Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	753428
MD5:	4ae4a84eba3264c433e0c1b92594c61b
SHA1:	bc8ee7fb36f3e3c03638bc5b6bf0bc9dd7cc034b
SHA256:	bb531c53e5dc8fcc1fe71ef481253b9d3fa86446e7205e750dc3d6ee5c2a5636
Tags:	exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Maps a DLL or memory area into another process

Machine Learning detection for sample

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: host-file-host6.com	Virustotal: Detection: 19%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 17%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\vvtsewb

Joe Sandbox ML: detected

Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr
Source:	Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 84.21.172.159 84.21.172.159

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dkkgeh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: host-file-host6.com

Source: explorer.exe, 00000001.00000000.333055694.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303883320.000000000091F000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: vvtsewb, 00000002.00000002.412945082.00000000009CA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F025	0_2_0040F025
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004170DC	0_2_004170DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004138E8	0_2_004138E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413E2C	0_2_00413E2C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C635	0_2_0040C635
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414370	0_2_00414370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004157C9	0_2_004157C9
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_0040F025	2_2_0040F025
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004170DC	2_2_004170DC
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004138E8	2_2_004138E8
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00413E2C	2_2_00413E2C
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_0040C635	2_2_0040C635
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00414370	2_2_00414370
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004157C9	2_2_004157C9

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040180C Sleep,NtTerminateProcess,	0_2_0040180C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401818 Sleep,NtTerminateProcess,	0_2_00401818
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401822 Sleep,NtTerminateProcess,	0_2_00401822
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401826 Sleep,NtTerminateProcess,	0_2_00401826
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401834 Sleep,NtTerminateProcess,	0_2_00401834
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_0040180C Sleep,NtTerminateProcess,	2_2_0040180C
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00401818 Sleep,NtTerminateProcess,	2_2_00401818
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00401822 Sleep,NtTerminateProcess,	2_2_00401822
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00401826 Sleep,NtTerminateProcess,	2_2_00401826
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00401834 Sleep,NtTerminateProcess,	2_2_00401834

PE file contains executable resources (Code or Archives)

Source: file.exe	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: vvtsewb.1.dr	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped

Tries to load missing DLLs

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vvtsewb C:\Users\user\AppData\Roaming\vvtsewb

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vvtsewb

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/2@4/1

Source: C:\Users\user\AppData\Roaming\vvtsewb

Code function: 2_2_009DD28E CreateToolhelp32Snapshot,Module32First,

2_2_009DD28E

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr
Source:	Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vvtsewb	Unpacked PE file: 2.2.vvtsewb.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004011D0 push ebx; iretd	0_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004011D7 push ebx; iretd	0_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004011EB push ebx; iretd	0_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B4C1 push ecx; ret	0_2_0040B4D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1252 push ebx; iretd	0_2_007E127E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E123E push ebx; iretd	0_2_007E127E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1237 push ebx; iretd	0_2_007E127E
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004011D0 push ebx; iretd	2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004011D7 push ebx; iretd	2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004011EB push ebx; iretd	2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_0040B4C1 push ecx; ret	2_2_0040B4D4
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_009E2DA3 pushad ; iretd	2_2_009E2DA9
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_009DDF19 push ebx; iretd	2_2_009DDF44
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_009DDF04 push ebx; iretd	2_2_009DDF44

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vvtsewb

Jump to dropped file

Drops PE files

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vvtsewb

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\vvtsewb:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 2772	Thread sleep count: 663 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5792	Thread sleep count: 479 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5792	Thread sleep time: -47900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5820	Thread sleep count: 497 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5820	Thread sleep time: -49700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3100	Thread sleep count: 577 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5068	Thread sleep count: 413 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5068	Thread sleep time: -41300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2372	Thread sleep count: 395 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2372	Thread sleep time: -39500s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 663	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 479	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 497	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 577	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 413	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 395	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.304766305.00000000043B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E092B mov eax, dword ptr fs:[00000030h]	0_2_007E092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E0D90 mov eax, dword ptr fs:[00000030h]	0_2_007E0D90
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_009DCB6B push dword ptr fs:[00000030h]	2_2_009DCB6B

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: vvtsewb.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 2901930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Thread created: unknown EIP: 2971930			Jump to behavior

Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.356626269.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.332831091.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.351679837.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303801289.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.21.172.159	host-file-host6.com	Germany		30823	COMBAHTONcombahtonGmbHDE	true

Contacted Domains

Name	IP	Active
host-file-host6.com	84.21.172.159	true
host-host-file8.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-file-host6.com/	true	URL Reputation: safe	unknown
http://host-host-file8.com/	true	URL Reputation: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: host-file-host6.com	Virustotal: Detection: 19%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 17%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\vvtsewb

