
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 764039
MD5: 0d810e582a95debff5e1a72a76c602c9
SHA1: 486a963c02b9e7d5ecc2941c4dcb7f589954d7d7
SHA256: c57cafedd2e4617e24315cde0de7a6393610fb924e8bd4d3561ee3c4b2d90372
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5164 cmdline: C:\Users\user\Desktop\file.exe MD5: 0D810E582A95DEBFF5E1A72A76C602C9)
    • file.exe (PID: 6088 cmdline: C:\Users\user\Desktop\file.exe MD5: 0D810E582A95DEBFF5E1A72A76C602C9)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • rudwagu (PID: 5400 cmdline: C:\Users\user\AppData\Roaming\rudwagu MD5: 0D810E582A95DEBFF5E1A72A76C602C9)
    • rudwagu (PID: 1324 cmdline: C:\Users\user\AppData\Roaming\rudwagu MD5: 0D810E582A95DEBFF5E1A72A76C602C9)
  • cleanup
Malware configuration: {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Source | Rule | Description | Author | Strings
00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(7 further entries not shown)

Source | Rule | Description | Author | Strings
1.2.file.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
11.2.rudwagu.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
11.0.rudwagu.400000.5.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
10.2.rudwagu.6e15a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
11.0.rudwagu.400000.6.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
(2 further entries not shown)

No Sigma rule has matched
No Snort rule has matched
AV Detection

Source: http://host-host-file8.com/ | URL Reputation: Label: malware
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rudwagu | Joe Sandbox ML: detected
Source: 11.0.rudwagu.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.rudwagu.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.rudwagu.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.rudwagu.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\bicudo_cikiro\wuwud\cen26\rimitibifaru.pdb | source: file.exe, rudwagu.2.dr
Source: Binary string: ZC:\bicudo_cikiro\wuwud\cen26\rimitibifaru.pdb | source: file.exe, rudwagu.2.dr

Networking

Source: C:\Windows\explorer.exe | Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe | Domain query: host-host-file8.com
Source: Malware configuration extractor | URLs: http://host-file-host6.com/
Source: Malware configuration extractor | URLs: http://host-host-file8.com/
Source: Joe Sandbox View | ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
Source: Joe Sandbox View | IP Address: 84.21.172.159 84.21.172.159
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://hhsselotxu.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 321
    Host: host-file-host6.com
Source: explorer.exe, 00000002.00000000.299803671.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.329320639.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.259861471.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://hhsselotxu.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 321
    Host: host-file-host6.com
Source: unknown | DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rudwagu.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.rudwagu.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rudwagu.6e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.rudwagu.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.rudwagu.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.8e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.248700871.0000000000573000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.248700871.0000000000573000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004148D1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413C95
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD0A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004141D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00415632
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413751
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407BA1
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00408168 appears 45 times
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0040180C Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00401818 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00401822 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00401826 Sleep,NtTerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00401834 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 11_2_0040180C Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 11_2_00401818 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 11_2_00401822 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 11_2_00401826 Sleep,NtTerminateProcess,
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 11_2_00401834 Sleep,NtTerminateProcess,
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\rudwagu C:\Users\user\AppData\Roaming\rudwagu
Source: C:\Users\user\AppData\Roaming\rudwagu | Process created: C:\Users\user\AppData\Roaming\rudwagu C:\Users\user\AppData\Roaming\rudwagu
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\AppData\Roaming\rudwagu | Process created: C:\Users\user\AppData\Roaming\rudwagu C:\Users\user\AppData\Roaming\rudwagu
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\rudwagu
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/2@4/1
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 10_2_00729CB9 CreateToolhelp32Snapshot,Module32First,
Source: C:\Users\user\Desktop\file.exe | Command line argument: _.K>
Source: C:\Users\user\Desktop\file.exe | Command line argument: Cgx
Source: C:\Users\user\Desktop\file.exe | Command line argument: tf71
Source: C:\Users\user\Desktop\file.exe | Command line argument: yLmc
Source: C:\Users\user\Desktop\file.exe | Command line argument: /fY.
Source: C:\Users\user\Desktop\file.exe | Command line argument: NKR[
Source: C:\Users\user\Desktop\file.exe | Command line argument: mf:
Source: C:\Users\user\Desktop\file.exe | Command line argument: 5[$'
Source: C:\Users\user\Desktop\file.exe | Command line argument: ]q0r
Source: C:\Users\user\Desktop\file.exe | Command line argument: EuY
Source: C:\Users\user\Desktop\file.exe | Command line argument: +F28
Source: C:\Users\user\Desktop\file.exe | Command line argument: eVS
Source: C:\Users\user\Desktop\file.exe | Command line argument: pumitafoto
Source: C:\Users\user\Desktop\file.exe | Command line argument: msimg32.dll
Source: C:\Users\user\Desktop\file.exe | Command line argument: 0.txt
Source: C:\Users\user\Desktop\file.exe | Command line argument: kernel32.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\bicudo_cikiro\wuwud\cen26\rimitibifaru.pdb | source: file.exe, rudwagu.2.dr
Source: Binary string: ZC:\bicudo_cikiro\wuwud\cen26\rimitibifaru.pdb | source: file.exe, rudwagu.2.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004081AD push ecx; ret
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E198B push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E1977 push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E1970 push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004011D0 push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004011D7 push ebx; iretd
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004011EB push ebx; iretd
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 10_2_0072FA58 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 10_2_0072ABCC push ebx; iretd
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 10_2_0072ABB7 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 11_2_004011D0 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 11_2_004011D7 push ebx; iretd
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 11_2_004011EB push ebx; iretd
Source: file.exe | Static PE information: section name: .lokeris
Source: file.exe | Static PE information: section name: .zoyan
Source: rudwagu.2.dr | Static PE information: section name: .lokeris
Source: rudwagu.2.dr | Static PE information: section name: .zoyan
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DAD4 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\rudwagu
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\rudwagu

