Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:753428
MD5:4ae4a84eba3264c433e0c1b92594c61b
SHA1:bc8ee7fb36f3e3c03638bc5b6bf0bc9dd7cc034b
SHA256:bb531c53e5dc8fcc1fe71ef481253b9d3fa86446e7205e750dc3d6ee5c2a5636
Tags:exe
Infos:

Detection

SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged

Classification

  • System is w10x64
  • file.exe (PID: 5996 cmdline: C:\Users\user\Desktop\file.exe MD5: 4AE4A84EBA3264C433E0C1B92594C61B)
    • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • vvtsewb (PID: 5936 cmdline: C:\Users\user\AppData\Roaming\vvtsewb MD5: 4AE4A84EBA3264C433E0C1B92594C61B)
  • cleanup
{"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
SourceRuleDescriptionAuthorStrings
00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_Smokeloader_3687686funknownunknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmpJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
    00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmpWindows_Trojan_Smokeloader_4e31426eunknownunknown
    • 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
    00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
    • 0x5260:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
    00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmpJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
      Click to see the 11 entries
      SourceRuleDescriptionAuthorStrings
      2.2.vvtsewb.400000.0.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
        0.2.file.exe.400000.0.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
          2.3.vvtsewb.7c0000.0.raw.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
            2.2.vvtsewb.7b0e67.1.raw.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
              0.2.file.exe.7e0e67.1.raw.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
                Click to see the 1 entries
                No Sigma rule has matched
                No Snort rule has matched

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Source: http://host-host-file8.com/URL Reputation: Label: malware
                Source: host-file-host6.comVirustotal: Detection: 19%Perma Link
                Source: host-host-file8.comVirustotal: Detection: 17%Perma Link
                Source: file.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\vvtsewbJoe Sandbox ML: detected
                Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
                Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                Source: Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr
                Source: Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr

                Networking

                barindex
                Source: C:\Windows\explorer.exeDomain query: host-file-host6.com
                Source: C:\Windows\explorer.exeDomain query: host-host-file8.com
                Source: Malware configuration extractorURLs: http://host-file-host6.com/
                Source: Malware configuration extractorURLs: http://host-host-file8.com/
                Source: Joe Sandbox ViewASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
                Source: Joe Sandbox ViewIP Address: 84.21.172.159 84.21.172.159
                Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dkkgeh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: host-file-host6.com
                Source: explorer.exe, 00000001.00000000.333055694.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303883320.000000000091F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: unknownHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dkkgeh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: host-file-host6.com
                Source: unknownDNS traffic detected: queries for: host-file-host6.com

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Source: Yara matchFile source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: vvtsewb, 00000002.00000002.412945082.00000000009CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                System Summary