Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:764031
MD5:56df4686b20d79d1e9070c908dbf9058
SHA1:ceceec6ec094b4979a4b9ac4049a38449982f8b2
SHA256:f6a9c1724adebd1e1bc54cb2b2e6cc49b8a6f11910a3b6acdfc6c5531a1d742b
Tags:exe
Infos:

Detection

SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 1440 cmdline: C:\Users\user\Desktop\file.exe MD5: 56DF4686B20D79D1E9070C908DBF9058)
    • file.exe (PID: 864 cmdline: C:\Users\user\Desktop\file.exe MD5: 56DF4686B20D79D1E9070C908DBF9058)
      • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • ehddsbh (PID: 6128 cmdline: C:\Users\user\AppData\Roaming\ehddsbh MD5: 56DF4686B20D79D1E9070C908DBF9058)
    • ehddsbh (PID: 5140 cmdline: C:\Users\user\AppData\Roaming\ehddsbh MD5: 56DF4686B20D79D1E9070C908DBF9058)
  • cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.446345716.0000000000583000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
  • 0x785e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.457448235.00000000005A1000.00000004.10000000.00040000.00000000.sdmpJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
    00000006.00000002.457448235.00000000005A1000.00000004.10000000.00040000.00000000.sdmpWindows_Trojan_Smokeloader_4e31426eunknownunknown
    • 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
    00000002.00000000.382917780.0000000002951000.00000020.80000000.00040000.00000000.sdmpJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
      00000002.00000000.382917780.0000000002951000.00000020.80000000.00040000.00000000.sdmpWindows_Trojan_Smokeloader_4e31426eunknownunknown
      • 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
      Click to see the 7 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.0.file.exe.400000.6.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
        6.0.ehddsbh.400000.6.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
          1.2.file.exe.400000.0.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
            6.0.ehddsbh.400000.5.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
              6.0.ehddsbh.400000.4.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
                Click to see the 5 entries

                Sigma Signatures

                No Sigma rule has matched

                Snort Signatures

                No Snort rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: http://host-host-file8.com/URL Reputation: Label: malware
                Machine Learning detection for sample
                Source: file.exeJoe Sandbox ML: detected
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\ehddsbhJoe Sandbox ML: detected
                Source: 6.0.ehddsbh.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                Source: 6.0.ehddsbh.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                Source: 1.0.file.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                Source: 6.0.ehddsbh.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                Source: 1.0.file.exe.400000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                Source: 6.0.ehddsbh.400000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                Source: 1.0.file.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                Source: 1.0.file.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                Source: 00000006.00000002.457358703.0000000000570000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: C:\cumadococive\hitofi_riyax76_temihaxaki_fawavow.pdb source: file.exe, ehddsbh.2.dr
                Source: Binary string: l<C:\cumadococive\hitofi_riyax76_temihaxaki_fawavow.pdbl2D source: file.exe, ehddsbh.2.dr

                Networking

                barindex
                System process connects to network (likely due to code injection or exploit)
                Source: C:\Windows\explorer.exeDomain query: host-file-host6.com
                Source: C:\Windows\explorer.exeDomain query: host-host-file8.com
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: http://host-file-host6.com/
                Source: Malware configuration extractorURLs: http://host-host-file8.com/
                Source: Joe Sandbox ViewASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
                Source: Joe Sandbox ViewIP Address: 84.21.172.159 84.21.172.159