Joe Sandbox ML: detected

Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr
Source:	Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 84.21.172.159 84.21.172.159

Uses a known web browser user agent for HTTP communication

Source: global traffic

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: vvtsewb, 00000002.00000002.412945082.00000000009CA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F025	0_2_0040F025
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004170DC	0_2_004170DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004138E8	0_2_004138E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413E2C	0_2_00413E2C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C635	0_2_0040C635
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414370	0_2_00414370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004157C9	0_2_004157C9
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_0040F025	2_2_0040F025
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004170DC	2_2_004170DC
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004138E8	2_2_004138E8
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00413E2C	2_2_00413E2C
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_0040C635	2_2_0040C635
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00414370	2_2_00414370
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004157C9	2_2_004157C9

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040180C Sleep,NtTerminateProcess,	0_2_0040180C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401818 Sleep,NtTerminateProcess,	0_2_00401818
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401822 Sleep,NtTerminateProcess,	0_2_00401822
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401826 Sleep,NtTerminateProcess,	0_2_00401826
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401834 Sleep,NtTerminateProcess,	0_2_00401834
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_0040180C Sleep,NtTerminateProcess,	2_2_0040180C
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00401818 Sleep,NtTerminateProcess,	2_2_00401818
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00401822 Sleep,NtTerminateProcess,	2_2_00401822
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00401826 Sleep,NtTerminateProcess,	2_2_00401826
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_00401834 Sleep,NtTerminateProcess,	2_2_00401834

PE file contains executable resources (Code or Archives)

Source: file.exe	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: vvtsewb.1.dr	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped

Tries to load missing DLLs

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vvtsewb C:\Users\user\AppData\Roaming\vvtsewb

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vvtsewb

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/2@4/1

Source: C:\Users\user\AppData\Roaming\vvtsewb

Code function: 2_2_009DD28E CreateToolhelp32Snapshot,Module32First,

2_2_009DD28E

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr
Source:	Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vvtsewb	Unpacked PE file: 2.2.vvtsewb.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004011D0 push ebx; iretd	0_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004011D7 push ebx; iretd	0_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004011EB push ebx; iretd	0_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B4C1 push ecx; ret	0_2_0040B4D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1252 push ebx; iretd	0_2_007E127E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E123E push ebx; iretd	0_2_007E127E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1237 push ebx; iretd	0_2_007E127E
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004011D0 push ebx; iretd	2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004011D7 push ebx; iretd	2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_004011EB push ebx; iretd	2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_0040B4C1 push ecx; ret	2_2_0040B4D4
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_009E2DA3 pushad ; iretd	2_2_009E2DA9
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_009DDF19 push ebx; iretd	2_2_009DDF44
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_009DDF04 push ebx; iretd	2_2_009DDF44

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vvtsewb

Jump to dropped file

Drops PE files

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vvtsewb

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\vvtsewb:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 2772	Thread sleep count: 663 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5792	Thread sleep count: 479 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5792	Thread sleep time: -47900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5820	Thread sleep count: 497 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5820	Thread sleep time: -49700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3100	Thread sleep count: 577 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5068	Thread sleep count: 413 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5068	Thread sleep time: -41300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2372	Thread sleep count: 395 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2372	Thread sleep time: -39500s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 663	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 479	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 497	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 577	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 413	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 395	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.304766305.00000000043B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	System information queried: CodeIntegrityInformation			Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E092B mov eax, dword ptr fs:[00000030h]	0_2_007E092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E0D90 mov eax, dword ptr fs:[00000030h]	0_2_007E0D90
Source: C:\Users\user\AppData\Roaming\vvtsewb	Code function: 2_2_009DCB6B push dword ptr fs:[00000030h]	2_2_009DCB6B

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: vvtsewb.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 2901930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb	Thread created: unknown EIP: 2971930			Jump to behavior

Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.356626269.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.332831091.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.351679837.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303801289.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

ID:	753428
Product:	CloudBasic
Start time:	20:12:05
Start date:	24.11.2022
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4ae4a84eba3264c433e0c1b92594c61b
SHA1:	bc8ee7fb36f3e3c03638bc5b6bf0bc9dd7cc034b
SHA256:	bb531c53e5dc8fcc1fe71ef481253b9d3fa86446e7205e750dc3d6ee5c2a5636
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\vvtsewb	PE32 executable (GUI) Intel 80386, for MS Windows	4AE4A84EBA3264C433E0C1B92594C61B	BC8EE7FB36F3E3C03638BC5B6BF0BC9DD7CC034B	BB531C53E5DC8FCC1FE71EF481253B9D3FA86446E7205E750DC3D6EE5C2A5636
C:\Users\user\AppData\Roaming\vvtsewb:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe