Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample Name:file.exe
Analysis ID:808616


Djvu, RHADAMANTHYS, SmokeLoader
Range:0 - 100


Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Tries to harvest and steal Bitcoin Wallet information
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Detected VMProtect packer
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Yara detected Keylogger Generic
Connects to a URL shortener service
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Connects to several IPs in different countries
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider


  • System is w10x64
  • file.exe (PID: 5176 cmdline: C:\Users\user\Desktop\file.exe MD5: 0A0416B98547FB41EC314C676979779E)
    • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • 1128.exe (PID: 4608 cmdline: C:\Users\user\AppData\Local\Temp\1128.exe MD5: 93CEC9D367D574FC3120469D0340FB39)
        • conhost.exe (PID: 920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • rundll32.exe (PID: 5500 cmdline: "C:\Users\user\AppData\Roaming\vcredist_5f4680.dll",Options_RunDLL 0600cc00-00e0-0478-0ea3-ae35d8b7780b MD5: 73C519F050C20580F8A62C849D49215A)
      • A4A.exe (PID: 1332 cmdline: C:\Users\user\AppData\Local\Temp\A4A.exe MD5: 34365553C6887DD20EEE38713CEEDECA)
        • A4A.exe (PID: 2208 cmdline: C:\Users\user\AppData\Local\Temp\A4A.exe MD5: 34365553C6887DD20EEE38713CEEDECA)
          • icacls.exe (PID: 5428 cmdline: icacls "C:\Users\user\AppData\Local\45128750-4e19-4c02-b365-166e0d776172" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)
      • 8EAD.exe (PID: 4784 cmdline: C:\Users\user\AppData\Local\Temp\8EAD.exe MD5: 422BAE02B141829FF15435A9116E33F7)
      • F207.exe (PID: 4780 cmdline: C:\Users\user\AppData\Local\Temp\F207.exe MD5: A87C48E5E8F12F9FF6F6D868BF9D9252)
      • DE4C.exe (PID: 4776 cmdline: C:\Users\user\AppData\Local\Temp\DE4C.exe MD5: EDB228CBA3FC937A6008E00B44A28343)
        • WerFault.exe (PID: 6112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • 42FE.exe (PID: 1092 cmdline: C:\Users\user\AppData\Local\Temp\42FE.exe MD5: 710475FAD4072F93192DB19F14847C42)
        • llpb1133.exe (PID: 4428 cmdline: "C:\Users\user\AppData\Local\Temp\llpb1133.exe" MD5: E80EFC25A192B860387B90C209EF9D6B)
        • yuzhenzhang.exe (PID: 1788 cmdline: "C:\Users\user\AppData\Local\Temp\yuzhenzhang.exe" MD5: B9363486500E209C05F97330226BBF8A)
          • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • 352F.exe (PID: 1328 cmdline: C:\Users\user\AppData\Local\Temp\352F.exe MD5: 710475FAD4072F93192DB19F14847C42)
        • llpb1133.exe (PID: 3952 cmdline: "C:\Users\user\AppData\Local\Temp\llpb1133.exe" MD5: E80EFC25A192B860387B90C209EF9D6B)
      • 9760.exe (PID: 3960 cmdline: C:\Users\user\AppData\Local\Temp\9760.exe MD5: 42FBE2A0D64819B3D2FF1E29208A5D77)
        • WerFault.exe (PID: 4572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 520 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • 849F.exe (PID: 4968 cmdline: C:\Users\user\AppData\Local\Temp\849F.exe MD5: 8D702FEEDAFB6BA663FA84DD131E049A)
      • ECAC.exe (PID: 6092 cmdline: C:\Users\user\AppData\Local\Temp\ECAC.exe MD5: 34365553C6887DD20EEE38713CEEDECA)
        • ECAC.exe (PID: 5488 cmdline: C:\Users\user\AppData\Local\Temp\ECAC.exe MD5: 34365553C6887DD20EEE38713CEEDECA)