Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:764038
MD5:6b8486d9065fb3105e8c8a14c58dd0ed
SHA1:b341177019c21155a02477b71a613b6c427cf067
SHA256:6acc6c36c8492b91f4fe44aeabc3ad69eea2765259108bacbfbc9b57bff24133
Tags:exe
Infos:

Detection

SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 4700 cmdline: C:\Users\user\Desktop\file.exe MD5: 6B8486D9065FB3105E8C8A14C58DD0ED)
    • file.exe (PID: 3340 cmdline: C:\Users\user\Desktop\file.exe MD5: 6B8486D9065FB3105E8C8A14C58DD0ED)
      • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • dubewge (PID: 5576 cmdline: C:\Users\user\AppData\Roaming\dubewge MD5: 6B8486D9065FB3105E8C8A14C58DD0ED)
    • dubewge (PID: 4036 cmdline: C:\Users\user\AppData\Roaming\dubewge MD5: 6B8486D9065FB3105E8C8A14C58DD0ED)
  • cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000000.377043487.0000000002971000.00000020.80000000.00040000.00000000.sdmpJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
    00000002.00000000.377043487.0000000002971000.00000020.80000000.00040000.00000000.sdmpWindows_Trojan_Smokeloader_4e31426eunknownunknown
    • 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
    00000006.00000002.453507425.0000000000460000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
      00000006.00000002.453507425.0000000000460000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Smokeloader_4e31426eunknownunknown
      • 0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
      00000001.00000002.389552753.00000000005A1000.00000004.10000000.00040000.00000000.sdmpJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
        Click to see the 7 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.0.file.exe.400000.6.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
          6.0.dubewge.400000.4.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
            1.0.file.exe.400000.4.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
              6.0.dubewge.400000.6.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
                0.2.file.exe.4915a0.1.raw.unpackJoeSecurity_SmokeLoader_2Yara detected SmokeLoaderJoe Security
                  Click to see the 5 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Snort Signatures

                  Timestamp:192.168.2.584.21.172.15949704802851815 12/09/22-10:55:01.226456
                  SID:2851815
                  Source Port:49704
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus detection for URL or domain
                  Source: http://host-host-file8.com/URL Reputation: Label: malware
                  Multi AV Scanner detection for domain / URL
                  Source: host-file-host6.comVirustotal: Detection: 19%Perma Link
                  Source: host-host-file8.comVirustotal: Detection: 17%Perma Link
                  Machine Learning detection for sample
                  Source: file.exeJoe Sandbox ML: detected
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\dubewgeJoe Sandbox ML: detected
                  Source: 1.0.file.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                  Source: 6.0.dubewge.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                  Source: 1.0.file.exe.400000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                  Source: 6.0.dubewge.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                  Source: 1.0.file.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                  Source: 6.0.dubewge.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                  Source: 1.0.file.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                  Source: 6.0.dubewge.400000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
                  Source: 00000006.00000002.453507425.0000000000460000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: Binary string: C:\ruren_yinevekow_hurawiya.pdb source: file.exe, dubewge.2.dr
                  Source: Binary string: DC:\ruren_yinevekow_hurawiya.pdb source: file.exe, dubewge.2.dr

                  Networking

                  barindex
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\explorer.exeDomain query: host-file-host6.com
                  Source: C:\Windows\explorer.exeDomain query: host-host-file8.com
                  Snort IDS alert for network traffic
                  Source: TrafficSnort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.5:49704 -> 84.21.172.159:80
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: http://host-file-host6.com/
                  Source: Malware configuration extractorURLs: http://host-host-file8.com/
                  Source: Joe Sandbox ViewASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
                  Source: Joe Sandbox ViewIP Address: 84.21.172.159 84.21.172.159
                  Source: global trafficHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://quargeql.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: host-file-host6.com
                  Source: explorer.exe, 00000002.00000000.376090770.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.348098249.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.316275876.000000000091F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
                  Source: unknownHTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://quargeql.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: host-file-host6.com
                  Source: unknownDNS traffic detected: queries for: host-file-host6.com

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Yara detected SmokeLoader
                  Source: Yara matchFile source: 1.0.file.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.dubewge.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.0.file.exe.400000.