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\file.exe
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\rudwagu:Zone.Identifier read attributes | delete

Malware Analysis System Evasion

Source: rudwagu, 0000000B.00000002.408364797.00000000004DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOKC
Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\file.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rudwagu | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rudwagu | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rudwagu | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rudwagu | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rudwagu | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\rudwagu | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\explorer.exe TID: 4720 | Thread sleep count: 649 > 30
Source: C:\Windows\explorer.exe TID: 2216 | Thread sleep count: 338 > 30
Source: C:\Windows\explorer.exe TID: 2216 | Thread sleep time: -33800s >= -30000s
Source: C:\Windows\explorer.exe TID: 4784 | Thread sleep count: 384 > 30
Source: C:\Windows\explorer.exe TID: 4784 | Thread sleep time: -38400s >= -30000s
Source: C:\Windows\explorer.exe TID: 1272 | Thread sleep count: 527 > 30
Source: C:\Windows\explorer.exe TID: 1284 | Thread sleep count: 207 > 30
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 649
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 384
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 527
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: explorer.exe, 00000002.00000000.288891686.000000000F5F1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.331858237.00000000045B0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.317840368.00000000081DD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000002.00000000.273864988.0000000006710000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000002.00000000.288891686.000000000F5F1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ions-msP
Source: explorer.exe, 00000002.00000000.318294845.0000000008304000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.323608732.000000000F5F1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001^
Source: explorer.exe, 00000002.00000000.279146238.00000000082B2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.318036977.0000000008251000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\rudwagu | System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DAC5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DAD4 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00412320 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E0042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\rudwagu | Code function: 10_2_00729596 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\rudwagu | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C824 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411135 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040DAC5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040973F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\explorer.exe | File created: rudwagu.2.dr
                  Source: C:\Windows\explorer.exe | Domain query: host-file-host6.com
                  Source: C:\Windows\explorer.exe | Domain query: host-host-file8.com
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Roaming\rudwagu | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\rudwagu | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,
                  Source: C:\Users\user\Desktop\file.exe | Thread created: C:\Windows\explorer.exe EIP: 4EC1930
                  Source: C:\Users\user\AppData\Roaming\rudwagu | Thread created: unknown EIP: 2B11930
                  Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                  Source: C:\Users\user\AppData\Roaming\rudwagu | Process created: C:\Users\user\AppData\Roaming\rudwagu C:\Users\user\AppData\Roaming\rudwagu
                  Source: explorer.exe, 00000002.00000000.330057159.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.260169112.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.300570546.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: XProgram Manager
                  Source: explorer.exe, 00000002.00000000.330057159.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.273784795.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.341545832.000000000833A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: explorer.exe, 00000002.00000000.299803671.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.330057159.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.329320639.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
                  Source: explorer.exe, 00000002.00000000.330057159.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.260169112.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.300570546.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoA,
                  Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CBB2 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.rudwagu.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.0.rudwagu.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.rudwagu.6e15a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.0.rudwagu.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.0.rudwagu.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.file.exe.8e15a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

