Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	756294
MD5:	1cf06beb83d2bd1afd1b9b62994e7549
SHA1:	88bd7da7668fb669b5503696ee0a9c0f2dbeceb7
SHA256:	4dc0de570728f75f844c7afb84ac6c809ef4620dac3b12a884ff9916f5b5b0ee
Tags:	exeSmokeLoader
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Maps a DLL or memory area into another process

Machine Learning detection for sample

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Deletes itself after installation

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

AV process strings found (often used to terminate AV products)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Yara detected Keylogger Generic

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

file.exe (PID: 5200 cmdline: C:\Users\user\Desktop\file.exe MD5: 1CF06BEB83D2BD1AFD1B9B62994E7549)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

ADCA.exe (PID: 1432 cmdline: C:\Users\user\AppData\Local\Temp\ADCA.exe MD5: 2479739C5D062ECB325147623241F007)

rundll32.exe (PID: 4912 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4872 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 3808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

5AF.exe (PID: 5580 cmdline: C:\Users\user\AppData\Local\Temp\5AF.exe MD5: C81AB83835C2669DBE57C43DB54571B7)

dfhwrav (PID: 5440 cmdline: C:\Users\user\AppData\Roaming\dfhwrav MD5: 1CF06BEB83D2BD1AFD1B9B62994E7549)

5AF.exe (PID: 2388 cmdline: "C:\Users\user\AppData\Local\Temp\5AF.exe" MD5: C81AB83835C2669DBE57C43DB54571B7)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://piratia.su/tmp/", "http://dowe.at/tmp/", "http://xisac.com/tmp/", "http://newhorizonswv.com/tmp/", "http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.491008397.00000000005E9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xff0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x744:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.385320932.00000000020A1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.339969412.0000000000509000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x45a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000016.00000002.521716515.00000000020C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000A.00000002.477294048.00000000025CA000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.385296441.0000000002080000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x744:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000003.373157026.0000000002080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.384994661.00000000006D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.247155743.0000000002080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000016.00000002.517229882.0000000000413000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000000.327101814.0000000004E61000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000016.00000002.518252636.000000000059E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1218:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.486093572.0000000000413000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.340103222.0000000002070000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000009.00000002.385082783.00000000006F8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x49c0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.495741535.0000000002140000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.340254010.00000000020B1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x344:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000A.00000002.503903306.0000000002950000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: ADCA.exe PID: 1432	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.2070e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.2.file.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
9.3.dfhwrav.2080000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
9.2.dfhwrav.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
9.2.dfhwrav.6d0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.3.file.exe.2080000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
16.2.5AF.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.5AF.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10170:$s2: Elevation:Administrator!new:
22.2.5AF.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
22.2.5AF.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10170:$s2: Elevation:Administrator!new:
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 33%

Perma Link

Antivirus detection for URL or domain

Source: http://piratia.su/tmp/	URL Reputation: Label: malware
Source: http://piratia.su/tmp/	URL Reputation: Label: malware

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\dfhwrav	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5AF.exe	Joe Sandbox ML: detected

Source: 22.2.5AF.exe.23be12c.2.unpack

Avira: Label: TR/Patched.Ren.Gen7

Source: 00000000.00000002.340150414.0000000002080000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://piratia.su/tmp/", "http://dowe.at/tmp/", "http://xisac.com/tmp/", "http://newhorizonswv.com/tmp/", "http://cracker.biz/tmp/", "http://piratia-life.ru/tmp/"]}

Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Code function: 10_2_00878884 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	10_2_00878884
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Code function: 10_2_00881940 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	10_2_00881940
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Code function: 10_2_0087885C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,	10_2_0087885C
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Code function: 10_2_008799FF CryptDestroyHash,	10_2_008799FF
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Code function: 10_2_0087A511 CryptReleaseContext,	10_2_0087A511
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Code function: 10_2_00884967 CryptReleaseContext,	10_2_00884967
Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Code function: 10_2_00883F6C CryptDestroyHash,	10_2_00883F6C

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 16.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.5AF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.517229882.0000000000413000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.486093572.0000000000413000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\ADCA.exe	Unpacked PE file: 10.2.ADCA.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5AF.exe	Unpacked PE file: 16.2.5AF.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5AF.exe	Unpacked PE file: 22.2.5AF.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 5.135.247.111:443 -> 192.168.2.6:49739 version: TLS 1.2

Source:	Binary string: setupapi.pdbf source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.527754656.0000000004961000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.527963392.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5AF.exe, 00000016.00000002.637978186.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, 5AF.exe, 00000016.00000002.522529716.00000000023B8000.00000004.00000800.00020000.00000000.sdmp

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Windows Analysis Report
file.exe