Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
Detection
SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
May check the online IP address of the machine
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Detected VMProtect packer
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Connects to several IPs in different countries
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- file.exe (PID: 5296 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: 001AAF70FD33E2A1386C65AE04A8D602) - explorer.exe (PID: 3452 cmdline:
C:\Windows \Explorer. EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D) - D3F7.exe (PID: 4472 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\D3F7.ex e MD5: 2FA5D266A3D92286FA470A39ACEC5B0E) - AppLaunch.exe (PID: 3228 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\AppL aunch.exe MD5: 6807F903AC06FF7E1670181378690B22) - WerFault.exe (PID: 5680 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 472 -s 280 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - 151.exe (PID: 3084 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\151.exe MD5: B913B72892BFD294A808D7E685DC3A19) - AppLaunch.exe (PID: 4996 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\AppL aunch.exe MD5: 6807F903AC06FF7E1670181378690B22) - WerFault.exe (PID: 4224 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 084 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - regsvr32.exe (PID: 5468 cmdline:
regsvr32 / s C:\Users \user\AppD ata\Local\ Temp\96E9. dll MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 4984 cmdline:
/s C:\Use rs\user\Ap pData\Loca l\Temp\96E 9.dll MD5: 426E7499F6A7346F0410DEAD0805586B) - A784.exe (PID: 4916 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\A784.ex e MD5: F236C35612EA884351F1D4A8694D8AA1) - WerFault.exe (PID: 2576 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 4 916 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - 39AF.exe (PID: 1076 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\39AF.ex e MD5: AE9E2CE4CF9B092A5BBFD1D5A609166E) - conhost.exe (PID: 2888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - 39AF.exe (PID: 2792 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\39AF.e xe" -h MD5: AE9E2CE4CF9B092A5BBFD1D5A609166E) - conhost.exe (PID: 6000 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - 4962.exe (PID: 1668 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\4962.ex e MD5: 2679869D7C3C730553BDB94848DDEEA5)
- bwgdrja (PID: 1652 cmdline:
C:\Users\u ser\AppDat a\Roaming\ bwgdrja MD5: 001AAF70FD33E2A1386C65AE04A8D602)
- cegdrja (PID: 2764 cmdline:
C:\Users\u ser\AppDat a\Roaming\ cegdrja MD5: 6807F903AC06FF7E1670181378690B22)
- cleanup
{"C2 list": ["http://ilabbjjpbdzij.xyz/", "http://ilabtobpwsvme.me/", "http://ilabxctzzcbtw.top/", "http://ilaboqbdeqwem.xyz/", "http://ilabonjsnmwiy.top/", "http://ilabqemgfxxgi.info/", "http://ilabvankjnwka.online/", "http://ilabjmhrrygwf.top/", "http://ilablyqfvvqjs.site/", "http://ilabduzejekrk.online/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
Click to see the 21 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Click to see the 2 entries |
⊘No Sigma rule has matched
Timestamp: | 192.168.2.345.136.151.10249771802851115 08/31/22-08:34:45.213696 |
SID: | 2851115 |
Source Port: | 49771 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | Attempted Administrator Privilege Gain |
Timestamp: | 192.168.2.38.8.8.849874532023883 08/31/22-08:34:44.128637 |
SID: | 2023883 |
Source Port: | 49874 |
Destination Port: | 53 |
Protocol: | UDP |
Classtype: | Potentially Bad Traffic |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | URL Reputation: | ||
Source: | URL Reputation: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | ReversingLabs: |
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | Malware Configuration Extractor: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: | ||
Source: | Domain query: |
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | DNS query: |
Source: | DNS query: |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |