Windows Analysis Report
ofAn3uUEPe.exe

Overview

General Information

Sample Name: ofAn3uUEPe.exe
Analysis ID: 677968
MD5: db5723c9308cb986eae4262297a51fa0
SHA1: ee4130dcb4052dddcd66a5833b18661187a28f76
SHA256: 2d2bdc891614f50e1574787d7728654c02c70eb829a04bd6411ef874f92aa1eb
Tags: ArkeiStealerexe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: ofAn3uUEPe.exe Virustotal: Detection: 34% Perma Link
Source: ofAn3uUEPe.exe ReversingLabs: Detection: 47%
Antivirus detection for URL or domain
Source: http://host-host-file8.com/ URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: host-file-host6.com Virustotal: Detection: 25% Perma Link
Source: host-host-file8.com Virustotal: Detection: 21% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\hbjebed Virustotal: Detection: 34% Perma Link
Source: C:\Users\user\AppData\Roaming\hbjebed ReversingLabs: Detection: 47%
Machine Learning detection for sample
Source: ofAn3uUEPe.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\hbjebed Joe Sandbox ML: detected
Source: 00000001.00000002.349396035.0000000000580000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Uses 32bit PE files
Source: ofAn3uUEPe.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: +C:\xefuzucikeki\kujidurupij\pahikuy\venut_hipe.pdb0?D source: ofAn3uUEPe.exe, hbjebed.5.dr
Source: Binary string: C:\xefuzucikeki\kujidurupij\pahikuy\venut_hipe.pdb source: ofAn3uUEPe.exe, hbjebed.5.dr

