Windows Analysis Report LRios3pM39

Overview

General Information

Sample Name: LRios3pM39 (renamed file extension from none to exe)
Analysis ID: 458972
MD5: bbd9c29060936aa812c2b8aefb14258c
SHA1: 6fea71fbb8f46179942b99101c5b66e6801d43e6
SHA256: 469e5cd00ef10c7cdc37c647e0beca77e233ed11a5f34df087277a7ff3584a72
Tags: 32, exe, trojan

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Creates processes via WMI
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: google.vrthcobj.com Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\sqlite.dll Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: LRios3pM39.exe Virustotal: Detection: 21%
Source: LRios3pM39.exe ReversingLabs: Detection: 57%

Compliance:

Uses 32bit PE files
Source: LRios3pM39.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp, sqlite.dll.2.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1948 DNS zone transfer UDP 192.168.2.4:61523 -> 34.97.69.225:53
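The alert above is a content match on a single UDP DNS packet. Snort's "DNS zone transfer" signatures fire on a query whose QTYPE is AXFR (252) or IXFR (251); they say nothing about whether a transfer actually followed. The Python below is an added example, not part of the Joe Sandbox report, that parses the header and question section of a UDP DNS payload and reproduces that check. The packets are constructed inline; a.goatgame.co is taken from the DNS queries listed in this section, but the bytes are not from the sample's capture.

```python
import struct

# QTYPE values the "DNS zone transfer" Snort signatures key on (RFC 1035, RFC 1995)
AXFR, IXFR = 252, 251
QTYPE_NAMES = {1: "A", 28: "AAAA", 251: "IXFR", 252: "AXFR"}


def read_name(msg, off):
    """Decode the DNS name at msg[off]; return (name, offset just past it).
    Follows RFC 1035 compression pointers but never revisits an offset, so a
    crafted pointer loop raises instead of hanging the parser."""
    labels, seen, end = [], set(), None
    while True:
        if off in seen:
            raise ValueError("compression pointer loop at offset %d" % off)
        seen.add(off)
        length = msg[off]
        if length & 0xC0 == 0xC0:              # two-byte pointer to an earlier name
            if end is None:                    # the question continues after the pointer
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def parse_questions(msg):
    """Parse the header and the question section of a DNS message (UDP payload)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append({"name": name, "qtype": qtype, "qclass": qclass})
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions}


def is_zone_transfer_request(msg):
    """The condition behind a 'DNS zone transfer' alert: a query (QR bit clear)
    whose question section asks for AXFR or IXFR."""
    parsed = parse_questions(msg)
    if parsed["is_response"]:
        return False
    return any(q["qtype"] in (AXFR, IXFR) for q in parsed["questions"])


def build_query(name, qtype, txid=0x1234):
    """Build a minimal standard query; constructed input so the example runs offline."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN


if __name__ == "__main__":
    # Constructed packets: the A lookup named in this section, then an AXFR request
    for pkt in (build_query("a.goatgame.co", 1), build_query("goatgame.co", AXFR)):
        q = parse_questions(pkt)["questions"][0]
        verdict = "ZONE-TRANSFER" if is_zone_transfer_request(pkt) else "ok"
        print(q["name"], QTYPE_NAMES.get(q["qtype"], q["qtype"]), verdict)
```

AXFR is normally carried over TCP and a public resolver will refuse it, so a UDP AXFR from the analysis host toward 34.97.69.225 deserves a look at the packet rather than an immediate exfiltration verdict. Pull the flagged datagram from the pcap and confirm the QTYPE with the parser above before treating the alert as C2 or data movement; an ordinary A query such as the one for a.goatgame.co parses as "ok".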
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.146.70 172.67.146.70
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown DNS traffic detected: queries for: a.goatgame.co
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.4:49739 version: TLS 1.2
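A JA3 hash is the MD5 of five ClientHello fields (version, cipher suites, extension types, supported groups, EC point formats) written as decimal lists with GREASE values removed, so a match means the same TLS client library and configuration, not the same malware. The following Python is an added example and not Joe Sandbox's fingerprinting code: it parses a TLS record carrying a ClientHello, builds the JA3 string, and hashes it. The ClientHello is constructed in the block (all-zero random, SNI sni.example, a GREASE cipher, extension and group); it is not the hello the sample sent and its hash will not equal ce5f3254611a8c095a3d821d44539877.

```python
import hashlib
import struct


def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); JA3 drops them."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def parse_client_hello(record):
    """Pull the JA3 inputs out of a TLS record that carries a ClientHello:
    (version, cipher suites, extension types, supported groups, EC point formats)."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack_from("!H", body, 0)[0]
    off = 2 + 32                                     # version + client random
    off += 1 + body[off]                             # session id
    cs_len = struct.unpack_from("!H", body, off)[0]
    off += 2
    ciphers = list(struct.unpack_from("!%dH" % (cs_len // 2), body, off))
    off += cs_len
    off += 1 + body[off]                             # compression methods
    ext_types, groups, point_formats = [], [], []
    if off < len(body):                              # extensions block is optional
        ext_len = struct.unpack_from("!H", body, off)[0]
        off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack_from("!HH", body, off)
            off += 4
            data = body[off:off + elen]
            off += elen
            ext_types.append(etype)
            if etype == 10:                          # supported_groups
                n = struct.unpack_from("!H", data, 0)[0] // 2
                groups = list(struct.unpack_from("!%dH" % n, data, 2))
            elif etype == 11:                        # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, point_formats


def ja3_string(version, ciphers, ext_types, groups, point_formats):
    """JA3 text form: decimal values, '-' inside a field, ',' between fields."""
    def field(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(version), field(ciphers), field(ext_types),
                     field(groups), field(point_formats)])


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    s = ja3_string(*parse_client_hello(record))
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


# Builders for a constructed ClientHello (test input, not the sample's traffic)
def sni_ext(host):
    h = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(h)) + h          # name_type host_name
    return struct.pack("!H", len(entry)) + entry


def groups_ext(values):
    return struct.pack("!H", 2 * len(values)) + b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(version, ciphers, extensions):
    """extensions: list of (type, raw_data) in wire order."""
    body = struct.pack("!H", version) + bytes(32)            # all-zero client random
    body += b"\x00"                                           # empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


SAMPLE_HELLO = build_client_hello(0x0303, [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F], [
    (0x2A2A, b""),                                  # GREASE extension, must not reach JA3
    (0, sni_ext("sni.example")),
    (10, groups_ext([0x2A2A, 29, 23, 24])),         # GREASE group, x25519, P-256, P-384
    (11, b"\x01\x00"),                              # uncompressed point format
    (23, b""),                                      # extended_master_secret
    (35, b""),                                      # session_ticket
])

if __name__ == "__main__":
    print(*ja3(SAMPLE_HELLO), sep="\n")
```

Before weighting the "seen in connection with other malware" hit, fingerprint a known-clean program built on the same TLS stack and compare; the winhttp.dll.mui and CRYPT32.DLL.MUI strings in the process memory dumps below suggest WinHTTP over Schannel, whose fingerprints are shared by a great deal of benign Windows software.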

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\LRios3pM39.exe Code function: 0_2_004048ED 0_2_004048ED
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD
Sample file is different than original file name gathered from version info
Source: LRios3pM39.exe, 00000000.00000002.648380780.00000000021F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662144820.00000000020B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000000.647874488.000000000040E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662171088.00000000021F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662159981.00000000020D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameQt5Gui.dll( vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662179091.0000000002200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662149645.00000000020C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
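This signature compares the submitted file name against every OriginalFilename value found in the process's memory dumps (the .sdmp sources) as well as in the file on disk, so the version resources of system DLLs and their .mui files loaded into the process, and of Qt5Gui.dll, appear here next to the sample's own value. Only the entry without a dump id and the two dumps whose id contains 000000000040E000 carry LicenseHelper.exe. The Python below is an added example, not Joe Sandbox code, that parses these lines, strips the bytes that follow the name in the resource (">", "j%", "("), and separates what the file on disk says from what only memory said. The line format and the regexes are my reading of the lines shown above, not a documented Joe Sandbox format.

```python
import re
from collections import defaultdict

# One report line: "Source: <file>[, <dump>.sdmp] Binary or memory string: <blob> vs <sample>"
LINE_RE = re.compile(
    r"^Source:\s+(?P<file>[^,\s]+)"
    r"(?:,\s+(?P<dump>[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+)+\.sdmp))?"
    r"\s+Binary or memory string:\s+(?P<blob>\S+)\s+vs\s+(?P<sample>\S+)\s*$"
)
# The value after "OriginalFilename" runs into whatever bytes followed it in the
# version resource, so keep only a plausible module name.
NAME_RE = re.compile(r"OriginalFilename(?P<name>[\w.\-]+\.(?:exe|dll|mui|sys|ocx|cpl))", re.I)


def parse_lines(lines):
    """Yield (original_filename, source); source is the .sdmp id, or
    'static:<file>' when the string came from the file on disk."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        n = NAME_RE.search(m["blob"])
        if not n:                 # e.g. 'System.OriginalFileName' is a property name, no value
            continue
        yield n["name"], (m["dump"] or "static:" + m["file"])


def group_by_name(lines):
    """Map each cleaned OriginalFilename to the set of sources that carried it."""
    out = defaultdict(set)
    for name, src in parse_lines(lines):
        out[name].add(src)
    return dict(out)


def names_from_file_on_disk(lines):
    """Names reported from the submitted file itself rather than from a memory dump."""
    return {name for name, src in parse_lines(lines) if src.startswith("static:")}


# Input copied from the report lines above.
REPORT_LINES = """
Source: LRios3pM39.exe, 00000000.00000002.648380780.00000000021F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662144820.00000000020B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000000.647874488.000000000040E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662171088.00000000021F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662159981.00000000020D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameQt5Gui.dll( vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662179091.0000000002200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662149645.00000000020C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
""".strip().splitlines()

if __name__ == "__main__":
    static = names_from_file_on_disk(REPORT_LINES)
    for name, sources in sorted(group_by_name(REPORT_LINES).items()):
        origin = "file on disk + memory" if name in static else "memory only"
        print("%-18s %-22s %d source(s)" % (name, origin, len(sources)))
```

Names that occur only in memory are noise for this check. Treat the file's own LicenseHelper.exe as a string rather than an identity: the dropped sqlite.dll carries the PDB path Qt5WebSockets.pdb (Compliance section), so the names on this sample's files do not describe their contents.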
Uses 32bit PE files
Source: LRios3pM39.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal76.winEXE@5/2@3/1
Source: C:\Users\user\Desktop\LRios3pM39.exe Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 0_2_00401050
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Users\user\Desktop\LRios3pM39.exe File created: C:\Users\user\AppData\Local\Temp\sqlite.dat
Source: LRios3pM39.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LRios3pM39.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\LRios3pM39.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LRios3pM39.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LRios3pM39.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\LRios3pM39.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: LRios3pM39.exe Virustotal: Detection: 21%
Source: LRios3pM39.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\LRios3pM39.exe File read: C:\Users\user\Desktop\LRios3pM39.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe'
Source: C:\Users\user\Desktop\LRios3pM39.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LRios3pM39.exe Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a
Source: C:\Users\user\Desktop\LRios3pM39.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LRios3pM39.exe Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a
Source: C:\Users\user\Desktop\LRios3pM39.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp, sqlite.dll.2.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LRios3pM39.exe Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW, 0_2_004018A0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LRios3pM39.exe Code function: 0_2_00406590 push eax; ret 0_2_004065BE

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Users\user\Desktop\LRios3pM39.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Drops PE files
Source: C:\Users\user\Desktop\LRios3pM39.exe File created: C:\Users\user\AppData\Local\Temp\sqlite.dll
Source: C:\Users\user\Desktop\LRios3pM39.exe Process information set: NOOPENFILEERRORBOX
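Win32_Process::Create executes inside the WMI provider host, so a process started this way has WmiPrvSE.exe as its parent rather than the process that called IWbemServices::ExecMethod, and that parent is the detection hook on an endpoint. The Python below is an added example, not part of the report or of Sysmon: it runs that rule over Sysmon process-creation events (Event ID 1) in their XML schema. The events are constructed. The first mirrors the child command line seen in this report ('LRios3pM39.exe' -a), but the report only shows the ExecMethod call and does not say which process it created; the PIDs and the WerFault.exe allowlist entry are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WMI_PROVIDER_HOST = "wmiprvse.exe"
# Children WmiPrvSE.exe spawns legitimately on many hosts; tune per estate (assumption).
ALLOWED_CHILDREN = {"werfault.exe"}


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event into {field: value}, with EventID as an int."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def wmi_spawned_process(ev):
    """Rule: a Sysmon process-creation event (ID 1) whose parent is the WMI
    provider host. Win32_Process.Create runs inside WmiPrvSE.exe, so the WMI
    caller never appears as the parent; the provider host does."""
    if ev.get("EventID") != 1:
        return None
    if basename(ev.get("ParentImage", "")) != WMI_PROVIDER_HOST:
        return None
    if basename(ev.get("Image", "")) in ALLOWED_CHILDREN:
        return None
    return {"image": ev["Image"], "cmdline": ev.get("CommandLine", ""),
            "pid": ev.get("ProcessId", ""), "parent_pid": ev.get("ParentProcessId", "")}


def scan(events_xml):
    """Run the rule over raw event XML strings; return the hits."""
    hits = []
    for xml_text in events_xml:
        hit = wmi_spawned_process(parse_sysmon_event(xml_text))
        if hit:
            hits.append(hit)
    return hits


def sysmon_event(event_id, **fields):
    """Build a minimal Sysmon event in the real schema (constructed test input)."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, data))


SAMPLE_EVENTS = [
    # WMI-spawned second instance; PIDs are made up, command line mirrors the report
    sysmon_event(1, Image=r"C:\Users\user\Desktop\LRios3pM39.exe",
                 CommandLine=r'"C:\Users\user\Desktop\LRios3pM39.exe" -a',
                 ProcessId="4412", ParentImage=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 ParentProcessId="3120"),
    # Ordinary launch from the shell: not a hit
    sysmon_event(1, Image=r"C:\Users\user\Desktop\LRios3pM39.exe",
                 CommandLine=r'"C:\Users\user\Desktop\LRios3pM39.exe"',
                 ProcessId="5208", ParentImage=r"C:\Windows\explorer.exe", ParentProcessId="1888"),
    # Allowlisted child of the provider host: not a hit
    sysmon_event(1, Image=r"C:\Windows\System32\WerFault.exe", CommandLine="WerFault.exe -u -p 3120",
                 ProcessId="5550", ParentImage=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 ParentProcessId="3120"),
    # Network event, wrong ID: ignored
    sysmon_event(3, Image=r"C:\Users\user\Desktop\LRios3pM39.exe", DestinationIp="172.67.146.70"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("WMI-spawned:", hit)
```

The report lists the sample as the creator of its second instance; whether that came from the Win32_Process::Create call or from a direct CreateProcess is not shown. On a real host a WMI-created child carries WmiPrvSE.exe as its parent, so a parent-child rule keyed on LRios3pM39.exe would miss it, and the caller has to be recovered from WMI telemetry rather than from the process-creation event.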

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\LRios3pM39.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LRios3pM39.exe TID: 7144 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LRios3pM39.exe Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW, 0_2_004018A0
Source: C:\Users\user\Desktop\LRios3pM39.exe Code function: 0_2_004053C2 SetUnhandledExceptionFilter, 0_2_004053C2
Source: C:\Users\user\Desktop\LRios3pM39.exe Code function: 0_2_004053B0 SetUnhandledExceptionFilter, 0_2_004053B0

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LRios3pM39.exe Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a
Source: C:\Users\user\Desktop\LRios3pM39.exe Code function: 0_2_0040267E EntryPoint,GetVersion,GetCommandLineA, 0_2_0040267E