Windows Analysis Report T3AtsGGHEL.exe

Overview

General Information

Sample Name: T3AtsGGHEL.exe
Analysis ID: 534006
MD5: 89611c7a85fb5ccd4dd7edc076bc4ee8
SHA1: a29812244684e248d7fe4f9e65e180bb4cd3098a
SHA256: a5cf8668fc9624b386bbdad3a3dba28c029945048a7d15a0b0ee41dfe9e0a2df
Tags: exeSmokeLoader

Errors
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database
  • Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP
  • Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog
  • Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: T3AtsGGHEL.exe Virustotal: Detection: 60%
Source: T3AtsGGHEL.exe ReversingLabs: Detection: 48%
Multi AV Scanner detection for domain / URL
Source: wfsdragon.ru Virustotal: Detection: 5%
Source: http://wfsdragon.ru/api/setStats.php Virustotal: Detection: 6%
Machine Learning detection for sample
Source: T3AtsGGHEL.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: T3AtsGGHEL.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: T3AtsGGHEL.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00ECA061 FindFirstFileExW, 1_2_00ECA061

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2010595 ET MALWARE User-Agent (???) 192.168.2.3:49741 -> 212.193.30.45:80
Source: Traffic Snort IDS: 2010595 ET MALWARE User-Agent (???) 192.168.2.3:49742 -> 172.67.133.215:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SPD-NETTR SPD-NETTR
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 212.193.30.45 212.193.30.45
Source: Joe Sandbox View IP Address: 172.67.133.215 172.67.133.215
Source: unknown TCP traffic detected without corresponding DNS query: 212.193.30.45
Source: T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp String found in binary or memory: http://212.193.30.45/
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275124847.0000000001159000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp String found in binary or memory: http://212.193.30.45/proxies.txt
Source: T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp String found in binary or memory: http://212.193.30.45/proxies.txtOP-
Source: T3AtsGGHEL.exe, 00000001.00000002.275117847.000000000114A000.00000004.00000020.sdmp String found in binary or memory: http://wfsdragon.ru/(
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp String found in binary or memory: http://wfsdragon.ru/api/setStats.php
Source: T3AtsGGHEL.exe, 00000001.00000002.275106056.0000000001138000.00000004.00000020.sdmp String found in binary or memory: http://wfsdragon.ru/api/setStats.php3t
Source: T3AtsGGHEL.exe, 00000001.00000002.275140606.0000000001185000.00000004.00000020.sdmp String found in binary or memory: http://wfsdragon.ru/api/setStats.phpAX
Source: unknown DNS traffic detected: queries for: wfsdragon.ru
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC1820 InternetOpenA,InternetOpenA,InternetOpenUrlA,InternetReadFile,__aulldiv,InternetReadFile,InternetReadFile,__aulldiv,InternetReadFile,CreateFileA,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_00EC1820
Source: global traffic HTTP traffic detected:
  GET /proxies.txt HTTP/1.1
  Connection: Keep-Alive
  User-Agent: ????
  Host: 212.193.30.45
Source: global traffic HTTP traffic detected:
  GET /api/setStats.php HTTP/1.1
  Connection: Keep-Alive
  User-Agent: ????ll
  Host: wfsdragon.ru

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: T3AtsGGHEL.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Sample file is different than original file name gathered from version info
Source: T3AtsGGHEL.exe Binary or memory string: OriginalFilename vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe, 00000001.00000002.275043561.0000000000ED5000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe, 00000001.00000000.270223923.0000000000ED5000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe
Source: T3AtsGGHEL.exe Binary or memory string: OriginalFilenameSetToken.exe< vs T3AtsGGHEL.exe
PE file contains strange resources
Source: T3AtsGGHEL.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC2040 1_2_00EC2040
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC1820 1_2_00EC1820
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBC830 1_2_00EBC830
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBD500 1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EB7630 1_2_00EB7630
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EB8600 1_2_00EB8600
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EB98FC 1_2_00EB98FC
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EB98F4 1_2_00EB98F4
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EB592D 1_2_00EB592D
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBC280 1_2_00EBC280
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC24F0 1_2_00EC24F0
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBEED0 1_2_00EBEED0
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00ED0E50 1_2_00ED0E50
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EB6E30 1_2_00EB6E30
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00ECFF12 1_2_00ECFF12
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: String function: 00EC3DA0 appears 33 times
Source: T3AtsGGHEL.exe Virustotal: Detection: 60%
Source: T3AtsGGHEL.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\T3AtsGGHEL.exe "C:\Users\user\Desktop\T3AtsGGHEL.exe"
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
Source: classification engine Classification label: mal68.winEXE@2/0@1/2
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: T3AtsGGHEL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T3AtsGGHEL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T3AtsGGHEL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T3AtsGGHEL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T3AtsGGHEL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T3AtsGGHEL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: T3AtsGGHEL.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: T3AtsGGHEL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC3DE6 push ecx; ret 1_2_00EC3DF9
PE file contains sections with non-standard names
Source: T3AtsGGHEL.exe Static PE information: section name: .code

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC3002 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00EC3002

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00ECA061 FindFirstFileExW, 1_2_00ECA061
Source: T3AtsGGHEL.exe, 00000001.00000002.275133735.0000000001175000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW{
Source: T3AtsGGHEL.exe, 00000001.00000002.275133735.0000000001175000.00000004.00000020.sdmp, T3AtsGGHEL.exe, 00000001.00000002.275094413.000000000111A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC73C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00EC73C4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBC830 mov eax, dword ptr fs:[00000030h] 1_2_00EBC830
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBD500 mov eax, dword ptr fs:[00000030h] 1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h] 1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h] 1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EBD500 mov ecx, dword ptr fs:[00000030h] 1_2_00EBD500
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC6DF1 mov eax, dword ptr fs:[00000030h] 1_2_00EC6DF1
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC8752 mov eax, dword ptr fs:[00000030h] 1_2_00EC8752
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC2040 __aulldiv,HeapFree,GetProcessHeap,HeapFree, 1_2_00EC2040
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC3D29 SetUnhandledExceptionFilter, 1_2_00EC3D29
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC38A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00EC38A6
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC73C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00EC73C4
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC3BC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00EC3BC4

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC39E4 cpuid 1_2_00EC39E4
Source: C:\Users\user\Desktop\T3AtsGGHEL.exe Code function: 1_2_00EC703C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_00EC703C