Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1559273 |
| MD5: | 211dd0cc3da148c5bc61389693fd284f |
| SHA1: | 75e6bd440e37240fee4bf7ae01109093490ac5a7 |
| SHA256: | 645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe |
| Tags: | exeuser-Bitsight |
| Infos: |   |
 | |
Detection
SmokeLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
file.exe (PID: 3984 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 211DD0CC3DA148C5BC61389693FD284F) 
cmd.exe (PID: 5300 cmdline: "C:\Window s\System32 \cmd.exe" /c copy Fr equently F requently. cmd & Freq uently.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6692 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 6548 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 4932 cmdline:
findstr /I "wrsa ops svc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 3500 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 6464 cmdline:
findstr "A vastUI AVG UI bdservi cehost nsW scSvc ekrn SophosHea lth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 5460 cmdline:
cmd /c md 390641 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - findstr.exe (PID: 6588 cmdline:
findstr /V "Conventi onTroopsSt udiedTooth " Version MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 5916 cmdline:
cmd /c cop y /b ..\Ac cessing + ..\Entire + ..\Perip herals + . .\Et B MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Imposed.com (PID: 6188 cmdline: Imposed.co m B MD5: 78BA0653A340BAC5FF152B21A83626CC) - Imposed.com (PID: 5268 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\390641\ Imposed.co m MD5: 78BA0653A340BAC5FF152B21A83626CC) - Imposed.com (PID: 3040 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\390641\ Imposed.co m MD5: 78BA0653A340BAC5FF152B21A83626CC) 
explorer.exe (PID: 4084 cmdline: C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - explorer.exe (PID: 4540 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: DD6597597673F72E10C9DE7901FBA0A8) - explorer.exe (PID: 5664 cmdline:
C:\Windows \explorer. exe MD5: 662F4F92FDE3557E86D110526BB578D5) - explorer.exe (PID: 3616 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: DD6597597673F72E10C9DE7901FBA0A8) - explorer.exe (PID: 5180 cmdline:
C:\Windows \explorer. exe MD5: 662F4F92FDE3557E86D110526BB578D5) - explorer.exe (PID: 2736 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: DD6597597673F72E10C9DE7901FBA0A8) - explorer.exe (PID: 6168 cmdline:
C:\Windows \explorer. exe MD5: 662F4F92FDE3557E86D110526BB578D5) - explorer.exe (PID: 4312 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: DD6597597673F72E10C9DE7901FBA0A8) - choice.exe (PID: 5776 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- chhfaci (PID: 4128 cmdline:
C:\Users\u ser\AppDat a\Roaming\ chhfaci MD5: 78BA0653A340BAC5FF152B21A83626CC)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"Version": 2022, "C2 list": ["http://quantumqube.org/index.php", "https://quantumqube.org/index.php", "http://innovixus.org/index.php", "https://innovixus.org/index.php"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | ||
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
| Click to see the 5 entries | ||||
System Summary |   |
|---|
| Source: | Author: Max Altgelt (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-20T11:21:12.079442+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 85.192.60.190 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-20T11:21:08.814571+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49712 | 85.192.60.190 | 80 | TCP |
| 2024-11-20T11:21:17.156382+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 150.241.91.218 | 80 | TCP |
| 2024-11-20T11:21:20.758779+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49719 | 150.241.91.218 | 80 | TCP |
| 2024-11-20T11:21:44.962979+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49799 | 150.241.91.218 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-20T11:21:17.356859+0100 | 2829848 | 2 | Potentially Bad Traffic | 150.241.91.218 | 80 | 192.168.2.8 | 49718 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 20_2_028E3098 | |
| Source: | Code function: | 20_2_028E3717 | |
| Source: | Code function: | 20_2_028E3E04 | |
| Source: | Code function: | 20_2_028E123B | |
| Source: | Code function: | 20_2_028E1198 | |
| Source: | Code function: | 20_2_028E11E1 | |
| Source: | Code function: | 20_2_028E1FCE | |
| Source: | Static PE information: | ||
| Source: | File created: | ||
| Source: | File created: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_004062D5 | |
| Source: | Code function: | 0_2_00402E18 | |
| Source: | Code function: | 0_2_00406C9B | |
| Source: | Code function: | 11_2_009FDB0B | |
| Source: | Code function: | 11_2_00A0A32C | |
| Source: | Code function: | 11_2_009FE334 | |
| Source: | Code function: | 11_2_00A065AE | |
| Source: | Code function: | 11_2_009CC6C2 | |
| Source: | Code function: | 11_2_00A072A6 | |
| Source: | Code function: | 11_2_00A07205 | |
| Source: | Code function: | 11_2_009FD7CC | |
| Source: | Code function: | 11_2_00A09E43 | |
| Source: | Code function: | 11_2_00A09F9E | |
| Source: | Code function: | 14_2_00A0A32C | |
| Source: | Code function: | 14_2_009FE334 | |
| Source: | Code function: | 14_2_00A065AE | |
| Source: | Code function: | 14_2_009CC6C2 | |
| Source: | Code function: | 14_2_00A072A6 | |
| Source: | Code function: | 14_2_00A07205 | |
| Source: | Code function: | 14_2_009FD7CC | |
| Source: | Code function: | 14_2_009FDB0B | |
| Source: | Code function: | 14_2_00A09E43 | |
| Source: | Code function: | 14_2_00A09F9E | |
| Source: | Code function: | 19_2_0077E334 | |
| Source: | Code function: | 19_2_0078A32C | |
| Source: | Code function: | 19_2_007865AE | |
| Source: | Code function: | 19_2_0074C6C2 | |
| Source: | Code function: | 19_2_00787205 | |
| Source: | Code function: | 19_2_007872A6 | |
| Source: | Code function: | 19_2_0077D7CC | |
| Source: | Code function: | 19_2_0077DB0B | |
| Source: | Code function: | 19_2_00789E43 | |
| Source: | Code function: | 19_2_00789F9E | |
| Source: | Code function: | 20_2_028E2B15 | |
| Source: | Code function: | 20_2_028E3ED9 | |
| Source: | Code function: | 20_2_028E1D4A | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Network Connect: | Jump to behavior | ||
| Source: | Network Connect: | |||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 11_2_00A0D672 | |
| Source: | String found in binary or memory: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||