Windows Analysis Report
CraHZCrkGP.exe

Overview

General Information

Sample Name:	CraHZCrkGP.exe
Analysis ID:	678052
MD5:	a8ef2558341a5ca8ac58ee543e260ee4
SHA1:	5585cc5f17f424639dae06d6feba403c78232f6a
SHA256:	19e29cc8b874c3dd5fa4b724fb6d5d51db0b7c2fd4e954bb7b1dda228b2225fb
Tags:	ArkeiStealerexe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Maps a DLL or memory area into another process

Machine Learning detection for sample

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Contains functionality to call native functions

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: host-file-host6.com	Virustotal: Detection: 25%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 21%			Perma Link

Machine Learning detection for sample

Source: CraHZCrkGP.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\drsdbad

Joe Sandbox ML: detected

Source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Uses 32bit PE files

Source: CraHZCrkGP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: D#c'C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb`ZBP7@ source: CraHZCrkGP.exe, drsdbad.5.dr
Source:	Binary string: C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb source: CraHZCrkGP.exe, drsdbad.5.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qxhuehga.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: host-file-host6.com

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 21.2.drsdbad.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.drsdbad.25a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CraHZCrkGP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CraHZCrkGP.exe.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.292819935.0000000002631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374142486.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374095976.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.315051537.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: CraHZCrkGP.exe, 00000000.00000002.247210114.000000000279A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Uses 32bit PE files

Source: CraHZCrkGP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Contains functionality to call native functions

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_0040180C Sleep,NtTerminateProcess,	1_2_0040180C
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_00401818 Sleep,NtTerminateProcess,	1_2_00401818
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_00401822 Sleep,NtTerminateProcess,	1_2_00401822
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_00401826 Sleep,NtTerminateProcess,	1_2_00401826
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_00401834 Sleep,NtTerminateProcess,	1_2_00401834
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_0040180C Sleep,NtTerminateProcess,	21_2_0040180C
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_00401818 Sleep,NtTerminateProcess,	21_2_00401818
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_00401822 Sleep,NtTerminateProcess,	21_2_00401822
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_00401826 Sleep,NtTerminateProcess,	21_2_00401826
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_00401834 Sleep,NtTerminateProcess,	21_2_00401834

PE file contains strange resources

Source: CraHZCrkGP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CraHZCrkGP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: drsdbad.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: drsdbad.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: CraHZCrkGP.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: drsdbad.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CraHZCrkGP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe"
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad
Source: C:\Users\user\AppData\Roaming\drsdbad	Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\drsdbad

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@4/1

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Code function: 0_2_027AB26D CreateToolhelp32Snapshot,Module32First,

0_2_027AB26D

Source: CraHZCrkGP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D#c'C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb`ZBP7@ source: CraHZCrkGP.exe, drsdbad.5.dr
Source:	Binary string: C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb source: CraHZCrkGP.exe, drsdbad.5.dr

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A607B push edx; retf 0073h	0_2_027A608E
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027AC16B push ebx; iretd	0_2_027AC1AB
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A6035 push edi; retf 0073h	0_2_027A6046
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A601C push ecx; retf 0073h	0_2_027A602E
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A6514 push 000073CAh; retf 0073h	0_2_027A66EE
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027B100C pushad ; iretd	0_2_027B1012
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A60DC push edx; retf 0073h	0_2_027A60EE
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A60DC pushad ; retf 0073h	0_2_027A614E
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027AC180 push ebx; iretd	0_2_027AC1AB
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_004011D0 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_004011D7 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_004011EB push ebx; iretd	1_2_00401217
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_004011D0 push ebx; iretd	21_2_00401217
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_004011D7 push ebx; iretd	21_2_00401217
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_004011EB push ebx; iretd	21_2_00401217

Source: initial sample	Static PE information: section name: .text entropy: 7.43093136075961
Source: initial sample	Static PE information: section name: .text entropy: 7.43093136075961

