Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 800803
MD5: 04a988e37b8ea5facd28a7d42764f597
SHA1: 1182f9d0de33e9363c7777f3f76d26c179a856e6
SHA256: 7b734abb20157ca48892547a61f80013138e9659b0942895991a9ab49fdadf79
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found evaded block containing many API calls
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 46%
Source: file.exe Virustotal: Detection: 35% Perma Link
Antivirus detection for URL or domain
Source: http://host-host-file8.com/ URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: host-file-host6.com Virustotal: Detection: 17% Perma Link
Source: host-host-file8.com Virustotal: Detection: 17% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\vhefigi ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Roaming\vhefigi Virustotal: Detection: 35% Perma Link
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\vhefigi Joe Sandbox ML: detected
Source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\bonibewejed-jubezilopezibi\bun.pdb source: file.exe, vhefigi.2.dr
Source: Binary string: C:\bonibewejed-jubezilopezibi\bun.pdbx source: file.exe, vhefigi.2.dr

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Network Connect: 185.246.221.63 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://host-file-host6.com/
Source: Malware configuration extractor URLs: http://host-host-file8.com/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.246.221.63 185.246.221.63
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uclahet.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: host-file-host6.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uclahet.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: host-file-host6.com
Source: unknown DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0.2.file.exe.5815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.vhefigi.7d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.vhefigi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: vhefigi, 0000000B.00000002.387737312.00000000008BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.270582685.00000000005B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.270582685.00000000005B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041546C 0_2_0041546C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B413 0_2_0040B413
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411D60 0_2_00411D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413E31 0_2_00413E31
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00412EE0 0_2_00412EE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004122A4 0_2_004122A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004127E8 0_2_004127E8
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040B9DC appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040180C Sleep,NtTerminateProcess, 1_2_0040180C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401818 Sleep,NtTerminateProcess, 1_2_00401818
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401822 Sleep,NtTerminateProcess, 1_2_00401822
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401826 Sleep,NtTerminateProcess, 1_2_00401826
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401834 Sleep,NtTerminateProcess, 1_2_00401834
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 12_2_0040180C Sleep,NtTerminateProcess, 12_2_0040180C
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 12_2_00401818 Sleep,NtTerminateProcess, 12_2_00401818
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 12_2_00401822 Sleep,NtTerminateProcess, 12_2_00401822
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 12_2_00401826 Sleep,NtTerminateProcess, 12_2_00401826
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 12_2_00401834 Sleep,NtTerminateProcess, 12_2_00401834
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe ReversingLabs: Detection: 46%
Source: file.exe Virustotal: Detection: 35%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\vhefigi C:\Users\user\AppData\Roaming\vhefigi
Source: C:\Users\user\AppData\Roaming\vhefigi Process created: C:\Users\user\AppData\Roaming\vhefigi C:\Users\user\AppData\Roaming\vhefigi
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Process created: C:\Users\user\AppData\Roaming\vhefigi C:\Users\user\AppData\Roaming\vhefigi Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DAC2C1E-7C5C-40eb-833B-323E85A1CE84}\InProcServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/2@4/2
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 11_2_008CC0D2 CreateToolhelp32Snapshot,Module32First, 11_2_008CC0D2
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\bonibewejed-jubezilopezibi\bun.pdb source: file.exe, vhefigi.2.dr
Source: Binary string: C:\bonibewejed-jubezilopezibi\bun.pdbx source: file.exe, vhefigi.2.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vhefigi Unpacked PE file: 12.2.vhefigi.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BA21 push ecx; ret 0_2_0040BA34
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406EB0 push eax; ret 0_2_00406ECE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004011D0 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004011D7 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004011EB push ebx; iretd 1_2_00401217
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 11_2_008CCFD0 push ebx; iretd 11_2_008CD010
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 11_2_008CCFE5 push ebx; iretd 11_2_008CD010
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 11_2_008D1E71 pushad ; iretd 11_2_008D1E77
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 12_2_004011D0 push ebx; iretd 12_2_00401217
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 12_2_004011D7 push ebx; iretd 12_2_00401217
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 12_2_004011EB push ebx; iretd 12_2_00401217
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004046F6 LoadLibraryA,GetProcAddress,VirtualProtect, 0_2_004046F6
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vhefigi Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vhefigi Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\vhefigi:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5944 Thread sleep count: 389 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1316 Thread sleep count: 340 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1316 Thread sleep time: -34000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5924 Thread sleep count: 203 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3588 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1012 Thread sleep count: 487 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1200 Thread sleep count: 253 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1184 Thread sleep count: 129 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 389 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 487 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 866 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 858 Jump to behavior
Found evaded block containing many API calls
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: explorer.exe, 00000002.00000000.305414665.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.305414665.0000000007B66000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000002.00000000.288276761.0000000005FAA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.305414665.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.286848877.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.305414665.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: explorer.exe, 00000002.00000000.286848877.0000000005F12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040689F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040689F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004046F6 LoadLibraryA,GetProcAddress,VirtualProtect, 0_2_004046F6
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\vhefigi Code function: 11_2_008CB9AF push dword ptr fs:[00000030h] 11_2_008CB9AF
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040689F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040689F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CAD1 SetUnhandledExceptionFilter, 0_2_0040CAD1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040730B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040730B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041030E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 0_2_0041030E

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: vhefigi.2.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Network Connect: 185.246.221.63 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 4501930 Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Thread created: unknown EIP: 4581930 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi Process created: C:\Users\user\AppData\Roaming\vhefigi C:\Users\user\AppData\Roaming\vhefigi Jump to behavior
Source: explorer.exe, 00000002.00000000.281790475.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.281790475.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.286308744.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.305414665.0000000007B83000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.281790475.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.281543571.00000000004C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.281790475.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetComboBoxInfo,SetLastError,EnumTimeFormatsA,FindNextFileW,EnumCalendarInfoW,VerifyVersionInfoA,EnumTimeFormatsA,InterlockedDecrement,GetLongPathNameW,WaitForSingleObject,QueryMemoryResourceNotification,GetUserDefaultLangID,WritePrivateProfileStringA,AddRefActCtx,MoveFileWithProgressA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,CreateActCtxA,EnumTimeFormatsA,_hwrite,SetHandleInformation,EnumResourceLanguagesA,CreateNamedPipeA,GetCurrentProcessId,GetComputerNameA,GetLocaleInfoW,HeapAlloc,GetModuleHandleW,SetVolumeMountPointW,FindResourceW,DeleteVolumeMountPointA,GetConsoleAliasesLengthA,LoadLibraryA,LoadLibraryA,GlobalFlags,WritePrivateProfileSectionA,GetConsoleAliasW,SetConsoleCursorInfo,GetProfileSectionA,LoadLibraryA,GetLastError,EndUpdateResourceA,GetModuleHandleW,FreeConsole,FindResourceW,SearchPathA,GetConsoleTitleA,OpenMutexW,GetUserDefaultLangID,InterlockedExchange,GetBinaryTypeW,GetCommandLineW, 0_2_00404BB9
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,DebugActiveProcessStop,WriteConsoleOutputAttribute,FreeUserPhysicalPages,GetProcessId,ReadConsoleInputA,WaitForMultipleObjects,LocalSize,CreateDirectoryExA,FindFirstVolumeMountPointW,WriteFile,ClearCommBreak,WriteConsoleInputA,FindActCtxSectionStringA,CreateFileA, 0_2_004045DF
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_00415238
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404BB9 GetComboBoxInfo,SetLastError,EnumTimeFormatsA,FindNextFileW,EnumCalendarInfoW,VerifyVersionInfoA,EnumTimeFormatsA,InterlockedDecrement,GetLongPathNameW,WaitForSingleObject,QueryMemoryResourceNotification,GetUserDefaultLangID,WritePrivateProfileStringA,AddRefActCtx,MoveFileWithProgressA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,CreateActCtxA,EnumTimeFormatsA,_hwrite,SetHandleInformation,EnumResourceLanguagesA,CreateNamedPipeA,GetCurrentProcessId,GetComputerNameA,GetLocaleInfoW,HeapAlloc,GetModuleHandleW,SetVolumeMountPointW,FindResourceW,DeleteVolumeMountPointA,GetConsoleAliasesLengthA,LoadLibraryA,LoadLibraryA,GlobalFlags,WritePrivateProfileSectionA,GetConsoleAliasW,SetConsoleCursorInfo,GetProfileSectionA,LoadLibraryA,GetLastError,EndUpdateResourceA,GetModuleHandleW,FreeConsole,FindResourceW,SearchPathA,GetConsoleTitleA,OpenMutexW,GetUserDefaultLangID,InterlockedExchange,GetBinaryTypeW,GetCommandLineW, 0_2_00404BB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D77B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0040D77B

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0.2.file.exe.5815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.vhefigi.7d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.vhefigi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0.2.file.exe.5815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.vhefigi.7d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.vhefigi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 800803 Sample: file.exe Startdate: 07/02/2023 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for domain / URL 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 4 other signatures 2->38 7 file.exe 2->7         started        10 vhefigi 2->10         started        process3 signatures4 48 Detected unpacking (changes PE section rights) 7->48 12 file.exe 7->12         started        50 Multi AV Scanner detection for dropped file 10->50 52 Machine Learning detection for dropped file 10->52 15 vhefigi 10->15         started        process5 signatures6 54 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->54 56 Maps a DLL or memory area into another process 12->56 58 Checks if the current machine is a virtual machine (disk enumeration) 12->58 17 explorer.exe 3 8 12->17 injected 60 Creates a thread in another existing process (thread injection) 15->60 process7 dnsIp8 26 host-file-host6.com 185.246.221.63, 49722, 80 LVLT-10753US Germany 17->26 28 host-host-file8.com 17->28 30 192.168.2.1 unknown unknown 17->30 22 C:\Users\user\AppData\Roaming\vhefigi, PE32 17->22 dropped 24 C:\Users\user\...\vhefigi:Zone.Identifier, ASCII 17->24 dropped 40 System process connects to network (likely due to code injection or exploit) 17->40 42 Benign windows process drops PE files 17->42 44 Deletes itself after installation 17->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->46 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.246.221.63
 host-file-host6.com Germany
10753 LVLT-10753US true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
host-file-host6.com 185.246.221.63 true
host-host-file8.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://host-file-host6.com/ true
  • URL Reputation: safe
 unknown
http://host-host-file8.com/ true
  • URL Reputation: malware
 unknown