Windows Analysis Report
ttguGDFHUX.exe

Overview

General Information

Sample Name: ttguGDFHUX.exe
Analysis ID: 678405
MD5: 17ea9707608c048bbc933e8fb365d483
SHA1: 430c8d8bcf6d095903ed3c1dcfe70a4a5cda32a1
SHA256: 22eae9c51337fd8dc6d1bb281a6e1ddb9990d906076cb3e1d89887eadbdfd374
Tags: ArkeiStealerexe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

barindex
Source: http://host-host-file8.com/ URL Reputation: Label: malware
Source: host-file-host6.com Virustotal: Detection: 25% Perma Link
Source: host-host-file8.com Virustotal: Detection: 21% Perma Link
Source: ttguGDFHUX.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vahfuah Joe Sandbox ML: detected
Source: 00000013.00000002.443589368.0000000000460000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source: ttguGDFHUX.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\warozopocir.pdb source: ttguGDFHUX.exe, vahfuah.5.dr
Source: Binary string: k3C:\warozopocir.pdb`ZB source: ttguGDFHUX.exe, vahfuah.5.dr

Networking

barindex
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Source: Malware configuration extractor URLs: http://host-file-host6.com/
Source: Malware configuration extractor URLs: http://host-host-file8.com/
Source: Joe Sandbox View ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View IP Address: 34.118.39.10 34.118.39.10
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://egppg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: host-file-host6.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://egppg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: host-file-host6.com
Source: unknown DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: 0.2.ttguGDFHUX.exe.25615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vahfuah.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ttguGDFHUX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vahfuah.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.365673212.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.443589368.0000000000460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.443651918.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.349492248.00000000044F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.365633312.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: ttguGDFHUX.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 1_2_0040180C Sleep,NtTerminateProcess, 1_2_0040180C
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 1_2_00401818 Sleep,NtTerminateProcess, 1_2_00401818
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 1_2_00401822 Sleep,NtTerminateProcess, 1_2_00401822
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 1_2_00401826 Sleep,NtTerminateProcess, 1_2_00401826
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 1_2_00401834 Sleep,NtTerminateProcess, 1_2_00401834
Source: C:\Users\user\AppData\Roaming\vahfuah Code function: 19_2_0040180C Sleep,NtTerminateProcess, 19_2_0040180C
Source: C:\Users\user\AppData\Roaming\vahfuah Code function: 19_2_00401818 Sleep,NtTerminateProcess, 19_2_00401818
Source: C:\Users\user\AppData\Roaming\vahfuah Code function: 19_2_00401822 Sleep,NtTerminateProcess, 19_2_00401822
Source: C:\Users\user\AppData\Roaming\vahfuah Code function: 19_2_00401826 Sleep,NtTerminateProcess, 19_2_00401826
Source: C:\Users\user\AppData\Roaming\vahfuah Code function: 19_2_00401834 Sleep,NtTerminateProcess, 19_2_00401834
Source: ttguGDFHUX.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ttguGDFHUX.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vahfuah.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vahfuah.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: ttguGDFHUX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vahfuah.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ttguGDFHUX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ttguGDFHUX.exe "C:\Users\user\Desktop\ttguGDFHUX.exe"
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Process created: C:\Users\user\Desktop\ttguGDFHUX.exe "C:\Users\user\Desktop\ttguGDFHUX.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\vahfuah C:\Users\user\AppData\Roaming\vahfuah
Source: C:\Users\user\AppData\Roaming\vahfuah Process created: C:\Users\user\AppData\Roaming\vahfuah C:\Users\user\AppData\Roaming\vahfuah
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Process created: C:\Users\user\Desktop\ttguGDFHUX.exe "C:\Users\user\Desktop\ttguGDFHUX.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Process created: C:\Users\user\AppData\Roaming\vahfuah C:\Users\user\AppData\Roaming\vahfuah Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vahfuah Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/2@4/2
Source: ttguGDFHUX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\warozopocir.pdb source: ttguGDFHUX.exe, vahfuah.5.dr
Source: Binary string: k3C:\warozopocir.pdb`ZB source: ttguGDFHUX.exe, vahfuah.5.dr
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 1_2_004011D0 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 1_2_004011D7 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 1_2_004011EB push ebx; iretd 1_2_00401217
Source: C:\Users\user\AppData\Roaming\vahfuah Code function: 19_2_004011D0 push ebx; iretd 19_2_00401217
Source: C:\Users\user\AppData\Roaming\vahfuah Code function: 19_2_004011D7 push ebx; iretd 19_2_00401217
Source: C:\Users\user\AppData\Roaming\vahfuah Code function: 19_2_004011EB push ebx; iretd 19_2_00401217
Source: initial sample Static PE information: section name: .text entropy: 7.414029743857001
Source: initial sample Static PE information: section name: .text entropy: 7.414029743857001
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vahfuah Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vahfuah Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\ttgugdfhux.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\vahfuah:Zone.Identifier read attributes | delete Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Windows\explorer.exe TID: 1320 Thread sleep count: 575 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1292 Thread sleep count: 266 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1300 Thread sleep count: 271 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5472 Thread sleep count: 440 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5476 Thread sleep count: 114 > 30 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 575 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 440 Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe System information queried: ModuleInformation Jump to behavior
Source: explorer.exe, 00000005.00000000.356253114.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.356253114.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.316974919.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.317105362.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000005.00000000.301543334.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000005.00000000.319383324.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000005.00000000.356923821.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.356253114.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l

Anti Debugging

barindex
Source: C:\Users\user\Desktop\ttguGDFHUX.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\explorer.exe File created: vahfuah.5.dr Jump to dropped file
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Thread created: C:\Windows\explorer.exe EIP: 44F1930 Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Thread created: unknown EIP: 4A01930 Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Process created: C:\Users\user\Desktop\ttguGDFHUX.exe "C:\Users\user\Desktop\ttguGDFHUX.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\vahfuah Process created: C:\Users\user\AppData\Roaming\vahfuah C:\Users\user\AppData\Roaming\vahfuah Jump to behavior
Source: explorer.exe, 00000005.00000000.345762021.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.286557807.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.317011550.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.306306342.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.352465052.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.346490332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.346490332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.286913081.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.317787883.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.346490332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.286913081.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.317787883.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.345879179.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.286570440.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.317105362.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.346490332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.286913081.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.317787883.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\ttguGDFHUX.exe Code function: 0_2_0041C9B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0041C9B0

Stealing of Sensitive Information

barindex
Source: Yara match File source: 0.2.ttguGDFHUX.exe.25615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vahfuah.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ttguGDFHUX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vahfuah.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.365673212.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.443589368.0000000000460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.443651918.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.349492248.00000000044F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.365633312.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

barindex
Source: Yara match File source: 0.2.ttguGDFHUX.exe.25615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vahfuah.26115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ttguGDFHUX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vahfuah.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.365673212.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.443589368.0000000000460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.443651918.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.349492248.00000000044F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.365633312.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs