrg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 350Host: nidoe.org
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2113619525.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2116271105.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2116287304.0000000007B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2117570355.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.2119446650.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000002.00000000.2119446650.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000002.00000000.2119446650.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000002.00000000.2119446650.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2117570355.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000002.00000000.2119446650.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000006.00000002.2363788041.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2128140620.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2127986796.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2363822489.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.2363719760.00000000006D1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2127934835.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2363788041.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2128140620.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2128058168.0000000000801000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2363770795.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2127986796.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2363822489.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_004013ED NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004013ED
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401507
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401518
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_0040141C NtAllocateVirtualMemory, 0_2_0040141C
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040151C
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_0040142C NtAllocateVirtualMemory, 0_2_0040142C
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014E2
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_004013EC NtAllocateVirtualMemory, 0_2_004013EC
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014ED
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_004013F9 NtAllocateVirtualMemory, 0_2_004013F9
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_00402381 NtQuerySystemInformation, 0_2_00402381
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_004013ED NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004013ED
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_00401507
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_00401518
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_0040141C NtAllocateVirtualMemory, 6_2_0040141C
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_0040151C
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_0040142C NtAllocateVirtualMemory, 6_2_0040142C
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004014E2
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_004013EC NtAllocateVirtualMemory, 6_2_004013EC
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004014ED
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_004013F9 NtAllocateVirtualMemory, 6_2_004013F9
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_00402381 NtQuerySystemInformation, 6_2_00402381
Tries to load missing DLLs
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Section loaded: msvcr100.dll Jump to behavior
Uses 32bit PE files
Source: 2LksWs2xq7.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000006.00000002.2363719760.00000000006D1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2127934835.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2363788041.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2128140620.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2128058168.0000000000801000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2363770795.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2127986796.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2363822489.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/2@8/2
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_00804B1E CreateToolhelp32Snapshot,Module32First, 0_2_00804B1E
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\thjwhdg Jump to behavior
Source: 2LksWs2xq7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 2LksWs2xq7.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\2LksWs2xq7.exe "C:\Users\user\Desktop\2LksWs2xq7.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\thjwhdg C:\Users\user\AppData\Roaming\thjwhdg
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Unpacked PE file: 0.2.2LksWs2xq7.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\thjwhdg Unpacked PE file: 6.2.thjwhdg.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_00401205 push ecx; iretd 0_2_00401211
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_00401735 push eax; retf 0_2_00401737
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_004031E3 push eax; ret 0_2_004032BE
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_006B126C push ecx; iretd 0_2_006B1278
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_008057BB push ecx; iretd 0_2_008057C7
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_0080C1C8 push edx; retf 0_2_0080C1C9
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_0080C53D push edx; ret 0_2_0080C542
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_00808F5E push cs; retf 0_2_00808F5F
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_00401205 push ecx; iretd 6_2_00401211
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_00401735 push eax; retf 6_2_00401737
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_004031E3 push eax; ret 6_2_004032BE
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_006DBF65 push edx; ret 6_2_006DBF6A
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_006D51E3 push ecx; iretd 6_2_006D51EF
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_006DBBF0 push edx; retf 6_2_006DBBF1
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_006D8986 push cs; retf 6_2_006D8987
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_0216126C push ecx; iretd 6_2_02161278
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\thjwhdg Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\thjwhdg Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\2lksws2xq7.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\thjwhdg:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 2LksWs2xq7.exe, thjwhdg, 00000006.00000002.2363668902.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 437 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1065 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 893 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 361 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3550 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 879 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 863 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3580 Thread sleep count: 437 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2996 Thread sleep count: 1065 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2996 Thread sleep time: -106500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3976 Thread sleep count: 893 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3976 Thread sleep time: -89300s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6556 Thread sleep count: 335 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6444 Thread sleep count: 345 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6444 Thread sleep time: -34500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3236 Thread sleep count: 361 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3236 Thread sleep time: -36100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2996 Thread sleep count: 3550 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2996 Thread sleep time: -355000s >= -30000s Jump to behavior
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000002.00000000.2117570355.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000002.00000000.2119446650.000000000C354000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2117570355.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000002.00000000.2117207484.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000002.00000000.2119446650.000000000C354000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000002.00000000.2119446650.000000000C354000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@]
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000000.2117570355.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000002.00000000.2119446650.000000000C354000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@r
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.2117570355.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\2LksWs2xq7.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\2LksWs2xq7.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg System information queried: CodeIntegrityInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Process queried: DebugPort Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_006B092B mov eax, dword ptr fs:[00000030h] 0_2_006B092B
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_006B0D90 mov eax, dword ptr fs:[00000030h] 0_2_006B0D90
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Code function: 0_2_008043FB push dword ptr fs:[00000030h] 0_2_008043FB
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_006D3E23 push dword ptr fs:[00000030h] 6_2_006D3E23
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_0216092B mov eax, dword ptr fs:[00000030h] 6_2_0216092B
Source: C:\Users\user\AppData\Roaming\thjwhdg Code function: 6_2_02160D90 mov eax, dword ptr fs:[00000030h] 6_2_02160D90

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: thjwhdg.2.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 175.119.10.231 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 95.86.30.3 80 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Thread created: C:\Windows\explorer.exe EIP: 86819D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Thread created: unknown EIP: 2F219D0 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\2LksWs2xq7.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\thjwhdg Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: explorer.exe, 00000002.00000000.2113548191.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: explorer.exe, 00000002.00000000.2113548191.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2114339773.00000000048E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2113548191.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +Progman
Source: explorer.exe, 00000002.00000000.2113548191.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2117570355.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd31A

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000006.00000002.2363788041.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2128140620.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2127986796.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2363822489.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000006.00000002.2363788041.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2128140620.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2127986796.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2363822489.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417244 Sample: 2LksWs2xq7.exe Startdate: 28/03/2024 Architecture: WINDOWS Score: 100 21 nidoe.org 2->21 27 Snort IDS alert for network traffic 2->27 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 6 other signatures 2->33 7 2LksWs2xq7.exe 2->7         started        10 thjwhdg 2->10         started        signatures3 process4 signatures5 35 Detected unpacking (changes PE section rights) 7->35 37 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->37 39 Maps a DLL or memory area into another process 7->39 41 Creates a thread in another existing process (thread injection) 7->41 12 explorer.exe 63 3 7->12 injected 43 Antivirus detection for dropped file 10->43 45 Multi AV Scanner detection for dropped file 10->45 47 Checks if the current machine is a virtual machine (disk enumeration) 10->47 process6 dnsIp7 23 nidoe.org 175.119.10.231, 49706, 49707, 49708 SKB-ASSKBroadbandCoLtdKR Korea Republic of 12->23 25 95.86.30.3, 49733, 49734, 49735 INEL-AS-MK Macedonia 12->25 17 C:\Users\user\AppData\Roaming\thjwhdg, PE32 12->17 dropped 19 C:\Users\user\...\thjwhdg:Zone.Identifier, ASCII 12->19 dropped 49 System process connects to network (likely due to code injection or exploit) 12->49 51 Benign windows process drops PE files 12->51 53 Deletes itself after installation 12->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->55 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
95.86.30.3
 unknown Macedonia
49056 INEL-AS-MK true
175.119.10.231
 nidoe.org Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true

Contacted Domains

Name IP Active
nidoe.org 175.119.10.231 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://talesofpirates.net/tmp/index.php true
  • Avira URL Cloud: malware
 unknown
http://uama.com.ua/tmp/index.php true
  • Avira URL Cloud: malware
 unknown
http://sodez.ru/tmp/index.php true
  • Avira URL Cloud: malware
 unknown
http://nidoe.org/tmp/index.php true
  • Avira URL Cloud: malware
 unknown