                  Remote Access Functionality

                  Source: Yara match | File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.rudwagu.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.0.rudwagu.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.rudwagu.6e15a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.0.rudwagu.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.0.rudwagu.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.file.exe.8e15a0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

                  ATT&CK Matrix (techniques listed per tactic; a number in front of a technique is the report's count badge for that technique)

                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                  Execution: 2 Command and Scripting Interpreter; 2 Native API; 1 Exploitation for Client Execution; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                  Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                  Privilege Escalation: 512 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                  Defense Evasion: 11 Masquerading; 12 Virtualization/Sandbox Evasion; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 File Deletion
                  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                  Discovery: 1 System Time Discovery; 331 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 14 System Information Discovery; Network Sniffing; Network Service Scanning; System Network Connections Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                  Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                  Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
                  Behavior Graph ID: 764039 | Sample: file.exe | Startdate: 09/12/2022 | Architecture: WINDOWS | Score: 100
                  Start (2) signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Yara detected SmokeLoader; 3 other signatures
                  • file.exe (7), started by 2
                    signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
                    • file.exe (12), started by 7
                      signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
                      • explorer.exe 2 (17), injected by 12
                        DNS/IP: host-file-host6.com 84.21.172.159, 49718, 80 COMBAHTONcombahtonGmbHDE Germany; host-host-file8.com
                        dropped: C:\Users\user\AppData\Roaming\rudwagu, PE32; C:\Users\user\...\rudwagu:Zone.Identifier, ASCII
                        signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
                  • rudwagu (10), started by 2
                    signatures: Machine Learning detection for dropped file
                    • rudwagu (15), started by 10
                      signatures: Creates a thread in another existing process (thread injection)

