Windows Analysis Report
01885599.exe

Overview

General Information

Sample Name: 01885599.exe
Analysis ID: 876999
MD5: a29c587c678826f4a44cf6a2a78599f1
SHA1: 92ea36730fa1f19300a27ebbb4d1359e7b8a16de
SHA256: b3fbcfd775b7c9bfc5b58f5df13eb8fbeb4844d98756f8fca41b63f060ae5132
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Found malware configuration
Source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Multi AV Scanner detection for submitted file
Source: 01885599.exe Virustotal: Detection: 37% Perma Link
Antivirus detection for URL or domain
Source: http://host-host-file8.com/ URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: host-file-host6.com Virustotal: Detection: 22% Perma Link
Source: host-host-file8.com Virustotal: Detection: 19% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\vbjjhwi ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\vbjjhwi Virustotal: Detection: 37% Perma Link
Machine Learning detection for sample
Source: 01885599.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\vbjjhwi Joe Sandbox ML: detected
Uses 32bit PE files
Source: 01885599.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: MHC:\nodiga.pdb source: 01885599.exe, vbjjhwi.3.dr
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: C:\nodiga.pdb source: 01885599.exe, vbjjhwi.3.dr
Source: Binary string: eex.pdb source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_00403870 GetStringTypeExA,FindFirstVolumeMountPointW,GetPrivateProfileIntA,WaitForSingleObject,FreeConsole,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetVersionExW,GetConsoleAliasesLengthA,SleepEx,CreateFileMappingW,CreateMutexA,GetCommState,FreeConsole,MapGenericMask,DebugBreak,AttachConsole,MapGenericMask,DebugBreak,FreeConsole,AttachConsole,FreeConsole,InterlockedExchangeAdd,WaitForMultipleObjectsEx,GetCharWidthW,GetCharABCWidthsFloatW,GetCharWidthW,GetCharABCWidthsFloatW,GetLastError,GetLastError,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,GetLongPathNameA,WritePrivateProfileStructW,IsBadReadPtr,CancelWaitableTimer,GetFileType,GetModuleHandleA, 0_2_00403870

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Source: C:\Windows\explorer.exe Network Connect: 194.50.153.68 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://host-file-host6.com/
Source: Malware configuration extractor URLs: http://host-host-file8.com/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GAZ-IS-ASRU GAZ-IS-ASRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 194.50.153.68 194.50.153.68
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oncejkc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: host-file-host6.com
Source: explorer.exe, 00000003.00000000.570166430.00007FF883839000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 00000003.00000000.570166430.00007FF883839000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oncejkc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: host-file-host6.com
Source: unknown DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 1.2.01885599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbjjhwi.8215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbjjhwi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.01885599.exe.7f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: 01885599.exe, 00000000.00000002.530524455.00000000008DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.622842996.00000000006B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.530540948.00000000008E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Uses 32bit PE files
Source: 01885599.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000005.00000002.622842996.00000000006B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.530540948.00000000008E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Detected potential crypto function
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_004118DE 0_2_004118DE
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0040A4AA 0_2_0040A4AA
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0041251A 0_2_0041251A
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_004132E1 0_2_004132E1
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0041139A 0_2_0041139A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\01885599.exe Code function: String function: 00407404 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_007F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_007F0110
Source: C:\Users\user\Desktop\01885599.exe Code function: 1_2_0040180C Sleep,NtTerminateProcess, 1_2_0040180C
Source: C:\Users\user\Desktop\01885599.exe Code function: 1_2_00401818 Sleep,NtTerminateProcess, 1_2_00401818
Source: C:\Users\user\Desktop\01885599.exe Code function: 1_2_00401822 Sleep,NtTerminateProcess, 1_2_00401822
Source: C:\Users\user\Desktop\01885599.exe Code function: 1_2_00401826 Sleep,NtTerminateProcess, 1_2_00401826
Source: C:\Users\user\Desktop\01885599.exe Code function: 1_2_00401834 Sleep,NtTerminateProcess, 1_2_00401834
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 5_2_00820110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 5_2_00820110
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 6_2_0040180C Sleep,NtTerminateProcess, 6_2_0040180C
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 6_2_00401818 Sleep,NtTerminateProcess, 6_2_00401818
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 6_2_00401822 Sleep,NtTerminateProcess, 6_2_00401822
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 6_2_00401826 Sleep,NtTerminateProcess, 6_2_00401826
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 6_2_00401834 Sleep,NtTerminateProcess, 6_2_00401834
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: 01885599.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vbjjhwi.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 01885599.exe Virustotal: Detection: 37%
Source: 01885599.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\01885599.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\01885599.exe C:\Users\user\Desktop\01885599.exe
Source: C:\Users\user\Desktop\01885599.exe Process created: C:\Users\user\Desktop\01885599.exe C:\Users\user\Desktop\01885599.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\vbjjhwi C:\Users\user\AppData\Roaming\vbjjhwi
Source: C:\Users\user\AppData\Roaming\vbjjhwi Process created: C:\Users\user\AppData\Roaming\vbjjhwi C:\Users\user\AppData\Roaming\vbjjhwi
Source: C:\Users\user\Desktop\01885599.exe Process created: C:\Users\user\Desktop\01885599.exe C:\Users\user\Desktop\01885599.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Process created: C:\Users\user\AppData\Roaming\vbjjhwi C:\Users\user\AppData\Roaming\vbjjhwi Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vbjjhwi Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/3@4/1
Source: C:\Users\user\Desktop\01885599.exe Command line argument: T#0y 0_2_00403FE0
Source: C:\Users\user\Desktop\01885599.exe Command line argument: #"# 0_2_00403FE0
Source: C:\Users\user\Desktop\01885599.exe Command line argument: .d|1 0_2_00403FE0
Source: C:\Users\user\Desktop\01885599.exe Command line argument: K[ 0_2_00403FE0
Source: C:\Users\user\Desktop\01885599.exe Command line argument: ZBE 0_2_00403FE0
Source: C:\Users\user\Desktop\01885599.exe Command line argument: kernel32.dll 0_2_00403FE0
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 01885599.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 01885599.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 01885599.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 01885599.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 01885599.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 01885599.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 01885599.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: MHC:\nodiga.pdb source: 01885599.exe, vbjjhwi.3.dr
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: C:\nodiga.pdb source: 01885599.exe, vbjjhwi.3.dr
Source: Binary string: eex.pdb source: explorer.exe, 00000003.00000000.569751105.00007FF883751000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\01885599.exe Unpacked PE file: 1.2.01885599.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vbjjhwi Unpacked PE file: 6.2.vbjjhwi.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_00407449 push ecx; ret 0_2_0040745C
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_00403770 push ecx; mov dword ptr [esp], 00000000h 0_2_00403771
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_007F1977 push ebx; iretd 0_2_007F19B7
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_007F1970 push ebx; iretd 0_2_007F19B7
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_007F198B push ebx; iretd 0_2_007F19B7
Source: C:\Users\user\Desktop\01885599.exe Code function: 1_2_004011D0 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\01885599.exe Code function: 1_2_004011D7 push ebx; iretd 1_2_00401217
Source: C:\Users\user\Desktop\01885599.exe Code function: 1_2_004011EB push ebx; iretd 1_2_00401217
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 5_2_0082198B push ebx; iretd 5_2_008219B7
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 5_2_00821970 push ebx; iretd 5_2_008219B7
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 5_2_00821977 push ebx; iretd 5_2_008219B7
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 6_2_004011D0 push ebx; iretd 6_2_00401217
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 6_2_004011D7 push ebx; iretd 6_2_00401217
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 6_2_004011EB push ebx; iretd 6_2_00401217
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0040D6B0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0040D6B0
Source: initial sample Static PE information: section name: .text entropy: 7.581715328183715
Source: initial sample Static PE information: section name: .text entropy: 7.581715328183715
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vbjjhwi Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vbjjhwi Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\01885599.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\vbjjhwi:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbjjhwi, 00000006.00000002.633709015.00000000005EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\01885599.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 860 Thread sleep count: 505 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 640 Thread sleep count: 300 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 640 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4628 Thread sleep count: 187 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3728 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6600 Thread sleep count: 516 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6588 Thread sleep count: 203 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6584 Thread sleep count: 248 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 505 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 516 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 850 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 867 Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_00403870 GetStringTypeExA,FindFirstVolumeMountPointW,GetPrivateProfileIntA,WaitForSingleObject,FreeConsole,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetVersionExW,GetConsoleAliasesLengthA,SleepEx,CreateFileMappingW,CreateMutexA,GetCommState,FreeConsole,MapGenericMask,DebugBreak,AttachConsole,MapGenericMask,DebugBreak,FreeConsole,AttachConsole,FreeConsole,InterlockedExchangeAdd,WaitForMultipleObjectsEx,GetCharWidthW,GetCharABCWidthsFloatW,GetCharWidthW,GetCharABCWidthsFloatW,GetLastError,GetLastError,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,GetLongPathNameA,WritePrivateProfileStructW,IsBadReadPtr,CancelWaitableTimer,GetFileType,GetModuleHandleA, 0_2_00403870
Source: C:\Users\user\Desktop\01885599.exe System information queried: ModuleInformation Jump to behavior
Source: explorer.exe, 00000003.00000000.551747489.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.551747489.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000003.00000000.547717895.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000003.00000000.541592445.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.551747489.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.554336000.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000003.00000000.551747489.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\01885599.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0040533B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040533B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0040D6B0 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0040D6B0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_007F0042 push dword ptr fs:[00000030h] 0_2_007F0042
Source: C:\Users\user\AppData\Roaming\vbjjhwi Code function: 5_2_00820042 push dword ptr fs:[00000030h] 5_2_00820042
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\01885599.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_004084CF SetUnhandledExceptionFilter, 0_2_004084CF
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0040D9F8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 0_2_0040D9F8
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0040533B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040533B
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_004063C4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004063C4

