Windows Analysis Report
p3jNeWT0GE.exe

Overview

General Information

Sample Name: p3jNeWT0GE.exe
Analysis ID: 652394
MD5: 25b54f50600604a53e80163b9049421e
SHA1: be28d831c5183368f057f8bec104a2b0babb406c
SHA256: 9904784c707abb24585e3e61fa5cc094380206385cbb7d087c968d7dc5ee0991
Tags: DofoilexeSmokeLoader
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://host-host-file8.com/ URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: host-file-host6.com Virustotal: Detection: 18% Perma Link
Source: host-host-file8.com Virustotal: Detection: 12% Perma Link
Machine Learning detection for sample
Source: p3jNeWT0GE.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\hdgaecu Joe Sandbox ML: detected
Source: 0000000D.00000002.501732921.00000000004B0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Uses 32bit PE files
Source: p3jNeWT0GE.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\kurokov covicaf\85\fodeta\yobil\vegemogix\wapa\x.pdb source: p3jNeWT0GE.exe, hdgaecu.4.dr
Source: Binary string: {JMC:\kurokov covicaf\85\fodeta\yobil\vegemogix\wapa\x.pdbP5D source: p3jNeWT0GE.exe, hdgaecu.4.dr

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://host-file-host6.com/
Source: Malware configuration extractor URLs: http://host-host-file8.com/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xcxakxdec.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 282Host: host-file-host6.com
Source: explorer.exe, 00000004.00000000.397114425.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.374277431.00000000026D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobY
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xcxakxdec.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 282Host: host-file-host6.com
Source: unknown DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0.2.p3jNeWT0GE.exe.c215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.hdgaecu.c215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.p3jNeWT0GE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.hdgaecu.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.415791287.0000000002681000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.501978878.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.442558438.0000000001E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.501732921.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.442516398.0000000001E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Uses 32bit PE files
Source: p3jNeWT0GE.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Detected potential crypto function
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_0041FB80 0_2_0041FB80
Contains functionality to call native functions
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_00C20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_00C20110
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 1_2_0040180C Sleep,NtTerminateProcess, 1_2_0040180C
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 1_2_00401818 Sleep,NtTerminateProcess, 1_2_00401818
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 1_2_00401822 Sleep,NtTerminateProcess, 1_2_00401822
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 1_2_00401826 Sleep,NtTerminateProcess, 1_2_00401826
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 1_2_00401834 Sleep,NtTerminateProcess, 1_2_00401834
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 12_2_00C20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 12_2_00C20110
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 13_2_0040180C Sleep,NtTerminateProcess, 13_2_0040180C
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 13_2_00401818 Sleep,NtTerminateProcess, 13_2_00401818
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 13_2_00401822 Sleep,NtTerminateProcess, 13_2_00401822
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 13_2_00401826 Sleep,NtTerminateProcess, 13_2_00401826
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 13_2_00401834 Sleep,NtTerminateProcess, 13_2_00401834
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: p3jNeWT0GE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\p3jNeWT0GE.exe "C:\Users\user\Desktop\p3jNeWT0GE.exe"
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Process created: C:\Users\user\Desktop\p3jNeWT0GE.exe "C:\Users\user\Desktop\p3jNeWT0GE.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\hdgaecu C:\Users\user\AppData\Roaming\hdgaecu
Source: C:\Users\user\AppData\Roaming\hdgaecu Process created: C:\Users\user\AppData\Roaming\hdgaecu C:\Users\user\AppData\Roaming\hdgaecu
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Process created: C:\Users\user\Desktop\p3jNeWT0GE.exe "C:\Users\user\Desktop\p3jNeWT0GE.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Process created: C:\Users\user\AppData\Roaming\hdgaecu C:\Users\user\AppData\Roaming\hdgaecu Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\hdgaecu Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/2@5/1
Source: p3jNeWT0GE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\kurokov covicaf\85\fodeta\yobil\vegemogix\wapa\x.pdb source: p3jNeWT0GE.exe, hdgaecu.4.dr
Source: Binary string: {JMC:\kurokov covicaf\85\fodeta\yobil\vegemogix\wapa\x.pdbP5D source: p3jNeWT0GE.exe, hdgaecu.4.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_00C21970 push ebx; iretd 0_2_00C219B7
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_00C21977 push ebx; iretd 0_2_00C219B7
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_00C2198B push ebx; iretd 0_2_00C219B7
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 1_2_004011D0 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 1_2_004011D7 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 1_2_004011EB push ebx; iretd 1_2_00401217
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 12_2_00C21970 push ebx; iretd 12_2_00C219B7
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 12_2_00C21977 push ebx; iretd 12_2_00C219B7
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 12_2_00C2198B push ebx; iretd 12_2_00C219B7
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 13_2_004011D0 push ebx; iretd 13_2_00401217
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 13_2_004011D7 push ebx; iretd 13_2_00401217
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 13_2_004011EB push ebx; iretd 13_2_00401217
PE file contains sections with non-standard names
Source: p3jNeWT0GE.exe Static PE information: section name: .zineha
Source: p3jNeWT0GE.exe Static PE information: section name: .cixu
Source: hdgaecu.4.dr Static PE information: section name: .zineha
Source: hdgaecu.4.dr Static PE information: section name: .cixu
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_0042A090 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer, 0_2_0042A090
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\hdgaecu Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\hdgaecu Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\p3jnewt0ge.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\hdgaecu:Zone.Identifier read attributes | delete Jump to behavior