                  Source | Detection | Scanner | Label
                  file.exe | 100% | Joe Sandbox ML |
                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Roaming\rudwagu | 100% | Joe Sandbox ML |
                  Source | Detection | Scanner | Label
                  1.0.file.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  11.0.rudwagu.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  11.0.rudwagu.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  1.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  11.0.rudwagu.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
                  11.0.rudwagu.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
                  10.2.rudwagu.6e15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  11.2.rudwagu.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  1.0.file.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  1.0.file.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  11.0.rudwagu.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  11.0.rudwagu.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
                  0.2.file.exe.8e15a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  11.0.rudwagu.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  http://host-file-host6.com/ | 0% | URL Reputation | safe
                  http://host-host-file8.com/ | 100% | URL Reputation | malware
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  host-file-host6.com | 84.21.172.159 | true | true | | unknown
                  host-host-file8.com | unknown | unknown | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    http://host-file-host6.com/ | true | URL Reputation: safe | unknown
                    http://host-host-file8.com/ | true | URL Reputation: malware | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.299803671.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.329320639.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.259861471.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        84.21.172.159 | host-file-host6.com | Germany | 30823 | COMBAHTONcombahtonGmbHDE | true
                        Joe Sandbox Version:36.0.0 Rainbow Opal
                        Analysis ID:764039
                        Start date and time:2022-12-09 10:55:09 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 6m 46s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:file.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:13
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:1
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@6/2@4/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 91% (good quality ratio 83.5%)
                        • Quality average: 71.6%
                        • Quality standard deviation: 31.8%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, cdn.onenote.net
                        • Not all processes where analyzed, report is missing behavior information
                        Time | Type | Description
                        10:57:01 | Task Scheduler | Run new task: Firefox Default Browser Agent 635557CDEDEC7374 path: C:\Users\user\AppData\Roaming\rudwagu
                        Process:C:\Windows\explorer.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):391680
                        Entropy (8bit):5.905176085960016
                        Encrypted:false
                        SSDEEP:6144:rc/EL7Tgx5oWtxKD82s8hh6K9W9Ix5nKded89kTR:rXHTgvz/2TIK9W9Ix5nLaw
                        MD5:0D810E582A95DEBFF5E1A72A76C602C9
                        SHA1:486A963C02B9E7D5ECC2941C4DCB7F589954D7D7
                        SHA-256:C57CAFEDD2E4617E24315CDE0DE7A6393610FB924E8BD4D3561EE3C4B2D90372
                        SHA-512:FA74B3FBE4C9EEE7CF9FA8C27760E8315693380683A29BABEF33B30F6AD1FEAB670C6E2ABE92B5E0CBF9D44598C5ACD571A5C885D6DB7CA37C8947A01068D4E7
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L......b.................n...........p............@..........................`......Z........................................s..<............................@......................................0I..@............................................text...Vm.......n.................. ..`.data................r..............@....lokeris.....p.......&..............@..@.zoyan..p............2..............@..@.rsrc................6..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\explorer.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview:[ZoneTransfer]....ZoneId=0
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):5.905176085960016
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:391680
                        MD5:0d810e582a95debff5e1a72a76c602c9
                        SHA1:486a963c02b9e7d5ecc2941c4dcb7f589954d7d7
                        SHA256:c57cafedd2e4617e24315cde0de7a6393610fb924e8bd4d3561ee3c4b2d90372
                        SHA512:fa74b3fbe4c9eee7cf9fa8c27760e8315693380683a29babef33b30f6ad1feab670c6e2abe92b5e0cbf9d44598c5acd571a5c885d6db7ca37c8947a01068d4e7
                        SSDEEP:6144:rc/EL7Tgx5oWtxKD82s8hh6K9W9Ix5nKded89kTR:rXHTgvz/2TIK9W9Ix5nLaw
                        TLSH:0384CF013195C8F2C7A20D774816CBF1EA3BB42BFB249927F7583B5F6EF22914562A05
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L......b.................n.
                        Icon Hash:8286dccea68c9c84
                        Entrypoint:0x407096
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                        Time Stamp:0x622EE3A4 [Mon Mar 14 06:41:40 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:eeffe9860bc9c6507e24465b9b5239be
                        Instruction
                        call 00007F3448BA22FCh
                        jmp 00007F3448B9C65Eh
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        sub esp, 28h
                        xor eax, eax
                        push ebx
                        mov ebx, dword ptr [ebp+0Ch]
                        push esi
                        mov esi, dword ptr [ebp+10h]
                        push edi
                        mov edi, dword ptr [ebp+08h]
                        mov byte ptr [ebp-08h], al
                        mov byte ptr [ebp-07h], al
