Play interactive tour

Edit tour

Windows Analysis Report LRios3pM39

Overview

General Information

Sample Name:	LRios3pM39 (renamed file extension from none to exe)
Analysis ID:	458972
MD5:	bbd9c29060936aa812c2b8aefb14258c
SHA1:	6fea71fbb8f46179942b99101c5b66e6801d43e6
SHA256:	469e5cd00ef10c7cdc37c647e0beca77e233ed11a5f34df087277a7ff3584a72
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Creates processes via WMI

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LRios3pM39.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\LRios3pM39.exe' MD5: BBD9C29060936AA812C2B8AEFB14258C)

conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

LRios3pM39.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\LRios3pM39.exe' -a MD5: BBD9C29060936AA812C2B8AEFB14258C)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: google.vrthcobj.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\sqlite.dll

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: LRios3pM39.exe	Virustotal: Detection: 21%			Perma Link
Source: LRios3pM39.exe	ReversingLabs: Detection: 57%

Source: LRios3pM39.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.4:49739 version: TLS 1.2

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp, sqlite.dll.2.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1948 DNS zone transfer UDP 192.168.2.4:61523 -> 34.97.69.225:53

Source: Joe Sandbox View

IP Address: 172.67.146.70 172.67.146.70

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

DNS traffic detected: queries for: a.goatgame.co

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_004048ED

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD

Source: LRios3pM39.exe, 00000000.00000002.648380780.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662144820.00000000020B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000000.647874488.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662171088.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662159981.00000000020D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662179091.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662149645.00000000020C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe

Source: LRios3pM39.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.winEXE@5/2@3/1

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01

Source: C:\Users\user\Desktop\LRios3pM39.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dat

Jump to behavior

Source: LRios3pM39.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LRios3pM39.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\LRios3pM39.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LRios3pM39.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\LRios3pM39.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\LRios3pM39.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: LRios3pM39.exe	Virustotal: Detection: 21%
Source: LRios3pM39.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\LRios3pM39.exe

File read: C:\Users\user\Desktop\LRios3pM39.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe'
Source: C:\Users\user\Desktop\LRios3pM39.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LRios3pM39.exe	Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a
Source: C:\Users\user\Desktop\LRios3pM39.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LRios3pM39.exe	Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a

Source: C:\Users\user\Desktop\LRios3pM39.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp, sqlite.dll.2.dr

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_00406590 push eax; ret

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Users\user\Desktop\LRios3pM39.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\LRios3pM39.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\LRios3pM39.exe

Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\LRios3pM39.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\LRios3pM39.exe TID: 7144

Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

Source: C:\Users\user\Desktop\LRios3pM39.exe	Code function: 0_2_004053C2 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\LRios3pM39.exe	Code function: 0_2_004053B0 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\LRios3pM39.exe

Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_0040267E EntryPoint,GetVersion,GetCommandLineA,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LRios3pM39.exe	22%	Virustotal		Browse
LRios3pM39.exe	57%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	14%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\sqlite.dll	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
google.vrthcobj.com	8%	Virustotal		Browse
a.goatgame.co	2%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.vrthcobj.com	34.97.69.225	true	true	8%, Virustotal, Browse	unknown
a.goatgame.co	172.67.146.70	true	false	2%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.146.70	a.goatgame.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458972
Start date:	03.08.2021
Start time:	23:29:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	LRios3pM39 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.winEXE@5/2@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 93.6%) Quality average: 79.3% Quality standard deviation: 29%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, rundll32.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.64.90.137, 40.88.32.150, 104.43.139.144 Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:30:08	API Interceptor	3x Sleep call for process: LRios3pM39.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.146.70	85d8c.exe	Get hash	malicious	Browse
	QfVER41Fwx.exe	Get hash	malicious	Browse
	O3h9kRdG7d.exe	Get hash	malicious	Browse
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse
	U7HCBc2SVy.exe	Get hash	malicious	Browse
	76xAf6BYg8.exe	Get hash	malicious	Browse
	E4lwAiXNCE.exe	Get hash	malicious	Browse
	pLF8TJmHlD.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
google.vrthcobj.com	85d8c.exe	Get hash	malicious	Browse	34.97.69.225
	QfVER41Fwx.exe	Get hash	malicious	Browse	34.97.69.225
	93ejLcdBh5.exe	Get hash	malicious	Browse	34.97.69.225
	k2VFD3gNGE.exe	Get hash	malicious	Browse	34.97.69.225
	MIN56KgzBN.exe	Get hash	malicious	Browse	34.97.69.225
	U7HCBc2SVy.exe	Get hash	malicious	Browse	34.97.69.225
	TIoFSlDlv6.exe	Get hash	malicious	Browse	34.97.69.225
	76xAf6BYg8.exe	Get hash	malicious	Browse	34.97.69.225
	E4lwAiXNCE.exe	Get hash	malicious	Browse	34.97.69.225
	pLF8TJmHlD.exe	Get hash	malicious	Browse	34.97.69.225
	sonia_6.exe	Get hash	malicious	Browse	34.97.69.225
	5H4iRfY1ek.exe	Get hash	malicious	Browse	34.97.69.225
	Copy.exe	Get hash	malicious	Browse	34.97.69.225
	pMVkvSyeIy.exe	Get hash	malicious	Browse	34.97.69.225
	w7pR0EOMwd.exe	Get hash	malicious	Browse	34.97.69.225
	BoLQVCmIZB.exe	Get hash	malicious	Browse	34.97.69.225
	DhWFvSKvSb.exe	Get hash	malicious	Browse	34.97.69.225
	U2HHCJvDj4.exe	Get hash	malicious	Browse	34.97.69.225
	CLnraL1yNc.exe	Get hash	malicious	Browse	34.97.69.225
	UAD1AhRXY7.exe	Get hash	malicious	Browse	34.97.69.225
a.goatgame.co	85d8c.exe	Get hash	malicious	Browse	104.21.79.144
	85d8c.exe	Get hash	malicious	Browse	172.67.146.70
	QfVER41Fwx.exe	Get hash	malicious	Browse	172.67.146.70
	O3h9kRdG7d.exe	Get hash	malicious	Browse	172.67.146.70
	puzlXYxqKK.exe	Get hash	malicious	Browse	104.21.79.144
	k2VFD3gNGE.exe	Get hash	malicious	Browse	104.21.79.144
	MIN56KgzBN.exe	Get hash	malicious	Browse	104.21.79.144
	U7HCBc2SVy.exe	Get hash	malicious	Browse	172.67.146.70
	TIoFSlDlv6.exe	Get hash	malicious	Browse	104.21.79.144
	76xAf6BYg8.exe	Get hash	malicious	Browse	172.67.146.70
	E4lwAiXNCE.exe	Get hash	malicious	Browse	172.67.146.70
	pLF8TJmHlD.exe	Get hash	malicious	Browse	172.67.146.70
	sonia_6.exe	Get hash	malicious	Browse	104.21.79.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	State Settlement Copy.html	Get hash	malicious	Browse	172.67.75.3
	Request Quotation.exe	Get hash	malicious	Browse	172.67.188.154
	invoice.vbs	Get hash	malicious	Browse	162.159.130.233
	kKZZ0J8y0c.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 29.exe	Get hash	malicious	Browse	104.21.19.200
	ATT80307.HTM	Get hash	malicious	Browse	104.16.19.94
	2C.TA9.HTML	Get hash	malicious	Browse	104.18.11.207
	Dosusign_Na_Sign.htm	Get hash	malicious	Browse	172.67.145.176
	RoyalMail_Requestform0729.exe	Get hash	malicious	Browse	172.67.188.154
	sbcss_Richard.DeNava_#inv0549387TWQYqzTPaYeqvaYMnpdIfJAwwzbguzauViQVRRplvOktNmAire.HTM	Get hash	malicious	Browse	104.16.18.94
	Fake.HTM	Get hash	malicious	Browse	104.16.19.94
	RoyalMail_Requestform1.exe	Get hash	malicious	Browse	172.67.188.154
	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	172.67.188.154
	ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe	Get hash	malicious	Browse	172.67.176.89
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	items.doc	Get hash	malicious	Browse	104.21.19.200
	ZI09484474344.exe	Get hash	malicious	Browse	104.21.49.41
	#Ud83d#Udda8rocket.com 7335931#Ufffd90-queue-1675.htm	Get hash	malicious	Browse	104.16.19.94
	ATT66004.HTM	Get hash	malicious	Browse	104.16.19.94

