Edit tour
Windows
Analysis Report
leBwnyHIgx.exe
Overview
General Information
| Sample name: | leBwnyHIgx.exerenamed because original name is a hash value |
| Original sample name: | 51434b554c4e3b123e0a90db3048ec6d5edaed4cdb245c8f9e3dbddb378f2845.exe |
| Analysis ID: | 1585743 |
| MD5: | 2a7776214c4870137fe8aabb231cf52e |
| SHA1: | 3134458ad9ff7a6e76543427794fbcee1d7eda07 |
| SHA256: | 51434b554c4e3b123e0a90db3048ec6d5edaed4cdb245c8f9e3dbddb378f2845 |
| Tags: | backdoorexesilverfoxwinosuser-zhuzhu0009 |
| Infos: |   |
 | |
Detection
GhostRat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
leBwnyHIgx.exe (PID: 2004 cmdline: "C:\Users\ user\Deskt op\leBwnyH Igx.exe" MD5: 2A7776214C4870137FE8AABB231CF52E) 
cmd.exe (PID: 6540 cmdline: "C:\Window s\System32 \cmd.exe" /C powersh ell -Execu tionPolicy Bypass -C ommand "Ad d-MpPrefer ence -Excl usionPath 'C:\'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6544 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 2032 cmdline: powershell -Executio nPolicy By pass -Comm and "Add-M pPreferenc e -Exclusi onPath 'C: \'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
WmiPrvSE.exe (PID: 2492 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - leBwnyHIgx.exe (PID: 180 cmdline:
"C:\Users\ user\AppDa ta\Roaming \leBwnyHIg x.exe" MD5: 2A7776214C4870137FE8AABB231CF52E) - cmd.exe (PID: 2180 cmdline:
cmd.exe /C powershel l -Command "Set-Exec utionPolic y Unrestri cted -Scop e CurrentU ser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3428 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5684 cmdline:
powershell -Command "Set-Execu tionPolicy Unrestric ted -Scope CurrentUs er" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 2664 cmdline:
cmd.exe /C powershel l -Executi onPolicy B ypass -Fil e C:\Users \user\AppD ata\Local\ updated.ps 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5640 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5444 cmdline:
powershell -Executio nPolicy By pass -File C:\Users\ user\AppDa ta\Local\u pdated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 5928 cmdline:
cmd.exe /C powershel l -Command "Set-Exec utionPolic y Unrestri cted -Scop e CurrentU ser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5288 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6616 cmdline:
powershell -Command "Set-Execu tionPolicy Unrestric ted -Scope CurrentUs er" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 2916 cmdline:
"C:\Window s\System32 \cmd.exe" /C powersh ell -Execu tionPolicy Bypass -F ile C:\Use rs\user\Ap pData\Loca l\Temp\\up dated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5472 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6100 cmdline:
powershell -Executio nPolicy By pass -File C:\Users\ user\AppDa ta\Local\T emp\\updat ed.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cleanup
{"C2 url": ["154.82.85.107:15091", "154.82.85.107:15092"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| Click to see the 33 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
| JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |