Windows Analysis Report 1RMZ62tUAl.exe

Overview

General Information

Sample Name: 1RMZ62tUAl.exe
Analysis ID: 524302
MD5: 8696a4269e30ddb34a7e0e84629ede03
SHA1: 125198e1f636ef118e468145d02e801a3ffe2a97
SHA256: 47ec411eab0aa15619f24caa6256ed4ca5cfc695a26f5b71830b53b07c22b05b
Tags: exe

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if browser processes are running
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to compare user and computer (likely to detect sandboxes)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://rsuehfidvdkfvk.top/", "http://rsuehfidvdkfvk.top/"]}
Multi AV Scanner detection for submitted file
Source: 1RMZ62tUAl.exe Virustotal: Detection: 46%
Multi AV Scanner detection for domain / URL
Source: iosoftware.org Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\favdejf ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: 1RMZ62tUAl.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\favdejf Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E83364 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW, 19_2_02E83364
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E83171 StrRChrIW,StrRChrIW,StrRChrIW,StrRChrIW,RtlCompareMemory,CryptUnprotectData, 19_2_02E83171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E83696 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW, 19_2_02E83696
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E81289 StrRChrIW,lstrlen,CryptStringToBinaryA,CryptStringToBinaryA, 19_2_02E81289
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E8122F lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW, 19_2_02E8122F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E811E6 CryptBinaryToStringA,CryptBinaryToStringA, 19_2_02E811E6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E8213A CryptUnprotectData,RtlMoveMemory, 19_2_02E8213A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_0011118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 22_2_0011118D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_0011165C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 22_2_0011165C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 24_2_027D263E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 24_2_027D245E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D2404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA, 24_2_027D2404
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_00331EA2 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 26_2_00331EA2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D126D CryptBinaryToStringA,CryptBinaryToStringA, 28_2_027D126D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D25A4 CryptBinaryToStringA,CryptBinaryToStringA, 29_2_027D25A4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 29_2_027D2799
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D1314 lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 31_2_027D1314

Compliance:

Uses 32bit PE files
Source: 1RMZ62tUAl.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\rorefeb\45\xabev\wok_kedage 44_dehawovexan.pdb source: 1RMZ62tUAl.exe
Source: Binary string: C:\rorefeb\45\xabev\wok_kedage 44_dehawovexan.pdbP source: 1RMZ62tUAl.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E81EBA FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,FindNextFileW,FindClose, 19_2_02E81EBA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82C81 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 19_2_02E82C81
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001114D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 22_2_001114D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001113FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 22_2_001113FE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1939 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,wsprintfW,wsprintfW,RtlZeroMemory,lstrcat,StrToIntA,PathMatchSpecW,FindNextFileW,FindClose, 28_2_027D1939
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1FFD FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 28_2_027D1FFD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D217C FindFirstFileW,FindNextFileW,FindClose, 28_2_027D217C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1B5B GetTempPathW,lstrcatW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,wsprintfW,CreateFileW,GetFileSize,ReadFile,CloseHandle,DeleteFileW, 28_2_027D1B5B
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 5.188.88.118 80
Source: C:\Windows\SysWOW64\explorer.exe Domain query: rsuehfidvdkfvk.top
Source: C:\Windows\explorer.exe Domain query: iosoftware.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://rsuehfidvdkfvk.top/
Source: Malware configuration extractor URLs: http://rsuehfidvdkfvk.top/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PINDC-ASRU PINDC-ASRU
Source: Joe Sandbox View ASN Name: HOSTKEY-USAUS HOSTKEY-USAUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oidhj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wjigjxv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mrirybsj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tmmykkqa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rsuehfidvdkfvk.top/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 423Host: rsuehfidvdkfvk.top
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Nov 2021 09:44:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Nov 2021 09:44:31 GMTContent-Type: text/html; charset=utf-8Content-Length: 43Connection: closeData Raw: 00 00 a5 82 9a e9 e7 a9 cb d5 14 c4 95 94 67 85 c2 1f 10 97 c9 73 e0 ad 1c 27 e0 bf bd 15 ad 68 5d fb 0c 2c 85 07 1f d1 2c 50 d3 Data Ascii: gs'h],,P
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Nov 2021 09:44:50 GMTContent-Type: text/html; charset=utf-8Content-Length: 46Connection: closeData Raw: 00 00 a5 82 9a e9 e7 a9 cb d5 14 c4 95 94 67 85 c2 1f 10 97 c9 73 e0 ad 1c 27 e0 bf bd 15 ad 68 5d fb 2c 30 82 06 0a 92 71 1e 98 ef c5 4a Data Ascii: gs'h],0qJ
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 18 Nov 2021 09:45:16 GMTContent-Type: text/html; charset=utf-8Content-Length: 406Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at rsuehfidvdkfvk.top Port 80</address></body></html>
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp, explorer.exe, 00000014.00000002.482205642.00000000011F0000.00000004.00000020.sdmp, explorer.exe, 00000015.00000002.561502388.0000000002BA8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000002.562589266.0000000002BD8000.00000004.00000020.sdmp, explorer.exe, 00000017.00000002.555930517.00000000007E0000.00000004.00000020.sdmp, explorer.exe, 00000018.00000000.500674063.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 00000019.00000000.505280148.0000000000EA0000.00000040.00020000.sdmp, explorer.exe, 0000001A.00000000.511253478.0000000000340000.00000040.00020000.sdmp, explorer.exe, 0000001B.00000002.555867484.0000000000760000.00000004.00000020.sdmp, explorer.exe, 0000001D.00000000.525714592.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 0000001E.00000002.555950745.0000000001376000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000002.561863769.0000000002CC8000.00000004.00000020.sdmp String found in binary or memory: http://rsuehfidvdkfvk.top/
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp String found in binary or memory: http://rsuehfidvdkfvk.top/:
Source: explorer.exe, 00000014.00000002.482205642.00000000011F0000.00000004.00000020.sdmp, explorer.exe, 00000015.00000002.561502388.0000000002BA8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000002.562589266.0000000002BD8000.00000004.00000020.sdmp, explorer.exe, 00000017.00000002.555930517.00000000007E0000.00000004.00000020.sdmp, explorer.exe, 00000018.00000000.500674063.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 00000019.00000000.505280148.0000000000EA0000.00000040.00020000.sdmp, explorer.exe, 00000019.00000002.555816764.0000000000EE8000.00000004.00000020.sdmp, explorer.exe, 0000001A.00000000.511253478.0000000000340000.00000040.00020000.sdmp, explorer.exe, 0000001B.00000002.555867484.0000000000760000.00000004.00000020.sdmp, explorer.exe, 0000001B.00000000.516205138.0000000000600000.00000040.00020000.sdmp, explorer.exe, 0000001D.00000000.525714592.00000000027E0000.00000040.00020000.sdmp, explorer.exe, 0000001E.00000002.555950745.0000000001376000.00000004.00000020.sdmp, explorer.exe, 0000001E.00000000.530597579.0000000001290000.00000040.00020000.sdmp, explorer.exe, 0000001F.00000002.561863769.0000000002CC8000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.535523393.00000000027E0000.00000040.00020000.sdmp String found in binary or memory: http://rsuehfidvdkfvk.top/Mozilla/5.0
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp String found in binary or memory: http://rsuehfidvdkfvk.top/application/x-www-form-urlencodedMozilla/5.0
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oidhj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: rsuehfidvdkfvk.top
Source: unknown DNS traffic detected: queries for: rsuehfidvdkfvk.top

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.424469148.0000000003C21000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.345433901.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.424450951.0000000003C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.357762865.0000000002181000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.559721619.00000000027D1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.555611191.0000000000111000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.555126531.0000000000311000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.555346763.0000000000E91000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6908, type: MEMORYSTR
Creates a DirectInput object (often for capturing keystrokes)
Source: 1RMZ62tUAl.exe, 00000001.00000002.357794252.00000000021DA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D162B GetKeyboardState,ToUnicode, 29_2_027D162B

E-Banking Fraud:

Checks if browser processes are running
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, firefox.exe 22_2_001137BC
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, iexplore.exe 22_2_001137BC
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, microsoftedgecp.exe 22_2_001137BC
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, chrome.exe 22_2_001137BC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D226C CreateDesktopW,SetThreadDesktop,RtlZeroMemory,RtlZeroMemory,CreateProcessW,ResumeThread, 31_2_027D226C

System Summary:

Uses 32bit PE files
Source: 1RMZ62tUAl.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains functionality to shutdown / reboot the system
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_00241351 RtlAdjustPrivilege,ExitWindowsEx, 21_2_00241351
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D2171 StrStrIW,StrStrIW,RtlZeroMemory,ShellExecuteExW,StrStrIW,RtlAdjustPrivilege,ExitWindowsEx, 31_2_027D2171
Detected potential crypto function
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82304 19_2_02E82304
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E9B520 19_2_02E9B520
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02EA5AAA 19_2_02EA5AAA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E86A0C 19_2_02E86A0C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E9AEFE 19_2_02E9AEFE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E8BE9B 19_2_02E8BE9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02ED3FDA 19_2_02ED3FDA
Source: C:\Windows\explorer.exe Code function: 20_2_00DF1E20 20_2_00DF1E20
Source: C:\Windows\explorer.exe Code function: 23_2_00312C18 23_2_00312C18
Source: C:\Windows\explorer.exe Code function: 23_2_00312308 23_2_00312308
Source: C:\Windows\explorer.exe Code function: 25_2_00E92860 25_2_00E92860
Source: C:\Windows\explorer.exe Code function: 25_2_00E92054 25_2_00E92054
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_003331E4 26_2_003331E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_003330E8 26_2_003330E8
Source: C:\Windows\explorer.exe Code function: 27_2_003F2154 27_2_003F2154
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D803C 28_2_027D803C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DC392 28_2_027DC392
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DE95C 28_2_027DE95C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D3D28 28_2_027D3D28
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DF9F4 28_2_027DF9F4
Source: C:\Windows\explorer.exe Code function: 30_2_01282A04 30_2_01282A04
Source: C:\Windows\explorer.exe Code function: 30_2_012820F4 30_2_012820F4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D2ADD 31_2_027D2ADD
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 027D8E70 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 02E87B12 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 02E883A3 appears 40 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_004019BC Sleep,NtTerminateProcess, 1_2_004019BC
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_004019C7 Sleep,NtTerminateProcess, 1_2_004019C7
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_004018E6 Sleep,NtTerminateProcess, 1_2_004018E6
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_004019BC Sleep,NtTerminateProcess, 10_2_004019BC
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_004019C7 Sleep,NtTerminateProcess, 10_2_004019C7
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_004018E6 Sleep,NtTerminateProcess, 10_2_004018E6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E84734 RtlMoveMemory,NtUnmapViewOfSection, 19_2_02E84734
Source: C:\Windows\explorer.exe Code function: 20_2_00DF38A4 NtUnmapViewOfSection, 20_2_00DF38A4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_00241016 RtlMoveMemory,NtUnmapViewOfSection,wsprintfA,RtlMoveMemory,lstrlen,RtlZeroMemory,RtlMoveMemory,RtlZeroMemory,Sleep, 21_2_00241016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00113C89 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection, 22_2_00113C89
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00111F9A NtCreateSection,NtMapViewOfSection, 22_2_00111F9A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00112031 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 22_2_00112031
Source: C:\Windows\explorer.exe Code function: 23_2_00315014 RtlAllocateHeap,NtUnmapViewOfSection, 23_2_00315014
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep, 24_2_027D1016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D1819 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 24_2_027D1819
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D1A80 NtCreateSection,NtMapViewOfSection, 24_2_027D1A80
Source: C:\Windows\explorer.exe Code function: 25_2_00E9355C RtlAllocateHeap,NtUnmapViewOfSection, 25_2_00E9355C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_00331016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 26_2_00331016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_003315FE lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 26_2_003315FE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_00331865 NtCreateSection,NtMapViewOfSection, 26_2_00331865
Source: C:\Windows\explorer.exe Code function: 27_2_003F2B00 RtlAllocateHeap,NtUnmapViewOfSection, 27_2_003F2B00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1EBE RtlMoveMemory,NtUnmapViewOfSection, 28_2_027D1EBE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep, 29_2_027D1016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 29_2_027D18BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D1B26 NtCreateSection,NtMapViewOfSection, 29_2_027D1B26
Source: C:\Windows\explorer.exe Code function: 30_2_0128370C RtlAllocateHeap,NtUnmapViewOfSection, 30_2_0128370C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D26A9 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection, 31_2_027D26A9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D1CEF OpenProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 31_2_027D1CEF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 31_2_027D1C58 NtCreateSection,NtMapViewOfSection, 31_2_027D1C58
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: 1RMZ62tUAl.exe Virustotal: Detection: 46%
Source: 1RMZ62tUAl.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\1RMZ62tUAl.exe "C:\Users\user\Desktop\1RMZ62tUAl.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\favdejf C:\Users\user\AppData\Roaming\favdejf
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\favdejf
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\6128.tmp
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@15/6@7/2
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_002411EC CreateToolhelp32Snapshot,Process32First,lstrcmpi,Process32Next,CloseHandle, 21_2_002411EC
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Command line argument: \H 1_2_0042EC10
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Command line argument: BW? 1_2_0042EC10
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Command line argument: lipupacuye 1_2_0042EC10
Source: C:\Users\user\AppData\Roaming\favdejf Command line argument: \H 10_2_0042EC10
Source: C:\Users\user\AppData\Roaming\favdejf Command line argument: BW? 10_2_0042EC10
Source: C:\Users\user\AppData\Roaming\favdejf Command line argument: lipupacuye 10_2_0042EC10
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1RMZ62tUAl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\rorefeb\45\xabev\wok_kedage 44_dehawovexan.pdb source: 1RMZ62tUAl.exe
Source: Binary string: C:\rorefeb\45\xabev\wok_kedage 44_dehawovexan.pdbP source: 1RMZ62tUAl.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Unpacked PE file: 1.2.1RMZ62tUAl.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\favdejf Unpacked PE file: 10.2.favdejf.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_00402F29 push 00002ECAh; retf 002Eh 1_2_00402F4F
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_0042E3F0 push ecx; mov dword ptr [esp], 00000002h 1_2_0042E3F1
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_021F24F8 push D95CF5DBh; retf 1_2_021F24FD
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_021F3949 push ebp; iretd 1_2_021F3955
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_00402F29 push 00002ECAh; retf 002Eh 10_2_00402F4F
Source: C:\Users\user\AppData\Roaming\favdejf Code function: 10_2_0042E3F0 push ecx; mov dword ptr [esp], 00000002h 10_2_0042E3F1
Source: C:\Windows\explorer.exe Code function: 20_2_00DF14D4 push esi; ret 20_2_00DF14D6
Source: C:\Windows\explorer.exe Code function: 20_2_00DF1405 push esi; ret 20_2_00DF1407
Source: C:\Windows\explorer.exe Code function: 20_2_00DF47B7 push esp; iretd 20_2_00DF47B8
Source: C:\Windows\explorer.exe Code function: 20_2_00DFA119 push ds; ret 20_2_00DFA11A
Source: C:\Windows\explorer.exe Code function: 20_2_00DF9B16 push esp; iretd 20_2_00DF9B17
Source: C:\Windows\explorer.exe Code function: 20_2_00DFA1B3 push ss; rep ret 20_2_00DFA258
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_00242227 push esp; iretd 21_2_00242228
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00114FC7 push esp; iretd 22_2_00114FC8
Source: C:\Windows\explorer.exe Code function: 23_2_00311405 push esi; ret 23_2_00311407
Source: C:\Windows\explorer.exe Code function: 23_2_00316198 push eax; retf 23_2_00316199
Source: C:\Windows\explorer.exe Code function: 23_2_003114D4 push esi; ret 23_2_003114D6
Source: C:\Windows\explorer.exe Code function: 23_2_003170C7 push esp; iretd 23_2_003170C8
Source: C:\Windows\explorer.exe Code function: 23_2_0031CAD8 push esp; iretd 23_2_0031CAD9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_027D3417 push esp; iretd 24_2_027D3418
Source: C:\Windows\explorer.exe Code function: 25_2_00E914D4 push esi; ret 25_2_00E914D6
Source: C:\Windows\explorer.exe Code function: 25_2_00E945A7 push esp; iretd 25_2_00E945A8
Source: C:\Windows\explorer.exe Code function: 25_2_00E91405 push esi; ret 25_2_00E91407
Source: C:\Windows\explorer.exe Code function: 27_2_003F14D4 push esi; ret 27_2_003F14D6
Source: C:\Windows\explorer.exe Code function: 27_2_003F1405 push esi; ret 27_2_003F1407
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D8EB5 push ecx; ret 28_2_027D8EC8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027F4E2C push eax; ret 28_2_027F4DF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027F4C63 push eax; ret 28_2_027F4DF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 29_2_027D3627 push esp; iretd 29_2_027D3628
Source: C:\Windows\explorer.exe Code function: 30_2_01281405 push esi; ret 30_2_01281407
Source: C:\Windows\explorer.exe Code function: 30_2_01284817 push esp; iretd 30_2_01284818
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82304 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary, 19_2_02E82304
Source: initial sample Static PE information: section name: .text entropy: 7.06143863939

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\favdejf
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\favdejf

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\1rmz62tual.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\favdejf:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001137BC GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 22_2_001137BC

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 1RMZ62tUAl.exe, 00000001.00000002.357794252.00000000021DA000.00000004.00000020.sdmp Binary or memory string: ASWHOOK0$
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 22_2_001137BC
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\favdejf Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6632 Thread sleep count: 564 > 30
Source: C:\Windows\explorer.exe TID: 6648 Thread sleep count: 261 > 30
Source: C:\Windows\explorer.exe TID: 6628 Thread sleep count: 349 > 30
Source: C:\Windows\explorer.exe TID: 6628 Thread sleep time: -34900s >= -30000s
Source: C:\Windows\explorer.exe TID: 6612 Thread sleep count: 331 > 30
Source: C:\Windows\explorer.exe TID: 1144 Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1680 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001137BC GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 22_2_001137BC
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 564
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E860B4 GetSystemInfo, 19_2_02E860B4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E81EBA FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,FindNextFileW,FindClose, 19_2_02E81EBA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82C81 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 19_2_02E82C81
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001114D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 22_2_001114D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001113FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 22_2_001113FE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1939 wsprintfW,FindFirstFileW,lstrcmpiW,wsprintfW,wsprintfW,wsprintfW,RtlZeroMemory,lstrcat,StrToIntA,PathMatchSpecW,FindNextFileW,FindClose, 28_2_027D1939
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1FFD FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 28_2_027D1FFD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D217C FindFirstFileW,FindNextFileW,FindClose, 28_2_027D217C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D1B5B GetTempPathW,lstrcatW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,wsprintfW,CreateFileW,GetFileSize,ReadFile,CloseHandle,DeleteFileW, 28_2_027D1B5B
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: explorer.exe, 00000006.00000000.336294695.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.322637021.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000006.00000000.336294695.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.332136252.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.332136252.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000013.00000002.485190294.0000000003294000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWtion* 6
Source: explorer.exe, 00000006.00000000.336294695.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\favdejf System information queried: CodeIntegrityInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DCB3A IsDebuggerPresent, 28_2_027DCB3A
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_001137BC GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 22_2_001137BC
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027DE09A RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 28_2_027DE09A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82304 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary, 19_2_02E82304
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E81000 GetProcessHeap,RtlAllocateHeap, 19_2_02E81000
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Code function: 1_2_021ED8D7 push dword ptr fs:[00000030h] 1_2_021ED8D7
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\favdejf Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00111E98 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 22_2_00111E98
Source: C:\Windows\SysWOW64\explorer.exe Code function: 28_2_027D8D3B SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_027D8D3B

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: favdejf.6.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 5.188.88.118 80
Source: C:\Windows\SysWOW64\explorer.exe Domain query: rsuehfidvdkfvk.top
Source: C:\Windows\explorer.exe Domain query: iosoftware.org
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\favdejf Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\favdejf Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\1RMZ62tUAl.exe Thread created: C:\Windows\explorer.exe EIP: 4DE1930
Source: C:\Users\user\AppData\Roaming\favdejf Thread created: unknown EIP: 4EC1930
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\explorer.exe Code function: CreateToolhelp32Snapshot,Process32First,lstrcmpi,Process32Next,CloseHandle, explorer.exe 21_2_002411EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep, explorer.exe 29_2_027D10A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,FindCloseChangeNotification,Sleep, explorer.exe 29_2_027D1016
Source: explorer.exe, 00000006.00000000.342990113.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000006.00000000.312286247.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000002.562776985.0000000003050000.00000002.00020000.sdmp, explorer.exe, 00000016.00000002.562911220.0000000002ED0000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.556994442.0000000000C70000.00000002.00020000.sdmp, explorer.exe, 00000018.00000002.562677135.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.557849351.0000000001750000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.561545851.0000000003160000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000002.557928064.0000000000E10000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.564628449.00000000032E0000.00000002.00020000.sdmp, explorer.exe, 0000001D.00000002.562791958.00000000032A0000.00000002.00020000.sdmp, explorer.exe, 0000001E.00000002.557784723.00000000019E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.563078612.00000000031A0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.314997894.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000015.00000002.562776985.0000000003050000.00000002.00020000.sdmp, explorer.exe, 00000016.00000002.562911220.0000000002ED0000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.556994442.0000000000C70000.00000002.00020000.sdmp, explorer.exe, 00000018.00000002.562677135.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.557849351.0000000001750000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.561545851.0000000003160000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000002.557928064.0000000000E10000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.564628449.00000000032E0000.00000002.00020000.sdmp, explorer.exe, 0000001D.00000002.562791958.00000000032A0000.00000002.00020000.sdmp, explorer.exe, 0000001E.00000002.557784723.00000000019E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.563078612.00000000031A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.312286247.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000002.562776985.0000000003050000.00000002.00020000.sdmp, explorer.exe, 00000016.00000002.562911220.0000000002ED0000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.556994442.0000000000C70000.00000002.00020000.sdmp, explorer.exe, 00000018.00000002.562677135.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.557849351.0000000001750000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.561545851.0000000003160000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000002.557928064.0000000000E10000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.564628449.00000000032E0000.00000002.00020000.sdmp, explorer.exe, 0000001D.00000002.562791958.00000000032A0000.00000002.00020000.sdmp, explorer.exe, 0000001E.00000002.557784723.00000000019E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.563078612.00000000031A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.312286247.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000002.562776985.0000000003050000.00000002.00020000.sdmp, explorer.exe, 00000016.00000002.562911220.0000000002ED0000.00000002.00020000.sdmp, explorer.exe, 00000017.00000002.556994442.0000000000C70000.00000002.00020000.sdmp, explorer.exe, 00000018.00000002.562677135.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000019.00000002.557849351.0000000001750000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000002.561545851.0000000003160000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000002.557928064.0000000000E10000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000002.564628449.00000000032E0000.00000002.00020000.sdmp, explorer.exe, 0000001D.00000002.562791958.00000000032A0000.00000002.00020000.sdmp, explorer.exe, 0000001E.00000002.557784723.00000000019E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.563078612.00000000031A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.322637021.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02ED518B cpuid 19_2_02ED518B
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E8227E GetSystemTimeAsFileTime,_alldiv,wsprintfA, 19_2_02E8227E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_02E82304 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary, 19_2_02E82304

Stealing of Sensitive Information:

Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.424469148.0000000003C21000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.345433901.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.424450951.0000000003C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.357762865.0000000002181000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.559721619.00000000027D1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.555611191.0000000000111000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.555126531.0000000000311000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.555346763.0000000000E91000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6908, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal Jump to behavior
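Detection logic added here as a worked example; it is not part of the Joe Sandbox report and not SmokeLoader code. It takes the registry keys and file paths that the Stealing of Sensitive Information entries above attribute to C:\Windows\SysWOW64\explorer.exe, plus the MachineGuid query from the Language, Device and Operating System Detection section, and flags any process that opens a credential store it does not own. It generalizes beyond this one sample (any non-owner process is reported, not only explorer.exe); the AccessEvent shape, the owner allowlist, the severity rule, the PIDs and the benign sample events are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Added detection example (not from the sandbox report and not SmokeLoader code).
# Registry keys and file paths come from the report's "Key opened" / "File opened"
# entries; the event shape, owner allowlist and sample events are assumptions.

# (pattern on the opened object, process images allowed to open it, label)
CREDENTIAL_STORES = (
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion"
                r"\\Windows Messaging Subsystem\\Profiles\\", re.I),
     {"outlook.exe"}, "Outlook MAPI profile (mail credentials)"),
    (re.compile(r"^HKEY_CURRENT_USER\\Software\\Martin Prikryl(\\|$)", re.I),
     {"winscp.exe"}, "WinSCP sessions (hive named after the program's author)"),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies|Local State)(-journal)?$", re.I),
     {"chrome.exe"}, "Chrome profile secrets (Login Data / Cookies / Local State)"),
)

# Host fingerprinting indicator from the same report. MachineGuid is read by plenty of
# legitimate software, so alone it produces no finding; it only raises the severity
# of a process that also touched a credential store.
MACHINE_GUID = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid$", re.I)

# 64-bit Windows runs C:\Windows\explorer.exe as the shell. The 32-bit copy under
# SysWOW64 is a legitimate file that users practically never launch, so a stealer
# running inside it (as in this report) stands out by image path alone.
WOW64_EXPLORER = r"c:\windows\syswow64\explorer.exe"


@dataclass(frozen=True)
class AccessEvent:
    pid: int
    image: str    # full path of the process that opened the object
    target: str   # registry key/value or file path that was opened


@dataclass
class Finding:
    pid: int
    image: str
    stores: list = field(default_factory=list)  # deduplicated labels of stores touched
    fingerprinted: bool = False                 # also read MachineGuid
    unusual_host: bool = False                  # runs as the WoW64 explorer.exe

    @property
    def severity(self) -> str:
        if len(self.stores) >= 2 or self.fingerprinted or self.unusual_host:
            return "high"
        return "medium"


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Group events by PID; report processes that read credential stores they do not own."""
    per_pid = {}
    for ev in events:
        f = per_pid.setdefault(ev.pid, Finding(ev.pid, ev.image))
        f.unusual_host = f.unusual_host or ev.image.lower() == WOW64_EXPLORER
        if MACHINE_GUID.match(ev.target):
            f.fingerprinted = True
            continue
        for pattern, owners, label in CREDENTIAL_STORES:
            if pattern.search(ev.target) and image_name(ev.image) not in owners:
                if label not in f.stores:
                    f.stores.append(label)
    # Only fingerprinting, or only opening stores the process owns, is not reported.
    return [f for f in per_pid.values() if f.stores]


# Constructed sample events modelled on the report's entries; PIDs and the benign
# events are made up for the example.
SAMPLE_EVENTS = [
    AccessEvent(6052, r"C:\Windows\SysWOW64\explorer.exe",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"),
    AccessEvent(6052, r"C:\Windows\SysWOW64\explorer.exe",
                r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    AccessEvent(6052, r"C:\Windows\SysWOW64\explorer.exe", r"HKEY_CURRENT_USER\Software\Martin Prikryl"),
    AccessEvent(6052, r"C:\Windows\SysWOW64\explorer.exe",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(6052, r"C:\Windows\SysWOW64\explorer.exe",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal"),
    # Benign: the owning application reading its own store, and the real shell doing shell things.
    AccessEvent(4100, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(2200, r"C:\Windows\explorer.exe", r"C:\Users\user\Documents\notes.txt"),
    AccessEvent(3100, r"C:\Windows\explorer.exe",
                r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"),
]


def run_sample() -> list:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"PID {f.pid} {f.image} severity={f.severity} wow64={f.unusual_host} "
              f"machineguid={f.fingerprinted} stores={f.stores}")
```

On the constructed events only the WoW64 explorer.exe is reported, at high severity, because it touched three different stores, read MachineGuid and runs from an image path the shell never uses; chrome.exe reading its own Login Data and the 64-bit shell reading MachineGuid produce nothing. The same matching works over real Sysmon registry (event 12/13) and file-access telemetry once the records are mapped onto AccessEvent.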

Remote Access Functionality:

Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.424469148.0000000003C21000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.345433901.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.357733391.0000000002160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.424450951.0000000003C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.357762865.0000000002181000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.559721619.00000000027D1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.555611191.0000000000111000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.555126531.0000000000311000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.555346763.0000000000E91000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6908, type: MEMORYSTR