                        mov byte ptr [ebp-06h], al
                        mov byte ptr [ebp-05h], al
                        mov byte ptr [ebp-04h], al
                        mov byte ptr [ebp-03h], al
                        mov byte ptr [ebp-02h], al
                        mov byte ptr [ebp-01h], al
                        cmp dword ptr [004432C4h], eax
                        je 00007F3448B9C7F0h
                        push dword ptr [00446268h]
                        call 00007F3448BA1228h
                        pop ecx
                        jmp 00007F3448B9C7E7h
                        mov eax, 0040CC48h
                        mov ecx, dword ptr [ebp+14h]
                        mov edx, 000000A6h
                        cmp ecx, edx
                        jg 00007F3448B9C95Ah
                        je 00007F3448B9C941h
                        cmp ecx, 19h
                        jg 00007F3448B9C8DEh
                        je 00007F3448B9C8CFh
                        mov edx, ecx
                        push 00000002h
                        pop ecx
                        sub edx, ecx
                        je 00007F3448B9C8B3h
                        dec edx
                        je 00007F3448B9C8A3h
                        sub edx, 05h
                        je 00007F3448B9C88Bh
                        dec edx
                        je 00007F3448B9C86Ch
                        sub edx, 05h
                        je 00007F3448B9C853h
                        dec edx
                        je 00007F3448B9C827h
                        sub edx, 09h
                        jne 00007F3448B9C9BAh
                        mov dword ptr [ebp-28h], 00000003h
                        mov dword ptr [ebp-24h], 00401348h
                        fld qword ptr [edi]
                        lea ecx, dword ptr [ebp-28h]
                        fstp qword ptr [ebp-20h]
                        push ecx
                        fld qword ptr [ebx]
                        fstp qword ptr [ebp+00h]
                        Programming Language:
                        • [C++] VS2008 build 21022
                        • [ASM] VS2008 build 21022
                        • [ C ] VS2008 build 21022
                        • [IMP] VS2005 build 50727
                        • [RES] VS2008 build 21022
                        • [LNK] VS2008 build 21022
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x173c4 | 0x3c | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x1a510 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x64000 | 0xda4 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f0 | 0x1c | .text
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4930 | 0x40 | .text
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x19c | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x16d56 | 0x16e00 | False | 0.5953295765027322 | data | 6.7023696076283805 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .data | 0x18000 | 0x2e284 | 0x2b400 | False | 0.484662888367052 | data | 4.836772173500047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .lokeris | 0x47000 | 0xbb8 | 0xc00 | False | 0.008138020833333334 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .zoyan | 0x48000 | 0x270 | 0x400 | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .rsrc | 0x49000 | 0x1a510 | 0x1a600 | False | 0.6376721712085308 | data | 6.242624809610504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x64000 | 0x1c12 | 0x1e00 | False | 0.3893229166666667 | data | 3.8825366238972383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country
                        AFX_DIALOG_LAYOUT | 0x61450 | 0x2 | data | Slovak | Slovakia
                        AFX_DIALOG_LAYOUT | 0x61438 | 0x2 | data | Slovak | Slovakia
                        AFX_DIALOG_LAYOUT | 0x61440 | 0xc | data | Slovak | Slovakia
                        SUXUMOWUDAKOLA | 0x5f2d0 | 0x2107 | ASCII text, with very long lines (8455), with no line terminators | Slovak | Slovakia
                        RT_CURSOR | 0x61458 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Slovak | Slovakia
                        RT_CURSOR | 0x62300 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Slovak | Slovakia
                        RT_CURSOR | 0x62bd0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | Slovak | Slovakia
                        RT_CURSOR | 0x62d00 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x49990 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x4a058 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x4c600 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x4ca98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x4d940 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x4e1e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x4e750 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x50cf8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x51da0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x52728 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x52bf8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x53aa0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x54348 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x54a10 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x54f78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x57520 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x585c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Slovak | Slovakia
                        RT_ICON | 0x58a98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Slovak | Slovakia
                        RT_ICON | 0x59940 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Slovak | Slovakia
                        RT_ICON | 0x5a1e8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Slovak | Slovakia
                        RT_ICON | 0x5a8b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Slovak | Slovakia
                        RT_ICON | 0x5ae18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Slovak | Slovakia
                        RT_ICON | 0x5d3c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Slovak | Slovakia