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.4:49768 -> 34.118.39.10:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://host-file-host6.com/
Source: Malware configuration extractor URLs: http://host-host-file8.com/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://akycjr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: host-file-host6.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://akycjr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: host-file-host6.com
Source: unknown DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 17.2.hbjebed.5515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ofAn3uUEPe.exe.6e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.hbjebed.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ofAn3uUEPe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.349529334.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.349396035.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.406226962.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.328538195.0000000002701000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.406410596.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: ofAn3uUEPe.exe, 00000000.00000002.248826027.00000000007DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Uses 32bit PE files
Source: ofAn3uUEPe.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Detected potential crypto function
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00418170 0_2_00418170
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_004261B0 0_2_004261B0
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00418F50 0_2_00418F50
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: String function: 0040E300 appears 171 times
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: String function: 0040F610 appears 127 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 1_2_0040180C Sleep,NtTerminateProcess, 1_2_0040180C
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 1_2_00401818 Sleep,NtTerminateProcess, 1_2_00401818
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 1_2_00401822 Sleep,NtTerminateProcess, 1_2_00401822
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 1_2_00401826 Sleep,NtTerminateProcess, 1_2_00401826
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 1_2_00401834 Sleep,NtTerminateProcess, 1_2_00401834
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 17_2_00550110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 17_2_00550110
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 18_2_0040180C Sleep,NtTerminateProcess, 18_2_0040180C
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 18_2_00401818 Sleep,NtTerminateProcess, 18_2_00401818
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 18_2_00401822 Sleep,NtTerminateProcess, 18_2_00401822
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 18_2_00401826 Sleep,NtTerminateProcess, 18_2_00401826
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 18_2_00401834 Sleep,NtTerminateProcess, 18_2_00401834
PE file contains strange resources
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ofAn3uUEPe.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hbjebed.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: ofAn3uUEPe.exe Virustotal: Detection: 34%
Source: ofAn3uUEPe.exe ReversingLabs: Detection: 47%
Source: ofAn3uUEPe.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ofAn3uUEPe.exe "C:\Users\user\Desktop\ofAn3uUEPe.exe"
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Process created: C:\Users\user\Desktop\ofAn3uUEPe.exe "C:\Users\user\Desktop\ofAn3uUEPe.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\hbjebed C:\Users\user\AppData\Roaming\hbjebed
Source: C:\Users\user\AppData\Roaming\hbjebed Process created: C:\Users\user\AppData\Roaming\hbjebed C:\Users\user\AppData\Roaming\hbjebed
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Process created: C:\Users\user\Desktop\ofAn3uUEPe.exe "C:\Users\user\Desktop\ofAn3uUEPe.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Process created: C:\Users\user\AppData\Roaming\hbjebed C:\Users\user\AppData\Roaming\hbjebed Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\hbjebed Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/2@4/1
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00409A08 GetCursorInfo,CharUpperA,GetConsoleAliasesLengthW,GetDefaultCommConfigW,GetProfileSectionW,_puts,GetFileInformationByHandle,_realloc,_realloc,_realloc,_fseek,SetCalendarInfoA,GetBinaryTypeW,SetCurrentDirectoryA,BuildCommDCBAndTimeoutsW,CreateFileW,OpenJobObjectW,WriteConsoleOutputCharacterA,MapUserPhysicalPages,AddAtomA,GetThreadPriority,GetFullPathNameW,FindNextVolumeMountPointW,FillConsoleOutputCharacterA,EnumResourceNamesW,OpenWaitableTimerA,LocalSize,_hread,GetPrivateProfileStructW,GetComputerNameW,EnumDateFormatsExW,GetConsoleAliasesW,GetComputerNameW,GetConsoleTitleA,GetSystemWindowsDirectoryW,SetCalendarInfoW,GetFileAttributesA,HeapLock,lstrcpyW,LocalAlloc,GetConsoleFontSize,EnumDateFormatsW,ConvertThreadToFiber,InterlockedCompareExchange,VerifyVersionInfoA,FormatMessageA,GetCommState,FindResourceW,CreateMutexA,MoveFileA,LockFileEx,ResetEvent,FindNextFileW,lstrcmpW,GetTapeParameters,GlobalWire,GetComputerNameExW,CopyFileW,FileTimeToSystemTime,GetFileAttributesW,OpenMutexW,GetPrivateProfileSectionNamesW,EnumSystemLocalesA,GetComputerNameW,WriteConsoleA,GlobalGetAtomNameW,LoadLibraryA,SetConsoleWindowInfo,GetCPInfoExA,EnumResourceLanguagesA,TerminateProcess,TerminateProcess,GetDiskFreeSpaceExA,GetPrivateProfileStructW,GetConsoleAliasA,lstrcpyA,GetOEMCP,TerminateProcess,VirtualAlloc,GetComputerNameA,GetModuleHandleW, 0_2_00409A08
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00409717 GetComputerNameW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,VerifyVersionInfoW,SetLastError,DebugBreak,GetConsoleAliasExesLengthW,GetPrivateProfileIntA,GetLastError,GetSystemWow64DirectoryW,GetCPInfoExW,CreateMailslotA,GetStartupInfoW,InterlockedExchangeAdd,_hwrite,HeapFree,VerifyVersionInfoW,InterlockedIncrement,InterlockedIncrement,AddAtomA,WriteProfileSectionW,GetConsoleAliasesLengthW,GetSystemDefaultLangID,CreateNamedPipeW,LoadLibraryA,GetOverlappedResult,FindNextVolumeW,EnterCriticalSection,GetModuleHandleW,FormatMessageW,CreateActCtxA,CopyFileW,GetConsoleTitleW,VerifyVersionInfoW,InterlockedIncrement,InterlockedExchange,InterlockedIncrement,GetCommandLineW,SetLastError,MoveFileWithProgressW,VerifyVersionInfoA, 0_2_00409717
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_007EB32B CreateToolhelp32Snapshot,Module32First, 0_2_007EB32B
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00409495 BuildCommDCBAndTimeoutsA,SetCurrentDirectoryA,GetSystemDirectoryA,GetModuleHandleW,CallNamedPipeW,OpenEventA,GetComputerNameExW,GetConsoleTitleA,WriteConsoleInputA,WriteConsoleInputW,SizeofResource,TlsGetValue,FindNextVolumeMountPointW,lstrlenA,GlobalGetAtomNameA,GetDriveTypeW,GetProcessPriorityBoost,IsSystemResumeAutomatic,QueryDosDeviceW,VerifyVersionInfoA,GetProfileSectionW,LockFile, 0_2_00409495
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Command line argument: Risejigav 0_2_00409A08
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Command line argument: Bot 0_2_00409A08
Source: ofAn3uUEPe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: +C:\xefuzucikeki\kujidurupij\pahikuy\venut_hipe.pdb0?D source: ofAn3uUEPe.exe, hbjebed.5.dr
Source: Binary string: C:\xefuzucikeki\kujidurupij\pahikuy\venut_hipe.pdb source: ofAn3uUEPe.exe, hbjebed.5.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_0040AD78 push eax; ret 0_2_0040AD96
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_007F10CA pushad ; iretd 0_2_007F10D0
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_007EC23E push ebx; iretd 0_2_007EC269
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_007EC229 push ebx; iretd 0_2_007EC269
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 1_2_004011D0 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 1_2_004011D7 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 1_2_004011EB push ebx; iretd 1_2_00401217
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 17_2_00551977 push ebx; iretd 17_2_005519B7
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 17_2_00551970 push ebx; iretd 17_2_005519B7
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 17_2_0055198B push ebx; iretd 17_2_005519B7
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 18_2_004011D0 push ebx; iretd 18_2_00401217
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 18_2_004011D7 push ebx; iretd 18_2_00401217
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 18_2_004011EB push ebx; iretd 18_2_00401217
PE file contains sections with non-standard names
Source: ofAn3uUEPe.exe Static PE information: section name: .zuja
Source: ofAn3uUEPe.exe Static PE information: section name: .miw
Source: ofAn3uUEPe.exe Static PE information: section name: .kagivu
Source: hbjebed.5.dr Static PE information: section name: .zuja
Source: hbjebed.5.dr Static PE information: section name: .miw
Source: hbjebed.5.dr Static PE information: section name: .kagivu
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_0040961A LoadLibraryA,GetProcAddress,VirtualProtect, 0_2_0040961A
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\hbjebed Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\hbjebed Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\ofan3uuepe.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\hbjebed:Zone.Identifier read attributes | delete Jump to behavior

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 1448 Thread sleep count: 568 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4640 Thread sleep count: 286 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1584 Thread sleep count: 268 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1992 Thread sleep count: 402 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4196 Thread sleep count: 167 > 30 Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 568 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 402 Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000005.00000000.266115692.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.266275737.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
Source: explorer.exe, 00000005.00000000.273416392.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.273416392.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.302639231.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.273416392.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.266275737.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.273416392.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
Source: explorer.exe, 00000005.00000000.265903387.0000000005148000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.273416392.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00427880 IsDebuggerPresent,DebuggerProbe, 0_2_00427880
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_0041CE42 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,_wcscat_s,__invoke_watson_if_error,__snwprintf_s,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_oneof,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__invoke_watson_if_oneof,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW, 0_2_0041CE42
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_0040961A LoadLibraryA,GetProcAddress,VirtualProtect, 0_2_0040961A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_007EAC08 push dword ptr fs:[00000030h] 0_2_007EAC08
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 17_2_00550042 push dword ptr fs:[00000030h] 17_2_00550042
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_0040DC00 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040DC00
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00415A50 SetUnhandledExceptionFilter, 0_2_00415A50
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_0040F680 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040F680
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_0040E7A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040E7A0

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: hbjebed.5.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\hbjebed Memory written: C:\Users\user\AppData\Roaming\hbjebed base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Roaming\hbjebed Code function: 17_2_00550110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 17_2_00550110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Thread created: C:\Windows\explorer.exe EIP: 2701930 Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Thread created: unknown EIP: 4771930 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Process created: C:\Users\user\Desktop\ofAn3uUEPe.exe "C:\Users\user\Desktop\ofAn3uUEPe.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbjebed Process created: C:\Users\user\AppData\Roaming\hbjebed C:\Users\user\AppData\Roaming\hbjebed Jump to behavior
Source: explorer.exe, 00000005.00000000.338134805.0000000005E60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.268055732.0000000005610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.302399610.0000000005E60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.292131314.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.260747834.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327282053.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.260747834.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327282053.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.292696453.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager,
Source: explorer.exe, 00000005.00000000.260747834.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327282053.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.292696453.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: GetCursorInfo,CharUpperA,GetConsoleAliasesLengthW,GetDefaultCommConfigW,GetProfileSectionW,_puts,GetFileInformationByHandle,_realloc,_realloc,_realloc,_fseek,SetCalendarInfoA,GetBinaryTypeW,SetCurrentDirectoryA,BuildCommDCBAndTimeoutsW,CreateFileW,OpenJobObjectW,WriteConsoleOutputCharacterA,MapUserPhysicalPages,AddAtomA,GetThreadPriority,GetFullPathNameW,FindNextVolumeMountPointW,FillConsoleOutputCharacterA,EnumResourceNamesW,OpenWaitableTimerA,LocalSize,_hread,GetPrivateProfileStructW,GetComputerNameW,EnumDateFormatsExW,GetConsoleAliasesW,GetComputerNameW,GetConsoleTitleA,GetSystemWindowsDirectoryW,SetCalendarInfoW,GetFileAttributesA,HeapLock,lstrcpyW,LocalAlloc,GetConsoleFontSize,EnumDateFormatsW,ConvertThreadToFiber,InterlockedCompareExchange,VerifyVersionInfoA,FormatMessageA,GetCommState,FindResourceW,CreateMutexA,MoveFileA,LockFileEx,ResetEvent,FindNextFileW,lstrcmpW,GetTapeParameters,GlobalWire,GetComputerNameExW,CopyFileW,FileTimeToSystemTime,GetFileAttributesW,OpenMutexW,GetPrivateProfileSectionNamesW,EnumSystemLocalesA,GetComputerNameW,WriteConsoleA,GlobalGetAtomNameW,LoadLibraryA,SetConsoleWindowInfo,GetCPInfoExA,EnumResourceLanguagesA,TerminateProcess,TerminateProcess,GetDiskFreeSpaceExA,GetPrivateProfileStructW,GetConsoleAliasA,lstrcpyA,GetOEMCP,TerminateProcess,VirtualAlloc,GetComputerNameA,GetModuleHandleW, 0_2_00409A08
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: GetLocaleInfoA, 0_2_00427940
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00409717 GetComputerNameW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,VerifyVersionInfoW,SetLastError,DebugBreak,GetConsoleAliasExesLengthW,GetPrivateProfileIntA,GetLastError,GetSystemWow64DirectoryW,GetCPInfoExW,CreateMailslotA,GetStartupInfoW,InterlockedExchangeAdd,_hwrite,HeapFree,VerifyVersionInfoW,InterlockedIncrement,InterlockedIncrement,AddAtomA,WriteProfileSectionW,GetConsoleAliasesLengthW,GetSystemDefaultLangID,CreateNamedPipeW,LoadLibraryA,GetOverlappedResult,FindNextVolumeW,EnterCriticalSection,GetModuleHandleW,FormatMessageW,CreateActCtxA,CopyFileW,GetConsoleTitleW,VerifyVersionInfoW,InterlockedIncrement,InterlockedExchange,InterlockedIncrement,GetCommandLineW,SetLastError,MoveFileWithProgressW,VerifyVersionInfoA, 0_2_00409717
Source: C:\Users\user\Desktop\ofAn3uUEPe.exe Code function: 0_2_00415A70 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00415A70

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 17.2.hbjebed.5515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ofAn3uUEPe.exe.6e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.hbjebed.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ofAn3uUEPe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.349529334.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.349396035.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.406226962.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.328538195.0000000002701000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.406410596.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 17.2.hbjebed.5515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ofAn3uUEPe.exe.6e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.hbjebed.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ofAn3uUEPe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.349529334.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.349396035.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.406226962.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.328538195.0000000002701000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.406410596.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 677968 Sample: ofAn3uUEPe.exe Startdate: 03/08/2022 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic 2->30 32 Multi AV Scanner detection for domain / URL 2->32 34 Antivirus detection for URL or domain 2->34 36 4 other signatures 2->36 7 ofAn3uUEPe.exe 2->7         started        9 hbjebed 2->9         started        process3 signatures4 12 ofAn3uUEPe.exe 7->12         started        46 Multi AV Scanner detection for dropped file 9->46 48 Machine Learning detection for dropped file 9->48 50 Contains functionality to inject code into remote processes 9->50 52 Injects a PE file into a foreign processes 9->52 15 hbjebed 9->15         started        process5 signatures6 54 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->54 56 Maps a DLL or memory area into another process 12->56 58 Checks if the current machine is a virtual machine (disk enumeration) 12->58 17 explorer.exe 2 12->17 injected 60 Creates a thread in another existing process (thread injection) 15->60 process7 dnsIp8 26 host-file-host6.com 34.118.39.10, 49768, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 17->26 28 host-host-file8.com 17->28 22 C:\Users\user\AppData\Roaming\hbjebed, PE32 17->22 dropped 24 C:\Users\user\...\hbjebed:Zone.Identifier, ASCII 17->24 dropped 38 System process connects to network (likely due to code injection or exploit) 17->38 40 Benign windows process drops PE files 17->40 42 Deletes itself after installation 17->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->44 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.118.39.10
 host-file-host6.com United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG true

Contacted Domains

Name IP Active
dual-a-0001.dc-msedge.net 131.253.33.200 true
host-file-host6.com 34.118.39.10 true
host-host-file8.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://host-file-host6.com/ true
  • URL Reputation: safe
 unknown
http://host-host-file8.com/ true
  • URL Reputation: malware
 unknown