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\drsdbad

Jump to dropped file

Drops PE files

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\drsdbad

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\crahzcrkgp.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\drsdbad:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 1912	Thread sleep count: 586 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4860	Thread sleep count: 393 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4860	Thread sleep time: -39300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1220	Thread sleep count: 411 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1220	Thread sleep time: -41100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2168	Thread sleep count: 399 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2536	Thread sleep count: 284 > 30	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 586	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 393	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 411	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 399	Jump to behavior

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000005.00000000.258357036.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.291787671.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.280302190.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.272179570.0000000008290000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.282454352.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000005.00000000.280302190.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000005.00000000.271968277.000000000820E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.272560042.000000000832B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f$:s
Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Code function: 0_2_027AAB4A push dword ptr fs:[00000030h]

0_2_027AAB4A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: drsdbad.5.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Thread created: C:\Windows\explorer.exe EIP: 2631930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Thread created: unknown EIP: 4A01930			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad			Jump to behavior

Source: explorer.exe, 00000005.00000000.278658295.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.291768185.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.258363464.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.302629679.0000000008142000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.262213793.0000000005920000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.278681639.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.258377155.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.291787671.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Code function: 0_2_0041CC60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0041CC60

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 21.2.drsdbad.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.drsdbad.25a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CraHZCrkGP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CraHZCrkGP.exe.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.292819935.0000000002631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374142486.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374095976.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.315051537.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 21.2.drsdbad.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.drsdbad.25a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CraHZCrkGP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CraHZCrkGP.exe.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.292819935.0000000002631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374142486.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374095976.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.315051537.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.118.39.10	host-file-host6.com	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true

Contacted Domains

Name	IP	Active
host-file-host6.com	34.118.39.10	true
host-host-file8.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-file-host6.com/	true	URL Reputation: safe	unknown
http://host-host-file8.com/	true	URL Reputation: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: host-file-host6.com	Virustotal: Detection: 25%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 21%			Perma Link

Machine Learning detection for sample

Source: CraHZCrkGP.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\drsdbad

Joe Sandbox ML: detected

Source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Uses 32bit PE files

Source: CraHZCrkGP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: D#c'C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb`ZBP7@ source: CraHZCrkGP.exe, drsdbad.5.dr
Source:	Binary string: C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb source: CraHZCrkGP.exe, drsdbad.5.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 21.2.drsdbad.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.drsdbad.25a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CraHZCrkGP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CraHZCrkGP.exe.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.292819935.0000000002631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374142486.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374095976.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.315051537.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: CraHZCrkGP.exe, 00000000.00000002.247210114.000000000279A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Uses 32bit PE files

Source: CraHZCrkGP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Contains functionality to call native functions

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_0040180C Sleep,NtTerminateProcess,	1_2_0040180C
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_00401818 Sleep,NtTerminateProcess,	1_2_00401818
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_00401822 Sleep,NtTerminateProcess,	1_2_00401822
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_00401826 Sleep,NtTerminateProcess,	1_2_00401826
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_00401834 Sleep,NtTerminateProcess,	1_2_00401834
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_0040180C Sleep,NtTerminateProcess,	21_2_0040180C
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_00401818 Sleep,NtTerminateProcess,	21_2_00401818
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_00401822 Sleep,NtTerminateProcess,	21_2_00401822
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_00401826 Sleep,NtTerminateProcess,	21_2_00401826
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_00401834 Sleep,NtTerminateProcess,	21_2_00401834

PE file contains strange resources

Source: CraHZCrkGP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CraHZCrkGP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: drsdbad.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: drsdbad.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: CraHZCrkGP.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: drsdbad.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CraHZCrkGP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe"
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad
Source: C:\Users\user\AppData\Roaming\drsdbad	Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\drsdbad

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@4/1

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Code function: 0_2_027AB26D CreateToolhelp32Snapshot,Module32First,