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	24um7vU1BD.exe	Get hash	malicious	Browse	172.67.146.70
	JQ2bNBDOcO.exe	Get hash	malicious	Browse	172.67.146.70
	Dpwipnj1gx.exe	Get hash	malicious	Browse	172.67.146.70
	19G1ZLyqr2.exe	Get hash	malicious	Browse	172.67.146.70
	ULylDR5F36.exe	Get hash	malicious	Browse	172.67.146.70
	SecuriteInfo.com.W32.AIDetect.malware2.26285.exe	Get hash	malicious	Browse	172.67.146.70
	banload.msi	Get hash	malicious	Browse	172.67.146.70
	yQShMhZ7Hi.exe	Get hash	malicious	Browse	172.67.146.70
	zW4oE2ASRB.exe	Get hash	malicious	Browse	172.67.146.70
	run.exe	Get hash	malicious	Browse	172.67.146.70
	RNrtE1qOSL.exe	Get hash	malicious	Browse	172.67.146.70
	hDJzf1oo7U.exe	Get hash	malicious	Browse	172.67.146.70
	hpDcwMoScr.exe	Get hash	malicious	Browse	172.67.146.70
	JGJtVyC9dr.exe	Get hash	malicious	Browse	172.67.146.70
	QqcQ1EteWS.exe	Get hash	malicious	Browse	172.67.146.70
	Ya50avl5OT.exe	Get hash	malicious	Browse	172.67.146.70
	8xCetBLoAt.exe	Get hash	malicious	Browse	172.67.146.70
	7xt9iOfzN2.exe	Get hash	malicious	Browse	172.67.146.70
	5mTnLT28B7.exe	Get hash	malicious	Browse	172.67.146.70
	CknLcKyFEZ.exe	Get hash	malicious	Browse	172.67.146.70

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Temp\sqlite.dll	CyLELjM5zk.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\sqlite.dll	setup_x86_x64_install.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\sqlite.dat Download File
Process:	C:\Users\user\Desktop\LRios3pM39.exe
File Type:	data
Category:	dropped
Size (bytes):	578665
Entropy (8bit):	7.9654565999316835
Encrypted:	false
SSDEEP:	12288:811ticqWIMMXa2ad3KNjU++VUYgokNxcg8aVg1gKtY7SQOO:YPeBaRKNjFklalbVygKtY7xx
MD5:	9C6F0C8D94B0B9761A327548F56F6256
SHA1:	E8BB880A2A8B8F40509CDE71F56F1D02CD58E03E
SHA-256:	4706A707EDEB1B676C1C396345729DCA100F1FBEAF660DAAEA442C69403DB0D3
SHA-512:	47E2A5BD6D8866CD86A0F5E38C913601092C28D0FB9CBF564C4D16C25918818E96CC303651EA7D3511716567B3E4785942FB567ACD7DB766975A53587F2DCCEE
Malicious:	false
Reputation:	low
Preview:	.<..Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V...)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..jj.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2\|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i\|..y.Q'....k...}FT.X.jY..Y....o......y..=\|6..%..z/........s....>.j.-s.k../.:..........>\|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...\|/h..jfDX.S...`&...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^.......aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./

C:\Users\user\AppData\Local\Temp\sqlite.dll Download File
Process:	C:\Users\user\Desktop\LRios3pM39.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81408
Entropy (8bit):	6.295064838876099
Encrypted:	false
SSDEEP:	1536:jkOh0YR+kfbE+2AJk64OceTbkS9Co5sWzcdSzEdY+wJpxpbcNop//:jkcjHY+fJhPN9H2SIdY+wJpxpQ8//
MD5:	05250AA12AD3C6A86DAB6DAB708D17FF
SHA1:	E41AD72C9A43070BB11FD7411800F71DDDF6BDD8
SHA-256:	7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD
SHA-512:	A56DF11AF5243150753154E1CBA74E3CDD0CDECF09269B88A3944AC12B73DE59909CE6DBBBD3B1B6DA691D144FAC2599645B2017F66BAC64A106437168EC38C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 15%
Joe Sandbox View:	Filename: CyLELjM5zk.exe, Detection: malicious, Browse Filename: setup_x86_x64_install.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..f.x.5.x.5.x.5..r5.x.5..p5dx.5..q5.x.5@..4.x.5@..4.x.5@..4.x.5...5.x.5.x.5Jx.5...4.x.5...4.x.5..\|5.x.5...4.x.5Rich.x.5........................PE..L...f@.a...........!................8........................................p............@..........................&..L...<'..(....P.......................`...... ...p...................0...........@............................................text...M........................... ..`.rdata...].......^..................@..@.data........0....... ..............@....rsrc........P.......(..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	4.579085192120164
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LRios3pM39.exe
File size:	57344
MD5:	bbd9c29060936aa812c2b8aefb14258c
SHA1:	6fea71fbb8f46179942b99101c5b66e6801d43e6
SHA256:	469e5cd00ef10c7cdc37c647e0beca77e233ed11a5f34df087277a7ff3584a72
SHA512:	80d101a71f3d074be3053420158ed0d100dde722e77c6cfbbe0e462e1e5b6038e31efdb304d749b393e45de0e87dae957e39179acb9becdc609f7e0a23977ee3
SSDEEP:	768:PQR+JJlY3yGJxNojkTnJI6TWzzejkZy/xbD9BxufhqXKCljb9:TAoITdT0Zy5bZXYmljb9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../Q..N?..N?..N?.CF`..N?..l4..N?.NR1..N?..h4..N?..h5..N?.NFb..N?..N>..N?..m...N?.Rich.N?.........PE..L....E.a.................p.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40267e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x610745F4 [Mon Aug 2 01:10:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2cdeda7a0aa27475a825e9c41d4d95f0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00408150h
push 00403E38h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00408050h]
xor edx, edx
mov dl, ah
mov dword ptr [0040CF70h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040CF6Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040CF68h], ecx
shr eax, 10h
mov dword ptr [0040CF64h], eax
push 00000001h
call 00007F7EE483BFCBh
pop ecx
test eax, eax
jne 00007F7EE483A8DAh
push 0000001Ch
call 00007F7EE483A980h
pop ecx
call 00007F7EE483B433h
test eax, eax
jne 00007F7EE483A8DAh
push 00000010h
call 00007F7EE483A96Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007F7EE483BC73h
call dword ptr [0040804Ch]
mov dword ptr [0040D658h], eax
call 00007F7EE483BB31h
mov dword ptr [0040CF54h], eax
call 00007F7EE483B8DAh
call 00007F7EE483B81Ch
call 00007F7EE483B57Fh
mov eax, dword ptr [0040CF80h]
mov dword ptr [0040CF84h], eax
push eax
push dword ptr [0040CF78h]
push dword ptr [0040CF74h]
call 00007F7EE483A3A2h
add esp, 0Ch