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: vbjjhwi.3.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Source: C:\Windows\explorer.exe Network Connect: 194.50.153.68 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\01885599.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\01885599.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\01885599.exe Memory written: C:\Users\user\Desktop\01885599.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Memory written: C:\Users\user\AppData\Roaming\vbjjhwi base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_007F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 0_2_007F0110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\01885599.exe Thread created: C:\Windows\explorer.exe EIP: 4C01930 Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Thread created: unknown EIP: 4B01930 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\01885599.exe Process created: C:\Users\user\Desktop\01885599.exe C:\Users\user\Desktop\01885599.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\vbjjhwi Process created: C:\Users\user\AppData\Roaming\vbjjhwi C:\Users\user\AppData\Roaming\vbjjhwi Jump to behavior
Source: explorer.exe, 00000003.00000000.541706271.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000003.00000000.541706271.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.551747489.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.548723968.0000000005C70000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.541706271.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.541592445.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: explorer.exe, 00000003.00000000.541706271.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\01885599.exe Code function: GetLocaleInfoA, 0_2_00410F37
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_0040963C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0040963C
Source: C:\Users\user\Desktop\01885599.exe Code function: 0_2_00403870 GetStringTypeExA,FindFirstVolumeMountPointW,GetPrivateProfileIntA,WaitForSingleObject,FreeConsole,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetConsoleCursorInfo,GetModuleFileNameW,EnumFontsW,GetVersionExW,GetConsoleAliasesLengthA,SleepEx,CreateFileMappingW,CreateMutexA,GetCommState,FreeConsole,MapGenericMask,DebugBreak,AttachConsole,MapGenericMask,DebugBreak,FreeConsole,AttachConsole,FreeConsole,InterlockedExchangeAdd,WaitForMultipleObjectsEx,GetCharWidthW,GetCharABCWidthsFloatW,GetCharWidthW,GetCharABCWidthsFloatW,GetLastError,GetLastError,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,ReplaceFileA,WritePrivateProfileStringW,lstrcmpiW,CreateEventW,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,MulDiv,CreateActCtxA,GetFileAttributesExW,GetLogicalDriveStringsA,GetLongPathNameA,WritePrivateProfileStructW,IsBadReadPtr,CancelWaitableTimer,GetFileType,GetModuleHandleA, 0_2_00403870

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 1.2.01885599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbjjhwi.8215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbjjhwi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.01885599.exe.7f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 1.2.01885599.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbjjhwi.8215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbjjhwi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.01885599.exe.7f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.571005339.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.633668542.00000000004A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.570947519.0000000000420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.633696994.00000000005B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 876999 Sample: 01885599.exe Startdate: 28/05/2023 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for domain / URL 2->30 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 6 other signatures 2->36 7 01885599.exe 2->7         started        10 vbjjhwi 2->10         started        process3 signatures4 46 Detected unpacking (changes PE section rights) 7->46 48 Contains functionality to inject code into remote processes 7->48 50 Injects a PE file into a foreign processes 7->50 12 01885599.exe 7->12         started        52 Multi AV Scanner detection for dropped file 10->52 54 Machine Learning detection for dropped file 10->54 15 vbjjhwi 10->15         started        process5 signatures6 56 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 12->56 58 Maps a DLL or memory area into another process 12->58 60 Checks if the current machine is a virtual machine (disk enumeration) 12->60 17 explorer.exe 2 3 12->17 injected 62 Creates a thread in another existing process (thread injection) 15->62 process7 dnsIp8 26 host-file-host6.com 194.50.153.68, 49684, 80 GAZ-IS-ASRU United Kingdom 17->26 28 host-host-file8.com 17->28 22 C:\Users\user\AppData\Roaming\vbjjhwi, PE32 17->22 dropped 24 C:\Users\user\...\vbjjhwi:Zone.Identifier, ASCII 17->24 dropped 38 System process connects to network (likely due to code injection or exploit) 17->38 40 Benign windows process drops PE files 17->40 42 Deletes itself after installation 17->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->44 file9 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
194.50.153.68
 host-file-host6.com United Kingdom
198526 GAZ-IS-ASRU true

Contacted Domains

Name IP Active
host-file-host6.com 194.50.153.68 true
host-host-file8.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://host-file-host6.com/ true
  • URL Reputation: safe
 unknown
http://host-host-file8.com/ true
  • URL Reputation: malware
 unknown