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6908 Thread sleep count: 558 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6996 Thread sleep count: 234 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6112 Thread sleep count: 306 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6112 Thread sleep time: -30600s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 964 Thread sleep count: 348 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6924 Thread sleep count: 158 > 30 Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 558 Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000000.401632230.0000000006389000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.437033264.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000004.00000000.437033264.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.398203824.0000000004150000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: explorer.exe, 00000004.00000000.437033264.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
Source: explorer.exe, 00000004.00000000.437472725.0000000007D2A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.404835251.0000000007BC5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f8b}
Source: explorer.exe, 00000004.00000000.437033264.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00Iy
Source: explorer.exe, 00000004.00000000.405019671.0000000007CCB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_00411CF0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00411CF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_0042A090 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer, 0_2_0042A090
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_00C20042 push dword ptr fs:[00000030h] 0_2_00C20042
Source: C:\Users\user\AppData\Roaming\hdgaecu Code function: 12_2_00C20042 push dword ptr fs:[00000030h] 12_2_00C20042
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_0040F170 _memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040F170
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_00411CF0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00411CF0
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_0040D690 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040D690

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: hdgaecu.4.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Memory written: C:\Users\user\Desktop\p3jNeWT0GE.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Memory written: C:\Users\user\AppData\Roaming\hdgaecu base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_00C20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_00C20110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Thread created: C:\Windows\explorer.exe EIP: 2681930 Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Thread created: unknown EIP: 47C1930 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Process created: C:\Users\user\Desktop\p3jNeWT0GE.exe "C:\Users\user\Desktop\p3jNeWT0GE.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdgaecu Process created: C:\Users\user\AppData\Roaming\hdgaecu C:\Users\user\AppData\Roaming\hdgaecu Jump to behavior
Source: explorer.exe, 00000004.00000000.374144806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.415508246.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.396938172.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerG
Source: explorer.exe, 00000004.00000000.404889078.0000000007C08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.386698402.0000000007C08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.400270401.0000000005920000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.374144806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.415508246.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.396938172.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.374144806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.415508246.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.396938172.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.396362385.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.373840947.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.414885493.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanPV*
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\p3jNeWT0GE.exe Code function: 0_2_0041C570 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0041C570

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0.2.p3jNeWT0GE.exe.c215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.hdgaecu.c215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.p3jNeWT0GE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.hdgaecu.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.415791287.0000000002681000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.501978878.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.442558438.0000000001E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.501732921.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.442516398.0000000001E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0.2.p3jNeWT0GE.exe.c215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.hdgaecu.c215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.p3jNeWT0GE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.hdgaecu.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.415791287.0000000002681000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.501978878.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.442558438.0000000001E51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.501732921.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.442516398.0000000001E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 652394 Sample: p3jNeWT0GE.exe Startdate: 26/06/2022 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for domain / URL 2->30 32 Antivirus detection for URL or domain 2->32 34 Yara detected SmokeLoader 2->34 36 2 other signatures 2->36 7 p3jNeWT0GE.exe 2->7         started        10 hdgaecu 2->10         started        process3 signatures4 46 Contains functionality to inject code into remote processes 7->46 48 Injects a PE file into a foreign processes 7->48 12 p3jNeWT0GE.exe 7->12         started        50 Machine Learning detection for dropped file 10->50 15 hdgaecu 10->15         started        process5 signatures6 52 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->52 54 Maps a DLL or memory area into another process 12->54 56 Checks if the current machine is a virtual machine (disk enumeration) 12->56 17 explorer.exe 2 12->17 injected 58 Creates a thread in another existing process (thread injection) 15->58 process7 dnsIp8 26 host-file-host6.com 47.89.255.79, 49800, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 17->26 28 host-host-file8.com 17->28 22 C:\Users\user\AppData\Roaming\hdgaecu, PE32 17->22 dropped 24 C:\Users\user\...\hdgaecu:Zone.Identifier, ASCII 17->24 dropped 38 System process connects to network (likely due to code injection or exploit) 17->38 40 Benign windows process drops PE files 17->40 42 Deletes itself after installation 17->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->44 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
47.89.255.79
 host-file-host6.com United States
45102 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC true

Contacted Domains

Name IP Active
host-file-host6.com 47.89.255.79 true
host-host-file8.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://host-file-host6.com/ true
  • URL Reputation: safe
 unknown
http://host-host-file8.com/ true
  • URL Reputation: malware
 unknown