                        RT_ICON | 0x5e468 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Slovak | Slovakia
                        RT_ICON | 0x5edf0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Slovak | Slovakia
                        RT_STRING | 0x62fc8 | 0x542 | data | Slovak | Slovakia
                        RT_ACCELERATOR | 0x613d8 | 0x40 | data | Slovak | Slovakia
                        RT_GROUP_CURSOR | 0x62ba8 | 0x22 | data | Slovak | Slovakia
                        RT_GROUP_CURSOR | 0x62db0 | 0x22 | data | Slovak | Slovakia
                        RT_GROUP_ICON | 0x58a30 | 0x68 | data | Slovak | Slovakia
                        RT_GROUP_ICON | 0x4ca68 | 0x30 | data | Slovak | Slovakia
                        RT_GROUP_ICON | 0x52b90 | 0x68 | data | Slovak | Slovakia
                        RT_GROUP_ICON | 0x5f258 | 0x76 | data | Slovak | Slovakia
                        RT_VERSION | 0x62dd8 | 0x1f0 | MS Windows COFF PowerPC object file | Slovak | Slovakia
                        None | 0x61418 | 0xa | data | Slovak | Slovakia
                        None | 0x61428 | 0xa | data | Slovak | Slovakia
                        DLL | Import
                        KERNEL32.dll | FillConsoleOutputCharacterA, GetCPInfo, GetProfileIntW, GetSystemDefaultLCID, GetModuleHandleW, WaitNamedPipeW, TlsSetValue, GetPriorityClass, GetVolumeInformationA, LoadLibraryW, IsProcessInJob, AssignProcessToJobObject, GetCalendarInfoW, GetFileAttributesA, TransactNamedPipe, WriteConsoleW, GetVolumePathNameA, CreateJobObjectA, GetVolumeNameForVolumeMountPointA, FillConsoleOutputCharacterW, GetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, SetFileAttributesA, LoadLibraryA, WriteConsoleA, GetProcessWorkingSetSize, LocalAlloc, OpenJobObjectW, FoldStringW, FoldStringA, FindFirstChangeNotificationA, GetFileInformationByHandle, FindActCtxSectionStringW, LCMapStringW, GetConsoleAliasesW, GetFullPathNameW, HeapFree, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, SetHandleCount, GetFileType, GetStartupInfoA, SetFilePointer, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, GetConsoleOutputCP, MultiByteToWideChar, SetStdHandle, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, GetModuleHandleA, HeapSize, GetLocaleInfoA, LCMapStringA, GetStringTypeA, GetStringTypeW, SetEndOfFile, GetProcessHeap, ReadFile
                        ADVAPI32.dll | BackupEventLogW
                        Language of compilation system | Country where language is spoken | Map
                        Slovak | Slovakia |
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 9, 2022 10:57:02.208288908 CET | 49718 | 80 | 192.168.2.6 | 84.21.172.159
                        Dec 9, 2022 10:57:02.234762907 CET | 80 | 49718 | 84.21.172.159 | 192.168.2.6
                        Dec 9, 2022 10:57:02.234988928 CET | 49718 | 80 | 192.168.2.6 | 84.21.172.159
                        Dec 9, 2022 10:57:02.237436056 CET | 49718 | 80 | 192.168.2.6 | 84.21.172.159
                        Dec 9, 2022 10:57:02.237474918 CET | 49718 | 80 | 192.168.2.6 | 84.21.172.159
                        Dec 9, 2022 10:57:02.264326096 CET | 80 | 49718 | 84.21.172.159 | 192.168.2.6
                        Dec 9, 2022 10:57:02.354650021 CET | 80 | 49718 | 84.21.172.159 | 192.168.2.6
                        Dec 9, 2022 10:57:02.354938984 CET | 49718 | 80 | 192.168.2.6 | 84.21.172.159
                        Dec 9, 2022 10:57:02.357903957 CET | 49718 | 80 | 192.168.2.6 | 84.21.172.159
                        Dec 9, 2022 10:57:02.386727095 CET | 80 | 49718 | 84.21.172.159 | 192.168.2.6
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 9, 2022 10:57:02.137377977 CET | 63229 | 53 | 192.168.2.6 | 8.8.8.8
                        Dec 9, 2022 10:57:02.156404972 CET | 53 | 63229 | 8.8.8.8 | 192.168.2.6
                        Dec 9, 2022 10:57:02.368879080 CET | 62538 | 53 | 192.168.2.6 | 8.8.8.8
                        Dec 9, 2022 10:57:03.383023024 CET | 62538 | 53 | 192.168.2.6 | 8.8.8.8
                        Dec 9, 2022 10:57:04.449312925 CET | 62538 | 53 | 192.168.2.6 | 8.8.8.8
                        Dec 9, 2022 10:57:06.409364939 CET | 53 | 62538 | 8.8.8.8 | 192.168.2.6
                        Dec 9, 2022 10:57:07.409687996 CET | 53 | 62538 | 8.8.8.8 | 192.168.2.6
                        Dec 9, 2022 10:57:08.477850914 CET | 53 | 62538 | 8.8.8.8 | 192.168.2.6
                        Timestamp | Source IP | Dest IP | Checksum | Code | Type
                        Dec 9, 2022 10:57:07.412796974 CET | 192.168.2.6 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
                        Dec 9, 2022 10:57:08.478075027 CET | 192.168.2.6 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Dec 9, 2022 10:57:02.137377977 CET | 192.168.2.6 | 8.8.8.8 | 0xe31c | Standard query (0) | host-file-host6.com | A (IP address) | IN (0x0001) | false
                        Dec 9, 2022 10:57:02.368879080 CET | 192.168.2.6 | 8.8.8.8 | 0x7334 | Standard query (0) | host-host-file8.com | A (IP address) | IN (0x0001) | false
                        Dec 9, 2022 10:57:03.383023024 CET | 192.168.2.6 | 8.8.8.8 | 0x7334 | Standard query (0) | host-host-file8.com | A (IP address) | IN (0x0001) | false
                        Dec 9, 2022 10:57:04.449312925 CET | 192.168.2.6 | 8.8.8.8 | 0x7334 | Standard query (0) | host-host-file8.com | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Dec 9, 2022 10:57:02.156404972 CET | 8.8.8.8 | 192.168.2.6 | 0xe31c | No error (0) | host-file-host6.com | | 84.21.172.159 | A (IP address) | IN (0x0001) | false
                        Dec 9, 2022 10:57:06.409364939 CET | 8.8.8.8 | 192.168.2.6 | 0x7334 | Server failure (2) | host-host-file8.com | none | none | A (IP address) | IN (0x0001) | false
                        Dec 9, 2022 10:57:07.409687996 CET | 8.8.8.8 | 192.168.2.6 | 0x7334 | Server failure (2) | host-host-file8.com | none | none | A (IP address) | IN (0x0001) | false
                        Dec 9, 2022 10:57:08.477850914 CET | 8.8.8.8 | 192.168.2.6 | 0x7334 | Server failure (2) | host-host-file8.com | none | none | A (IP address) | IN (0x0001) | false
                        • hhsselotxu.net
                        • host-file-host6.com


