Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756303
MD5: 2479739c5d062ecb325147623241f007
SHA1: 4394b6d2ca4ed82a5f2d70d10cd05cfa3b35ab2c
SHA256: 728de9789af5f2ebc9ac2fac80fee25b186bc5b3acb960650934377f0c77726d
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Yara signature match
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Keylogger Generic
Uses Microsoft's Enhanced Cryptographic Provider
PE file contains executable resources (Code or Archives)

Classification

AV Detection

Source: file.exe Virustotal: Detection: 38%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00878884 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00878884
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00881940 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext, 0_2_00881940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087885C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash, 0_2_0087885C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008799FF CryptDestroyHash, 0_2_008799FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087A511 CryptReleaseContext, 0_2_0087A511
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00884967 CryptReleaseContext, 0_2_00884967
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00883F6C CryptDestroyHash, 0_2_00883F6C

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: file.exe
Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: file.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D450 FindFirstFileW,FindClose, 0_2_0040D450
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004235B0 FindFirstFileW,FindClose, 0_2_004235B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_0040CE84
Source: file.exe, 00000000.00000002.258207764.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Yara match File source: Process Memory Space: file.exe PID: 3548, type: MEMORYSTR

System Summary

Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00881940 0_2_00881940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00897244 0_2_00897244
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00885B34 0_2_00885B34
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008770C4 0_2_008770C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BA8DC 0_2_006BA8DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00889622 0_2_00889622
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088C79C 0_2_0088C79C
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040ACB4 appears 34 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040A3C0 appears 76 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040A0C0 appears 300 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040AEFC appears 33 times
Source: file.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: file.exe Virustotal: Detection: 38%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_027667C6 CreateToolhelp32Snapshot,Module32First, 0_2_027667C6
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5248
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll
Source: classification engine Classification label: mal60.evad.winEXE@4/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 3776000 > 1048576
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x386000
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: file.exe
Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: file.exe

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.edata:R;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00422F40 push ecx; mov dword ptr [esp], ecx 0_2_00422F44
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02767597 pushad ; iretd 0_2_02767598
Source: Serpodtudpwhhta.dll.0.dr Static PE information: section name: .didata
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0085E760 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0085E760
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000042A6EB0 second address: 00000000042A778E instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-0Ch], edx 0x00000005 mov dword ptr [ebp-24h], 0000000Dh 0x0000000c mov eax, 00000001h 0x00000011 cmp eax, 00000000h 0x00000014 jnbe 00007F93209DD1A3h 0x00000016 mov eax, dword ptr [ebp-0Ch] 0x00000019 sub eax, dword ptr [ebp-04h] 0x0000001c cmp eax, dword ptr [ebp-24h] 0x0000001f jnl 00007F93209DD1AAh 0x00000021 inc dword ptr [ebp-14h] 0x00000024 jmp 00007F93209DD810h 0x00000029 mov eax, 00000000h 0x0000002e cmp eax, 00000000h 0x00000031 je 00007F93209DD1A3h 0x00000033 cmp dword ptr [ebp-14h], 02h 0x00000037 jng 00007F93209DD3DAh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D450 FindFirstFileW,FindClose, 0_2_0040D450
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004235B0 FindFirstFileW,FindClose, 0_2_004235B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_0040CE84
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_027660A3 push dword ptr fs:[00000030h] 0_2_027660A3
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087C50C InitializeSecurityDescriptor,InitializeAcl,CreateWellKnownSid,CreateWellKnownSid,AddAccessAllowedAce,SetSecurityDescriptorDacl, 0_2_0087C50C
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_0040D588
Source: C:\Users\user\Desktop\file.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0040CA28
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000003.243980722.000000007F700000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.252501992.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000000.255187116.0000000003EC1000.00000020.00000001.01000000.00000004.sdmp, Serpodtudpwhhta.dll.0.dr Binary or memory string: MSASCui.exe
No contacted IP infos