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8af0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x3d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6ba7	0x7000	False	0.592808314732	data	6.44090698985	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1186	0x2000	False	0.27001953125	data	3.62785728692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x365c	0x3000	False	0.0802408854167	data	0.841200769543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1000	0x1000	False	0.111083984375	data	1.09363315293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe058	0x37c	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, LoadLibraryA, lstrlenW, InterlockedDecrement, CloseHandle, WriteFile, CreateFileW, lstrcatW, GetModuleFileNameW, RaiseException, LocalFree, lstrlenA, InterlockedIncrement, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, HeapSize
USER32.dll	wsprintfW
ole32.dll	CoInitializeSecurity, CoUninitialize, CoInitialize, CoCreateInstance, CoSetProxyBlanket
OLEAUT32.dll	VariantInit, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData, SysStringLen, SysAllocStringLen, SysAllocString, VariantClear, SysFreeString, GetErrorInfo

Version Infos

Description	Data
LegalCopyright	Copyright (C) 1995-2018 VanDyke Software, Inc.
InternalName	License Helper
FileVersion	8.5.0.1740
CompanyName	VanDyke Software, Inc.
Comments	\$Revision: 122570 \$
ProductName	License Helper
ProductVersion	8.5.0.1740
FileDescription	License Helper
OriginalFilename	LicenseHelper.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-23:30:25.906443	UDP	1948	DNS zone transfer UDP	61523	53	192.168.2.4	34.97.69.225
08/03/21-23:30:32.336214	UDP	1948	DNS zone transfer UDP	61523	53	192.168.2.4	34.97.69.225
08/03/21-23:30:45.138738	UDP	1948	DNS zone transfer UDP	61523	53	192.168.2.4	34.97.69.225
08/03/21-23:30:52.389943	UDP	1948	DNS zone transfer UDP	61523	53	192.168.2.4	34.97.69.225
08/03/21-23:30:58.627455	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225
08/03/21-23:30:59.347406	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225
08/03/21-23:31:00.428363	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225
08/03/21-23:31:02.050949	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225
08/03/21-23:31:03.007850	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:30:05.307374001 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.324290037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.324474096 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.328849077 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.345643997 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.349910975 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.349936008 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.349947929 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.350028992 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.357999086 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.374893904 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.376185894 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.426561117 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.440557003 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.457418919 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.991862059 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.991976023 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992001057 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992023945 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992038965 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992060900 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992082119 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992108107 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992130995 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992340088 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.993311882 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993371964 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993395090 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993412971 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993432999 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993781090 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.248852968 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.248888969 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.248912096 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.248923063 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.248992920 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249017954 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249033928 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249066114 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.249093056 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.249475956 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249505997 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249528885 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249551058 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249566078 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.249712944 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.250284910 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.250382900 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.250983953 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251009941 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251044035 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251059055 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251091003 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.251127958 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.251254082 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251276970 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251291037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251358986 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.251729965 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251754999 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251775026 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251796007 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251820087 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.251868963 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.252494097 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252566099 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252583027 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252636909 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.252655983 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.252774000 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252796888 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252819061 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252834082 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252882957 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.252896070 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.253429890 