                        Target ID:0
                        Start time:10:55:58
                        Start date:09/12/2022
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\file.exe
                        Imagebase:0x400000
                        File size:391680 bytes
                        MD5 hash:0D810E582A95DEBFF5E1A72A76C602C9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.248700871.0000000000573000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                        Reputation:low

                        Target ID:1
                        Start time:10:56:04
                        Start date:09/12/2022
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\file.exe
                        Imagebase:0x400000
                        File size:391680 bytes
                        MD5 hash:0D810E582A95DEBFF5E1A72A76C602C9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                        Reputation:low

                        Target ID:2
                        Start time:10:56:10
                        Start date:09/12/2022
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff647860000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                        Reputation:high

                        Target ID:10
                        Start time:10:57:01
                        Start date:09/12/2022
                        Path:C:\Users\user\AppData\Roaming\rudwagu
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\rudwagu
                        Imagebase:0x400000
                        File size:391680 bytes
                        MD5 hash:0D810E582A95DEBFF5E1A72A76C602C9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        Reputation:low

                        Target ID:11
                        Start time:10:57:13
                        Start date:09/12/2022
                        Path:C:\Users\user\AppData\Roaming\rudwagu
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\rudwagu
                        Imagebase:0x400000
                        File size:391680 bytes
                        MD5 hash:0D810E582A95DEBFF5E1A72A76C602C9
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        Reputation:low

                        No disassembly