
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 753428
MD5: 4ae4a84eba3264c433e0c1b92594c61b
SHA1: bc8ee7fb36f3e3c03638bc5b6bf0bc9dd7cc034b
SHA256: bb531c53e5dc8fcc1fe71ef481253b9d3fa86446e7205e750dc3d6ee5c2a5636
Tags: exe

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged

Classification

  • System is w10x64
  • file.exe (PID: 5996 cmdline: C:\Users\user\Desktop\file.exe MD5: 4AE4A84EBA3264C433E0C1B92594C61B)
    • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • vvtsewb (PID: 5936 cmdline: C:\Users\user\AppData\Roaming\vvtsewb MD5: 4AE4A84EBA3264C433E0C1B92594C61B)
  • cleanup
{"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source | Rule | Description | Author | Strings
  • 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
  • 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
    • 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
  • 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    • 0x5260:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  • 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Source | Rule | Description | Author | Strings
  • 2.2.vvtsewb.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 0.2.file.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 2.3.vvtsewb.7c0000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 2.2.vvtsewb.7b0e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
  • 0.2.file.exe.7e0e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: http://host-host-file8.com/ | URL Reputation: Label: malware
Source: host-file-host6.com | Virustotal: Detection: 19%
Source: host-host-file8.com | Virustotal: Detection: 17%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vvtsewb | Joe Sandbox ML: detected
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb | source: file.exe, vvtsewb.1.dr
Source: Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb | source: file.exe, vvtsewb.1.dr

Networking

Source: C:\Windows\explorer.exe | Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe | Domain query: host-host-file8.com
Source: Malware configuration extractor | URLs: http://host-file-host6.com/
Source: Malware configuration extractor | URLs: http://host-host-file8.com/
Source: Joe Sandbox View | ASN Name: COMBAHTONcombahtonGmbHDE
Source: Joe Sandbox View | IP Address: 84.21.172.159
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://dkkgeh.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 302
    Host: host-file-host6.com
Source: explorer.exe, 00000001.00000000.333055694.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303883320.000000000091F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://dkkgeh.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 302
    Host: host-file-host6.com
Source: unknown | DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: vvtsewb, 00000002.00000002.412945082.00000000009CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F025
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004170DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004138E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413E2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C635
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414370
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004157C9
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_0040F025
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_004170DC
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_004138E8
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_00413E2C
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_0040C635
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_00414370
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_004157C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040180C Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401818 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401822 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401826 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401834 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_0040180C Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_00401818 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_00401822 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_00401826 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_00401834 Sleep,NtTerminateProcess,
Source: file.exe | Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: vvtsewb.1.dr | Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\vvtsewb C:\Users\user\AppData\Roaming\vvtsewb
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\vvtsewb
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/2@4/1
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_009DD28E CreateToolhelp32Snapshot,Module32First,
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb | source: file.exe, vvtsewb.1.dr
Source: Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb | source: file.exe, vvtsewb.1.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vvtsewb | Unpacked PE file: 2.2.vvtsewb.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004011D0 push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004011D7 push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004011EB push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B4C1 push ecx; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E1252 push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E123E push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E1237 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_004011D0 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_004011D7 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_004011EB push ebx; iretd
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_0040B4C1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_009E2DA3 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_009DDF19 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_009DDF04 push ebx; iretd
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\vvtsewb

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\file.exe
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\vvtsewb:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Roaming\vvtsewb | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Windows\explorer.exe TID: 2772 | Thread sleep count: 663 > 30
Source: C:\Windows\explorer.exe TID: 5792 | Thread sleep count: 479 > 30
Source: C:\Windows\explorer.exe TID: 5792 | Thread sleep time: -47900s >= -30000s
Source: C:\Windows\explorer.exe TID: 5820 | Thread sleep count: 497 > 30
Source: C:\Windows\explorer.exe TID: 5820 | Thread sleep time: -49700s >= -30000s
Source: C:\Windows\explorer.exe TID: 3100 | Thread sleep count: 577 > 30
Source: C:\Windows\explorer.exe TID: 5068 | Thread sleep count: 413 > 30
Source: C:\Windows\explorer.exe TID: 5068 | Thread sleep time: -41300s >= -30000s
Source: C:\Windows\explorer.exe TID: 2372 | Thread sleep count: 395 > 30
Source: C:\Windows\explorer.exe TID: 2372 | Thread sleep time: -39500s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 663
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 479
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 497
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 577
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 413
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 395
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.304766305.00000000043B0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\vvtsewb | System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\vvtsewb | Code function: 2_2_009DCB6B push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\vvtsewb | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: vvtsewb.1.dr
Source: C:\Windows\explorer.exe | Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe | Domain query: host-host-file8.com
Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\vvtsewb | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\vvtsewb | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\Desktop\file.exe | Thread created: C:\Windows\explorer.exe EIP: 2901930
Source: C:\Users\user\AppData\Roaming\vvtsewb | Thread created: unknown EIP: 2971930
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.356626269.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.332831091.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.351679837.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303801289.0000000000878000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanLoc*U
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (a number in brackets is the count of matching signatures; cells without a number were not observed):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Exploitation for Client Execution [1] | DLL Side-Loading [1] | Process Injection [32] | Masquerading [11] | Input Capture [1] | Security Software Discovery [211] | Remote Services | Input Capture [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading [1] | Virtualization/Sandbox Evasion [12] | LSASS Memory | Virtualization/Sandbox Evasion [12] | Remote Desktop Protocol | Archive Collected Data [1] | Exfiltration Over Bluetooth | Non-Application Layer Protocol [2] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection [32] | Security Account Manager | Process Discovery [3] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol [112] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories [1] | NTDS | Application Window Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information [1] | LSA Secrets | System Information Discovery [3] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing [1] | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading [1] | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion [1] | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

Source | Detection | Scanner | Label
file.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\vvtsewb | 100% | Joe Sandbox ML |
2.3.vvtsewb.7c0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.vvtsewb.7b0e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.vvtsewb.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.file.exe.800000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.file.exe.7e0e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
host-file-host6.com | 20% | Virustotal |
host-host-file8.com | 18% | Virustotal |
http://host-file-host6.com/ | 0% | URL Reputation | safe
http://host-host-file8.com/ | 100% | URL Reputation | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
host-file-host6.com | 84.21.172.159 | true | true | | unknown
host-host-file8.com | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://host-file-host6.com/ | true | URL Reputation: safe | unknown
http://host-host-file8.com/ | true | URL Reputation: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000001.00000000.333055694.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303883320.000000000091F000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
84.21.172.159 | host-file-host6.com | Germany | 30823 | COMBAHTON combahton GmbH (DE) | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 753428
Start date and time: 2022-11-24 20:12:05 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/2@4/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 14% (good quality ratio 11.9%)
• Quality average: 45.2%
• Quality standard deviation: 27.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
20:13:46 | Task Scheduler | Run new task: Firefox Default Browser Agent 0A8EA222D941D8E8, path: C:\Users\user\AppData\Roaming\vvtsewb
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 192512
Entropy (8bit): 6.91435980932861
Encrypted: false
SSDEEP: 3072:WsKq2R3GPBzO0uLLO1PtKl5JOLAtsDXi2D4VSZAwbUOrsIUwUT7:0qmLLObVAtsDXi2lrbUOrwNP
MD5: 4AE4A84EBA3264C433E0C1B92594C61B
SHA1: BC8EE7FB36F3E3C03638BC5B6BF0BC9DD7CC034B
SHA-256: BB531C53E5DC8FCC1FE71EF481253B9D3FA86446E7205E750DC3D6EE5C2A5636
SHA-512: E9E1878DE9D124BD52EAE169A398C2DB91B12B5B832D5ED03B659EDA9B0B105892339ED47A8890EA5363F03D35EF8E0C59D19A36D98F321601C70FC05C144BE9
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.................................4................=................Rich...........................PE..L......a.....................>#......o............@...........................$......S......................................\...d.....$.............................p...............................P<..@............... ............................text............................... ..`.data.....".........................@....rsrc.........$..0..................@..@

Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
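The two persistence artefacts above belong together: the Task Scheduler entry "Firefox Default Browser Agent 0A8EA222D941D8E8" whose action is C:\Users\user\AppData\Roaming\vvtsewb (a byte-identical copy of file.exe, as the hashes show), and that file's Zone.Identifier stream, which the sample rewrote to ZoneId=0 ("Local Machine") so Windows does not treat the copy as a downloaded file. The Python below is an added example, not part of this report or of Joe Sandbox: it parses a constructed Zone.Identifier stream and a constructed task list modelled on the entries above and flags both. The task name copies the one Mozilla's installer registers; that the genuine task launches default-browser-agent.exe from the Firefox install directory is an assumption encoded in VENDOR_TASKS, and the second, benign task in SCHEDULED_TASKS is constructed.

```python
import re
from pathlib import PureWindowsPath

# URLZONE values the Attachment Execution Service writes into the Zone.Identifier stream
URL_ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
             3: "Internet", 4: "Restricted Sites"}

# Directories an unprivileged user can write to (lower-cased fragments of a full path)
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")

# Assumed: vendor task names that should only ever launch the vendor's own binary.
# Firefox registers "Firefox Default Browser Agent <16 hex digits>" pointing at
# default-browser-agent.exe in its install directory.
VENDOR_TASKS = {
    re.compile(r"^Firefox Default Browser Agent [0-9A-F]{16}$"):
        "\\mozilla firefox\\default-browser-agent.exe",
}

# Constructed inputs modelled on the report: the rewritten stream of the dropped copy,
# and a task list holding the malicious task next to an assumed genuine one.
DROPPED_PATH = r"C:\Users\user\AppData\Roaming\vvtsewb"
ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=0\r\n"
SCHEDULED_TASKS = [
    {"name": "Firefox Default Browser Agent 0A8EA222D941D8E8", "action": DROPPED_PATH},
    {"name": "Firefox Default Browser Agent 308046B0AF4A39CB",
     "action": r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe"},
]


def parse_zone_identifier(stream):
    """Parse the INI-style Zone.Identifier stream into a dict; ZoneId becomes an int.
    Returns {} when there is no [ZoneTransfer] section."""
    section, values = None, {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    if "ZoneId" in values:
        values["ZoneId"] = int(values["ZoneId"])
    return values


def zone_findings(path, stream):
    """A PE in a user-writable directory that carries ZoneId=0 did not get there through
    a browser download: the mark was removed or, as in this report, overwritten."""
    zone_id = parse_zone_identifier(stream).get("ZoneId")
    if zone_id == 0 and any(frag in path.lower() for frag in USER_WRITABLE):
        return [f"{path}: Zone.Identifier claims {URL_ZONES[0]} (ZoneId=0) although the file "
                "sits in a user-writable directory"]
    return []


def task_findings(tasks):
    """Flag tasks whose action runs from a user-writable path, has no extension, or
    borrows a vendor task name without pointing at the vendor's binary."""
    out = []
    for task in tasks:
        action, low = task["action"], task["action"].lower()
        if any(frag in low for frag in USER_WRITABLE):
            out.append(f"{task['name']}: action {action} runs from a user-writable directory")
        if not PureWindowsPath(action).suffix:
            out.append(f"{task['name']}: action {action} has no file extension")
        for pattern, expected_tail in VENDOR_TASKS.items():
            if pattern.match(task["name"]) and not low.endswith(expected_tail):
                out.append(f"{task['name']}: name mimics a vendor task but the action is not "
                           f"...{expected_tail}")
    return out


if __name__ == "__main__":
    for finding in zone_findings(DROPPED_PATH, ZONE_STREAM) + task_findings(SCHEDULED_TASKS):
        print(finding)
```

On a live system the stream is read with `open(path + ":Zone.Identifier")`, and the task list comes from `schtasks /query /xml` or the Task Scheduler COM API; the checks above are deliberately independent of either so they run against exported data. The genuine Firefox task produces no finding, the malicious one produces three.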
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.91435980932861
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 192512
MD5: 4ae4a84eba3264c433e0c1b92594c61b
SHA1: bc8ee7fb36f3e3c03638bc5b6bf0bc9dd7cc034b
SHA256: bb531c53e5dc8fcc1fe71ef481253b9d3fa86446e7205e750dc3d6ee5c2a5636
SHA512: e9e1878de9d124bd52eae169a398c2db91b12b5b832d5ed03b659eda9b0b105892339ed47a8890ea5363f03d35ef8e0c59d19a36d98f321601c70fc05c144be9
SSDEEP: 3072:WsKq2R3GPBzO0uLLO1PtKl5JOLAtsDXi2D4VSZAwbUOrsIUwUT7:0qmLLObVAtsDXi2lrbUOrwNP
TLSH: 3F14C03236C0C432C5AB55708D24EAA0EF7EB9315579964B7BE80B6D5F702D0A63B34B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.......................................4...................=...................Rich............................PE..L......a...
Icon Hash: 20e0c4ccccc6b214
Entrypoint: 0x406fe6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x612E2E88 [Tue Aug 31 13:28:40 2021 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 5a0f5eee1a1d8df02fd40c6cf3174a3d
Instruction (entrypoint preview, starting at 0x406fe6)
                  call 00007FBFFCA0D3C6h
                  jmp 00007FBFFCA05A4Eh
                  mov ecx, dword ptr [esp+04h]
                  test ecx, 00000003h
                  je 00007FBFFCA05BF6h
                  mov al, byte ptr [ecx]
                  add ecx, 01h
                  test al, al
                  je 00007FBFFCA05C20h
                  test ecx, 00000003h
                  jne 00007FBFFCA05BC1h
                  add eax, 00000000h
                  lea esp, dword ptr [esp+00000000h]
                  lea esp, dword ptr [esp+00000000h]
                  mov eax, dword ptr [ecx]
                  mov edx, 7EFEFEFFh
                  add edx, eax
                  xor eax, FFFFFFFFh
                  xor eax, edx
                  add ecx, 04h
                  test eax, 81010100h
                  je 00007FBFFCA05BBAh
                  mov eax, dword ptr [ecx-04h]
                  test al, al
                  je 00007FBFFCA05C04h
                  test ah, ah
                  je 00007FBFFCA05BF6h
                  test eax, 00FF0000h
                  je 00007FBFFCA05BE5h
                  test eax, FF000000h
                  je 00007FBFFCA05BD4h
                  jmp 00007FBFFCA05B9Fh
                  lea eax, dword ptr [ecx-01h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-02h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-03h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  lea eax, dword ptr [ecx-04h]
                  mov ecx, dword ptr [esp+04h]
                  sub eax, ecx
                  ret
                  cmp ecx, dword ptr [0042B980h]
                  jne 00007FBFFCA05BD4h
                  rep ret
                  jmp 00007FBFFCA0D3BDh
                  push eax
                  push dword ptr fs:[00000000h]
                  lea eax, dword ptr [esp+0Ch]
                  sub esp, dword ptr [esp+0Ch]
                  push ebx
                  push esi
                  push edi
                  mov dword ptr [eax], ebp
                  mov ebp, eax
                  mov eax, dword ptr [0042B980h]
                  xor eax, ebp
                  push eax
                  push dword ptr [ebp-04h]
                  mov dword ptr [ebp+00h], 00000000h
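The listing is compiler runtime, not the loader's own logic: it opens with the usual MSVC entry stub (a call to the cookie initialiser, then a jmp to the real startup routine), runs into the CRT strlen that the linker placed next to it (recognisable by the 7EFEFEFFh and 81010100h constants), then the cookie check (`cmp ecx, dword ptr [0042B980h]` compares against the security cookie, `rep ret` on success, jmp to the failure handler otherwise) and the start of an SEH prologue that XORs ebp with the same cookie. Knowing the pattern saves time when triaging an entry-point dump. The Python below is an added example, not part of the report: it reimplements the word-at-a-time NUL scan exactly as the listing performs it, including the byte-wise slow path that the four `test` instructions and the `jmp` back implement, which is needed because the carry trick can fire on a dword without a zero byte. The sample inputs are constructed.

```python
MASK32 = 0xFFFFFFFF

# Constructed inputs: a host name as it would sit in memory, plus a dword whose bytes
# (41 41 41 80) contain no zero yet trip the carry test.
SAMPLE_STRING = b"host-file-host6.com\0\0\0\0"
FALSE_POSITIVE_WORD = 0x80414141


def word_may_contain_zero(word):
    """The per-dword test from the listing:
         mov edx, 7EFEFEFFh ; add edx, eax ; xor eax, FFFFFFFFh ; xor eax, edx ; test eax, 81010100h
    False: no byte of `word` is zero.  True: a byte is zero, or a false positive of the
    carry trick, which the caller must sort out byte by byte."""
    edx = (word + 0x7EFEFEFF) & MASK32
    eax = (word ^ MASK32) ^ edx
    return (eax & 0x81010100) != 0


def crt_strlen(buf, start=0):
    """Length of the NUL-terminated string at buf[start:], scanned the way the listing does:
    single bytes until the pointer is 4-byte aligned (buf itself is taken to be aligned, so
    `start & 3` plays the role of `ecx & 3`), then one dword per iteration."""
    if 0 not in buf[start:]:
        raise ValueError("no NUL terminator in buffer")
    i = start
    while i & 3:                       # test ecx, 3 / jne: unaligned prologue
        if buf[i] == 0:
            return i - start
        i += 1
    while True:
        word = int.from_bytes(buf[i:i + 4], "little")
        i += 4                         # add ecx, 4
        if not word_may_contain_zero(word):
            continue                   # je: back to the top of the dword loop
        for k in range(4):             # test al,al / test ah,ah / test eax,00FF0000h / test eax,FF000000h
            if (word >> (8 * k)) & 0xFF == 0:
                return i - 4 + k - start   # lea eax,[ecx-4+k] ; sub eax,[esp+4]
        # all four bytes were non-zero: the test fired spuriously, keep scanning (the jmp)


if __name__ == "__main__":
    print(crt_strlen(SAMPLE_STRING), word_may_contain_zero(FALSE_POSITIVE_WORD))
```

The test fires spuriously only when a byte is 0x80 in a position where the added constant cannot carry through (the top byte here), which is why the real implementation re-checks and loops rather than trusting the mask; lengths are still exact for every input.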
                  Programming Language:
                  • [ASM] VS2008 build 21022
                  • [ C ] VS2008 build 21022
                  • [IMP] VS2005 build 50727
                  • [C++] VS2008 build 21022
                  • [RES] VS2008 build 21022
                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a05c | 0x64 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x249000 | 0x2ee8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1270 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3c50 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x220 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19cf4 | 0x19e00 | False | 0.5225505736714976 | data | 6.34350345002809 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x22dae8 | 0x11e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x249000 | 0x2ee8 | 0x3000 | False | 0.537353515625 | data | 4.913683051285504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
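The section table is the quickest static tell in this report: .data is 0x22dae8 bytes in memory but only 0x11e00 on disk, so the loader zero-fills roughly 2.2 MB of slack that the sample can populate at run time, and because that section is mapped read/write its protection has to be changed before anything written there can execute, which is what the "Detected unpacking (changes PE section rights)" signature in the overview observes. The Python below is an added example, not code from the report or from Joe Sandbox. It parses a constructed IMAGE_SECTION_HEADER table built from the three rows above (sizes, addresses and flags are the report's; the PointerToRawData values are assumed, taking 0x400 bytes of headers and file-contiguous sections, which also adds up to the 192512-byte file size) and reports the indicators a reviewer checks first.

```python
import struct

# IMAGE_SECTION_HEADER (winnt.h), little-endian, 40 bytes: Name[8], VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_LEN = struct.calcsize(SECTION_HEADER_FMT)

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

IMAGE_BASE = 0x400000        # report: Imagebase
ENTRY_POINT_VA = 0x406FE6    # report: Entrypoint


def make_section_header(name, vsize, va, rawsize, rawptr, chars):
    """Pack one IMAGE_SECTION_HEADER (relocation/line-number fields zero)."""
    return struct.pack(SECTION_HEADER_FMT, name.encode("ascii").ljust(8, b"\0"),
                       vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


# Constructed section table from the report's rows; PointerToRawData values are assumed.
SECTION_TABLE = (
    make_section_header(".text", 0x19CF4, 0x1000, 0x19E00, 0x400,
                        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    + make_section_header(".data", 0x22DAE8, 0x1B000, 0x11E00, 0x1A200,
                          IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    + make_section_header(".rsrc", 0x2EE8, 0x249000, 0x3000, 0x2C000,
                          IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
)


def parse_section_table(blob, count):
    """Decode `count` consecutive IMAGE_SECTION_HEADER records into dicts."""
    sections = []
    for i in range(count):
        chunk = blob[i * SECTION_HEADER_LEN:(i + 1) * SECTION_HEADER_LEN]
        if len(chunk) < SECTION_HEADER_LEN:
            raise ValueError("truncated section table")
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack(SECTION_HEADER_FMT, chunk)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": chars,
        })
    return sections


def rva_to_section(sections, rva):
    """Section whose mapped range (VirtualSize, or SizeOfRawData if larger) holds `rva`."""
    for s in sections:
        extent = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + extent:
            return s
    return None


def section_findings(sections, entry_point_va=ENTRY_POINT_VA, image_base=IMAGE_BASE,
                     slack_ratio=4.0):
    """Static packer/unpacker indicators: run-time slack, W+X sections, odd entry point."""
    findings = []
    for s in sections:
        if s["raw_size"] and s["virtual_size"] / s["raw_size"] >= slack_ratio:
            findings.append(
                f"{s['name']}: virtual size 0x{s['virtual_size']:x} is "
                f"{s['virtual_size'] / s['raw_size']:.0f}x its raw size 0x{s['raw_size']:x}; "
                "the loader zero-fills the difference, room for code written at run time")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: mapped writable and executable")
    ep = rva_to_section(sections, entry_point_va - image_base)
    if ep is None:
        findings.append(f"entry point 0x{entry_point_va:x} lies outside every section")
    elif not ep["characteristics"] & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry point 0x{entry_point_va:x} is in non-code section {ep['name']}")
    return findings


if __name__ == "__main__":
    for line in section_findings(parse_section_table(SECTION_TABLE, 3)):
        print(line)
```

For this sample only the .data slack fires: no section is writable and executable on disk, and the entry point sits inside .text, which is consistent with a custom crypter that stays inside a normally laid-out MSVC binary rather than a commodity packer that rewrites the section table.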
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2491f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Raeto-Romance | Switzerland
RT_ICON | 0x2498b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Raeto-Romance | Switzerland
RT_ICON | 0x249e20 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Raeto-Romance | Switzerland
RT_ICON | 0x24aec8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Raeto-Romance | Switzerland
RT_ICON | 0x24b850 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Raeto-Romance | Switzerland
RT_ACCELERATOR | 0x24bd08 | 0x98 | data | Raeto-Romance | Switzerland
RT_GROUP_ICON | 0x24bcb8 | 0x4c | data | Raeto-Romance | Switzerland
RT_VERSION | 0x24bda0 | 0x148 | x86 executable not stripped | |
DLL | Import
KERNEL32.dll | WriteConsoleInputA, EnumDateFormatsA, OpenMutexA, GetConsoleAliasExesLengthW, CopyFileExA, ReadConsoleOutputCharacterA, GetEnvironmentStrings, FreeUserPhysicalPages, QueryDosDeviceA, EnumCalendarInfoExA, GetProcessPriorityBoost, LocalSize, AddConsoleAliasW, CreateFileW, GetMailslotInfo, GetWindowsDirectoryA, GetModuleHandleW, VirtualFree, CreateDirectoryExA, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerW, GetVersionExA, SearchPathA, RequestWakeupLatency, CallNamedPipeW, GetCurrentDirectoryW, GetDriveTypeA, CreateMailslotW, BuildCommDCBAndTimeoutsA, GetProcAddress, GetModuleHandleA, LocalAlloc, FindNextFileA, TerminateThread, GetCommandLineW, FindFirstChangeNotificationA, VerifyVersionInfoA, DeleteTimerQueue, FindFirstVolumeA, GlobalFlags, GetTickCount, GetACP, GlobalWire, GetTapeParameters, HeapWalk, GetConsoleTitleA, InterlockedCompareExchange, EnumCalendarInfoA, GetNamedPipeHandleStateW, InterlockedDecrement, SetCalendarInfoA, TerminateProcess, MoveFileA, AddAtomW, FreeEnvironmentStringsW, SetConsoleTitleW, SetVolumeMountPointA, VirtualAlloc, SetConsoleActiveScreenBuffer, GetCPInfo, GetProcessIoCounters, GlobalFindAtomA, CreateFileA, CloseHandle, GetVolumeInformationA, EnumSystemCodePagesA, MoveFileWithProgressA, LoadLibraryW, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, RtlUnwind, GetLastError, DeleteFileA, GetStartupInfoW, HeapAlloc, HeapFree, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedInc
rement, SetLastError, GetCurrentThreadId, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameW, GetEnvironmentStringsW, HeapCreate, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, GetOEMCP, IsValidCodePage, HeapSize, LoadLibraryA, InitializeCriticalSectionAndSpinCount, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile
USER32.dll | GetComboBoxInfo, GetMessageExtraInfo, GetListBoxInfo
GDI32.dll | GetBoundsRect
ADVAPI32.dll | SetThreadToken
Language of compilation system | Country where language is spoken
Raeto-Romance | Switzerland
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2022 20:13:47.187021017 CET | 49707 | 80 | 192.168.2.5 | 84.21.172.159
Nov 24, 2022 20:13:47.215519905 CET | 80 | 49707 | 84.21.172.159 | 192.168.2.5
Nov 24, 2022 20:13:47.216058016 CET | 49707 | 80 | 192.168.2.5 | 84.21.172.159
Nov 24, 2022 20:13:47.216236115 CET | 49707 | 80 | 192.168.2.5 | 84.21.172.159
Nov 24, 2022 20:13:47.216314077 CET | 49707 | 80 | 192.168.2.5 | 84.21.172.159
Nov 24, 2022 20:13:47.244088888 CET | 80 | 49707 | 84.21.172.159 | 192.168.2.5
Nov 24, 2022 20:13:47.335669041 CET | 80 | 49707 | 84.21.172.159 | 192.168.2.5
Nov 24, 2022 20:13:47.335818052 CET | 49707 | 80 | 192.168.2.5 | 84.21.172.159
Nov 24, 2022 20:13:47.337459087 CET | 49707 | 80 | 192.168.2.5 | 84.21.172.159
Nov 24, 2022 20:13:47.366754055 CET | 80 | 49707 | 84.21.172.159 | 192.168.2.5
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2022 20:13:46.928529978 CET | 61452 | 53 | 192.168.2.5 | 8.8.8.8
Nov 24, 2022 20:13:47.183770895 CET | 53 | 61452 | 8.8.8.8 | 192.168.2.5
Nov 24, 2022 20:13:47.349159956 CET | 51484 | 53 | 192.168.2.5 | 8.8.8.8
Nov 24, 2022 20:13:48.338735104 CET | 51484 | 53 | 192.168.2.5 | 8.8.8.8
Nov 24, 2022 20:13:49.370031118 CET | 51484 | 53 | 192.168.2.5 | 8.8.8.8
Nov 24, 2022 20:13:51.378423929 CET | 53 | 51484 | 8.8.8.8 | 192.168.2.5
Nov 24, 2022 20:13:52.380325079 CET | 53 | 51484 | 8.8.8.8 | 192.168.2.5
Nov 24, 2022 20:13:53.396895885 CET | 53 | 51484 | 8.8.8.8 | 192.168.2.5
ICMP packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Nov 24, 2022 20:13:52.380429983 CET | 192.168.2.5 | 8.8.8.8 | cff8 | (Port unreachable) | Destination Unreachable
Nov 24, 2022 20:13:53.397217989 CET | 192.168.2.5 | 8.8.8.8 | cff8 | (Port unreachable) | Destination Unreachable
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2022 20:13:46.928529978 CET | 192.168.2.5 | 8.8.8.8 | 0xa2c5 | Standard query (0) | host-file-host6.com | A (IP address) | IN (0x0001) | false
Nov 24, 2022 20:13:47.349159956 CET | 192.168.2.5 | 8.8.8.8 | 0x417e | Standard query (0) | host-host-file8.com | A (IP address) | IN (0x0001) | false
Nov 24, 2022 20:13:48.338735104 CET | 192.168.2.5 | 8.8.8.8 | 0x417e | Standard query (0) | host-host-file8.com | A (IP address) | IN (0x0001) | false
Nov 24, 2022 20:13:49.370031118 CET | 192.168.2.5 | 8.8.8.8 | 0x417e | Standard query (0) | host-host-file8.com | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2022 20:13:47.183770895 CET | 8.8.8.8 | 192.168.2.5 | 0xa2c5 | No error (0) | host-file-host6.com | | 84.21.172.159 | A (IP address) | IN (0x0001) | false
Nov 24, 2022 20:13:51.378423929 CET | 8.8.8.8 | 192.168.2.5 | 0x417e | Server failure (2) | host-host-file8.com | none | none | A (IP address) | IN (0x0001) | false
Nov 24, 2022 20:13:52.380325079 CET | 8.8.8.8 | 192.168.2.5 | 0x417e | Server failure (2) | host-host-file8.com | none | none | A (IP address) | IN (0x0001) | false
Nov 24, 2022 20:13:53.396895885 CET | 8.8.8.8 | 192.168.2.5 | 0x417e | Server failure (2) | host-host-file8.com | none | none | A (IP address) | IN (0x0001) | false
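The DNS records show the two-tier C2 layout in the configuration: host-file-host6.com resolves on the first try (transaction 0xa2c5, answer 84.21.172.159, the peer of the TCP session on port 80 above), while host-host-file8.com is retried three times with the same transaction id 0x417e and only ever gets SERVFAIL, so late that the last two answers hit a UDP port the stub resolver has already closed, which is what the two ICMP Destination Unreachable (port unreachable) messages from 192.168.2.5 are. The Python below is an added example, not part of this report: it correlates constructed log lines carrying the same values in a compact one-record-per-line form, pairs queries with answers, lists names that were retried without ever resolving, and attributes the ICMP messages to the late answers. The log format and the 5 ms attribution window are assumptions.

```python
from collections import defaultdict

# Constructed log lines in a compact form of the tables above: clock, direction (Q/R),
# transaction id, name, then query type (Q) or reply code and address (R).
DNS_LOG = """\
20:13:46.928529978 Q 0xa2c5 host-file-host6.com A
20:13:47.183770895 R 0xa2c5 host-file-host6.com NOERROR 84.21.172.159
20:13:47.349159956 Q 0x417e host-host-file8.com A
20:13:48.338735104 Q 0x417e host-host-file8.com A
20:13:49.370031118 Q 0x417e host-host-file8.com A
20:13:51.378423929 R 0x417e host-host-file8.com SERVFAIL -
20:13:52.380325079 R 0x417e host-host-file8.com SERVFAIL -
20:13:53.396895885 R 0x417e host-host-file8.com SERVFAIL -
"""
# Constructed ICMP lines: clock, source, destination, message (the report's two entries)
ICMP_LOG = """\
20:13:52.380429983 192.168.2.5 8.8.8.8 port-unreachable
20:13:53.397217989 192.168.2.5 8.8.8.8 port-unreachable
"""


def parse_clock(text):
    """'HH:MM:SS.fraction' -> seconds since midnight; all events here are on one day."""
    hours, minutes, seconds = text.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_dns_log(text):
    """One dict per line; answers carry `rcode` and `addr` (None when there is no address)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        rec = {"t": parse_clock(fields[0]), "dir": fields[1],
               "txid": int(fields[2], 16), "name": fields[3]}
        if rec["dir"] == "Q":
            rec["qtype"] = fields[4]
        else:
            rec["rcode"] = fields[4]
            rec["addr"] = None if fields[5] == "-" else fields[5]
        records.append(rec)
    return records


def resolution_summary(records):
    """Per name: how often it was asked for, which addresses came back, which reply codes."""
    summary = defaultdict(lambda: {"queries": 0, "answers": [], "rcodes": []})
    for rec in records:
        entry = summary[rec["name"]]
        if rec["dir"] == "Q":
            entry["queries"] += 1
        else:
            entry["rcodes"].append(rec["rcode"])
            if rec["addr"]:
                entry["answers"].append(rec["addr"])
    return dict(summary)


def unresolved_retries(summary, min_queries=2):
    """Names asked for repeatedly that never yielded an address: a configured C2 whose
    DNS is dead, which the loader keeps trying regardless."""
    return sorted(name for name, entry in summary.items()
                  if entry["queries"] >= min_queries and not entry["answers"])


def orphaned_answers(records, icmp_text, window=0.005):
    """Answers the stub resolver had already given up on: the client emits ICMP port
    unreachable within `window` seconds of such an answer because the socket is gone."""
    icmp_times = [parse_clock(line.split()[0]) for line in icmp_text.splitlines() if line.strip()]
    return [(rec["txid"], rec["name"], rec["rcode"]) for rec in records
            if rec["dir"] == "R" and any(0 <= t - rec["t"] <= window for t in icmp_times)]


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print(unresolved_retries(resolution_summary(recs)))
    print(orphaned_answers(recs, ICMP_LOG))
```

In a real capture the same correlation is done on the (transaction id, name) pair, not on timing, and the orphan check is a useful sanity test for a sandbox run: a burst of port-unreachable messages right after DNS answers means the sample's resolver timed out, not that the upstream failed to respond at all.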
                  • dkkgeh.net
                    • host-file-host6.com


Target ID: 0
Start time: 20:12:55
Start date: 24/11/2022
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x400000
File size: 192512 bytes
MD5 hash: 4AE4A84EBA3264C433E0C1B92594C61B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 1
Start time: 20:13:02
Start date: 24/11/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff69bc80000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high

Target ID: 2
Start time: 20:13:46
Start date: 24/11/2022
Path: C:\Users\user\AppData\Roaming\vvtsewb
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\vvtsewb
Imagebase: 0x400000
File size: 192512 bytes
MD5 hash: 4AE4A84EBA3264C433E0C1B92594C61B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

                  No disassembly