Windows Analysis Report TMB1fxNaqR

Overview

General Information

Sample Name: TMB1fxNaqR (renamed file extension from none to exe)
Analysis ID: 458974
MD5: a92922a71a9bf58cc2d95a6039c9a1b6
SHA1: f419ba1e6da5dfc295857598e44b0a4eb0b3ecfc
SHA256: 213ea943865069cf1210a58860c619a8fa8928258abe8919fee8180feafea547
Tags: 32, exe, trojan

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Creates processes via WMI
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: google.vrthcobj.com Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\sqlite.dll Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: TMB1fxNaqR.exe Virustotal: Detection: 44%
Source: TMB1fxNaqR.exe ReversingLabs: Detection: 59%

Compliance:

Uses 32bit PE files
Source: TMB1fxNaqR.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: sqlite.dll.2.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:58824 -> 34.97.69.225:53
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.146.70
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown DNS traffic detected: queries for: a.goatgame.co
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: TMB1fxNaqR.exe, 00000000.00000002.199960320.000000000075A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Code function: 0_2_004048FD 0_2_004048FD
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD
Sample file is different than original file name gathered from version info
Source: TMB1fxNaqR.exe, 00000000.00000002.200008451.00000000020F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000000.197015002.000000000040E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000002.199945139.0000000000730000.00000002.00000001.sdmp Binary or memory string: originalfilename vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000002.199945139.0000000000730000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215054840.00000000021B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.214734311.000000000040E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215069964.0000000002200000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215033311.0000000002110000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215017751.0000000002100000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215012630.00000000020F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe
Uses 32bit PE files
Source: TMB1fxNaqR.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal76.winEXE@5/2@3/1
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 0_2_00401050
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_01
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe File created: C:\Users\user\AppData\Local\Temp\sqlite.dat
Source: TMB1fxNaqR.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: TMB1fxNaqR.exe Virustotal: Detection: 44%
Source: TMB1fxNaqR.exe ReversingLabs: Detection: 59%
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe File read: C:\Users\user\Desktop\TMB1fxNaqR.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe'
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: sqlite.dll.2.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW, 0_2_004018A0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Code function: 0_2_004065A0 push eax; ret 0_2_004065CE

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Drops PE files
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe File created: C:\Users\user\AppData\Local\Temp\sqlite.dll

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe TID: 3148 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe TID: 5076 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW, 0_2_004018A0
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Code function: 0_2_004053C0 SetUnhandledExceptionFilter, 0_2_004053C0
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Code function: 0_2_004053D2 SetUnhandledExceptionFilter, 0_2_004053D2

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe Code function: 0_2_0040268E EntryPoint,GetVersion,GetCommandLineA, 0_2_0040268E