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.301661968 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.504026890 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504053116 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504065037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504071951 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504200935 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.504245043 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504261971 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504272938 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504334927 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.504657984 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504673958 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504744053 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.504981995 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504996061 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505039930 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.505115032 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505132914 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505148888 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505165100 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.505214930 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505250931 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.505769014 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505808115 CEST	443	49739	172.67.146.70	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:29:55.561557055 CEST	58028	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:55.590217113 CEST	53	58028	8.8.8.8	192.168.2.4
Aug 3, 2021 23:29:56.562306881 CEST	53097	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:56.594803095 CEST	53	53097	8.8.8.8	192.168.2.4
Aug 3, 2021 23:29:57.433166981 CEST	49257	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:57.468291998 CEST	53	49257	8.8.8.8	192.168.2.4
Aug 3, 2021 23:29:58.369524002 CEST	62389	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:58.403479099 CEST	53	62389	8.8.8.8	192.168.2.4
Aug 3, 2021 23:29:59.030754089 CEST	49910	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:59.055938005 CEST	53	49910	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:00.170743942 CEST	55854	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:00.206274033 CEST	53	55854	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:00.866367102 CEST	64549	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:00.901896000 CEST	53	64549	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:01.905112028 CEST	63153	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:01.933101892 CEST	53	63153	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:02.607628107 CEST	52991	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:02.632546902 CEST	53	52991	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:03.644952059 CEST	53700	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:03.675741911 CEST	53	53700	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:04.500962973 CEST	51726	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:04.533834934 CEST	53	51726	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:05.245203018 CEST	56794	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:05.253396034 CEST	56534	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:05.280611992 CEST	53	56794	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:05.290131092 CEST	53	56534	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:06.291057110 CEST	56627	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:06.316445112 CEST	53	56627	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:07.023241043 CEST	56621	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:07.055711985 CEST	53	56621	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:08.034720898 CEST	63116	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:08.070385933 CEST	53	63116	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:08.872760057 CEST	64078	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:08.907968044 CEST	53	64078	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:09.665730953 CEST	64801	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:09.698440075 CEST	53	64801	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:10.310719013 CEST	61721	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:10.346422911 CEST	53	61721	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:13.649374962 CEST	51255	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:13.650245905 CEST	61522	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:13.678105116 CEST	53	61522	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:13.681931973 CEST	53	51255	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 23:30:05.253396034 CEST	192.168.2.4	8.8.8.8	0x2608	Standard query (0)	a.goatgame.co	A (IP address)	IN (0x0001)
Aug 3, 2021 23:30:13.649374962 CEST	192.168.2.4	8.8.8.8	0x59c6	Standard query (0)	google.vrthcobj.com	A (IP address)	IN (0x0001)
Aug 3, 2021 23:30:13.650245905 CEST	192.168.2.4	8.8.8.8	0x7714	Standard query (0)	google.vrthcobj.com	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 23:30:05.290131092 CEST	8.8.8.8	192.168.2.4	0x2608	No error (0)	a.goatgame.co	172.67.146.70	A (IP address)	IN (0x0001)
Aug 3, 2021 23:30:05.290131092 CEST	8.8.8.8	192.168.2.4	0x2608	No error (0)	a.goatgame.co	104.21.79.144	A (IP address)	IN (0x0001)
Aug 3, 2021 23:30:13.681931973 CEST	8.8.8.8	192.168.2.4	0x59c6	No error (0)	google.vrthcobj.com	34.97.69.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 3, 2021 23:30:05.349936008 CEST	172.67.146.70	443	192.168.2.4	49739	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jul 18 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jul 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Aug 3, 2021 23:30:05.349936008 CEST	172.67.146.70	443	192.168.2.4	49739	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: LRios3pM39.exe PID: 6960 Parent PID: 5908

General

Start time:	23:30:01
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\LRios3pM39.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LRios3pM39.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	BBD9C29060936AA812C2B8AEFB14258C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 6976 Parent PID: 6960

General

Start time:	23:30:02
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: LRios3pM39.exe PID: 7064 Parent PID: 6960

General

Start time:	23:30:03
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\LRios3pM39.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LRios3pM39.exe' -a
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	BBD9C29060936AA812C2B8AEFB14258C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 7084 Parent PID: 7064

General

Start time:	23:30:04
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report LRios3pM39

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: LRios3pM39.exe PID: 6960 Parent PID: 5908

General