0_2_027AB26D

Source: CraHZCrkGP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D#c'C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb`ZBP7@ source: CraHZCrkGP.exe, drsdbad.5.dr
Source:	Binary string: C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb source: CraHZCrkGP.exe, drsdbad.5.dr

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A607B push edx; retf 0073h	0_2_027A608E
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027AC16B push ebx; iretd	0_2_027AC1AB
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A6035 push edi; retf 0073h	0_2_027A6046
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A601C push ecx; retf 0073h	0_2_027A602E
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A6514 push 000073CAh; retf 0073h	0_2_027A66EE
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027B100C pushad ; iretd	0_2_027B1012
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A60DC push edx; retf 0073h	0_2_027A60EE
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027A60DC pushad ; retf 0073h	0_2_027A614E
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 0_2_027AC180 push ebx; iretd	0_2_027AC1AB
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_004011D0 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_004011D7 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Code function: 1_2_004011EB push ebx; iretd	1_2_00401217
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_004011D0 push ebx; iretd	21_2_00401217
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_004011D7 push ebx; iretd	21_2_00401217
Source: C:\Users\user\AppData\Roaming\drsdbad	Code function: 21_2_004011EB push ebx; iretd	21_2_00401217

Source: initial sample	Static PE information: section name: .text entropy: 7.43093136075961
Source: initial sample	Static PE information: section name: .text entropy: 7.43093136075961

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\drsdbad

Jump to dropped file

Drops PE files

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\drsdbad

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\crahzcrkgp.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\drsdbad:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 1912	Thread sleep count: 586 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4860	Thread sleep count: 393 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4860	Thread sleep time: -39300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1220	Thread sleep count: 411 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1220	Thread sleep time: -41100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2168	Thread sleep count: 399 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2536	Thread sleep count: 284 > 30	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 586	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 393	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 411	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 399	Jump to behavior

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000005.00000000.258357036.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.291787671.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.280302190.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.272179570.0000000008290000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.282454352.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000005.00000000.280302190.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000005.00000000.271968277.000000000820E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.272560042.000000000832B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f$:s
Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Code function: 0_2_027AAB4A push dword ptr fs:[00000030h]

0_2_027AAB4A

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: drsdbad.5.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Thread created: C:\Windows\explorer.exe EIP: 2631930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Thread created: unknown EIP: 4A01930			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\CraHZCrkGP.exe	Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\drsdbad	Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad			Jump to behavior

Source: explorer.exe, 00000005.00000000.278658295.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.291768185.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.258363464.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.302629679.0000000008142000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.262213793.0000000005920000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.278681639.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.258377155.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.291787671.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\CraHZCrkGP.exe

Code function: 0_2_0041CC60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0041CC60

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 21.2.drsdbad.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.drsdbad.25a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CraHZCrkGP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CraHZCrkGP.exe.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.292819935.0000000002631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374142486.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374095976.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.315051537.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 21.2.drsdbad.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.drsdbad.25a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.CraHZCrkGP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CraHZCrkGP.exe.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.292819935.0000000002631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374142486.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.374095976.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.315051537.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

ID:	678052
Product:	CloudBasic
Start time:	13:56:05
Start date:	03.08.2022
Sample:	CraHZCrkGP.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	a8ef2558341a5ca8ac58ee543e260ee4
SHA1:	5585cc5f17f424639dae06d6feba403c78232f6a
SHA256:	19e29cc8b874c3dd5fa4b724fb6d5d51db0b7c2fd4e954bb7b1dda228b2225fb
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\drsdbad	PE32 executable (GUI) Intel 80386, for MS Windows	A8EF2558341A5CA8AC58EE543E260EE4	5585CC5F17F424639DAE06D6FEBA403C78232F6A	19E29CC8B874C3DD5FA4B724FB6D5D51DB0B7C2FD4E954BB7B1DDA228B2225FB
C:\Users\user\AppData\Roaming\drsdbad:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report
CraHZCrkGP.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report CraHZCrkGP.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
CraHZCrkGP.exe