Windows
Analysis Report
LG3adrtYi2.exe
Overview
General Information
Sample name: | LG3adrtYi2.exerenamed because original name is a hash value |
Original sample name: | de36bc2bfc3c67820ebd75c912fadc3d.exe |
Analysis ID: | 1448262 |
MD5: | de36bc2bfc3c67820ebd75c912fadc3d |
SHA1: | 38bd51e1052ae5bede5293827e87d6f494b204c8 |
SHA256: | 2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16 |
Tags: | 32exetrojan |
Infos: | |
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
LG3adrtYi2.exe (PID: 2708 cmdline:
"C:\Users\ user\Deskt op\LG3adrt Yi2.exe" MD5: DE36BC2BFC3C67820EBD75C912FADC3D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Phorpiex | Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings. | No Attribution |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Phorpiex_5 | Yara detected Phorpiex | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Phorpiex_5 | Yara detected Phorpiex | Joe Security | ||
JoeSecurity_Phorpiex_5 | Yara detected Phorpiex | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira: | ||
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Phishing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00F028F0 |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Binary or memory string: | memstr_0978e8bc-c |
Spam, unwanted Advertisements and Ransom Demands |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Dropped File: | ||
Source: | Dropped File: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | LNK file: | ||
Source: | LNK file: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00F03234 |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file | ||
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: | graph_0-544 | ||
Source: | Evasive API call chain: | graph_0-544 |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
Source: | Dropped PE file which has not been started: | Jump to dropped file |
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00F028F0 |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | API call chain: | graph_0-546 |
Anti Debugging |
---|
Source: | Process Stats: |
Source: | Code function: | 0_2_00F03358 |
Source: | Code function: | 0_2_00F01D30 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Code function: | 0_2_00F03358 |
Source: | Code function: | 0_2_00F03288 |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 122 Virtualization/Sandbox Evasion | 11 Input Capture | 1 System Time Discovery | Remote Services | 11 Input Capture | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 122 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 2 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
68% | ReversingLabs | Win32.Ransomware.GandCrab | ||
73% | Virustotal | Browse | ||
100% | Avira | TR/AD.Phorpiex.zicsf |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | W32/Infector.Gen | ||
100% | Avira | W32/Infector.Gen | ||
100% | Joe Sandbox ML | |||
79% | ReversingLabs | Win32.Ransomware.GandCrab | ||
71% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1448262 |
Start date and time: | 2024-05-28 07:12:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 7m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | LG3adrtYi2.exerenamed because original name is a hash value |
Original Sample Name: | de36bc2bfc3c67820ebd75c912fadc3d.exe |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@1/4@0/0 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
Time | Type | Description |
---|---|---|
01:12:54 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | Get hash | malicious | Phorpiex | Browse | ||
Get hash | malicious | Phorpiex | Browse | |||
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe | Get hash | malicious | Phorpiex | Browse | ||
Get hash | malicious | Phorpiex | Browse |
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe ![AV hit](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAXCAYAAAARIY8tAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyFpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMTQyIDc5LjE2MDkyNCwgMjAxNy8wNy8xMy0wMTowNjozOSAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6N0I2MkE5MENFMDExMTFFN0IwMUVBNjlCREU2MTc3OTIiIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6N0I2MkE5MEJFMDExMTFFN0IwMUVBNjlCREU2MTc3OTIiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENDIChXaW5kb3dzKSI+IDx4bXBNTTpEZXJpdmVkRnJvbSBzdFJlZjppbnN0YW5jZUlEPSJ4bXAuaWlkOjUxREYxNzEwRTAxMTExRTc4NzA2RDNFQTNEMTNCRTY1IiBzdFJlZjpkb2N1bWVudElEPSJ4bXAuZGlkOjUxREYxNzExRTAxMTExRTc4NzA2RDNFQTNEMTNCRTY1Ii8+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3JkZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZW5kPSJyIj8+WYtJ4AAAArxJREFUeNqsVU2IUlEUPu89fxJnBkW30y4KElpFtRnTpSmBIuQmysiVEaSBJkHLCMbQTaQVhD+VWqDgOAhtQiKZaDG1aAaMFi4CUzDJ1Abt3JdPnvp8KnXgcO99597vO++cc8+lBoMB8IWiKBCSGx4PMZxHvbO/t3dMubJyXyKR3E7E4wdC+zlcah4BAqtwsKNeRz1Ovn3c3WVtMpmsp1QqX0plsltI9HUhAo/XewSHk0M9NRwl/D0cAd8puVzeQqIv+FdlhmG2kolEFiYPDmUflhTiZKfTWUU9gUuiLsJLbLTA/gP4R+GHWYjg57KANE2D3W4Hp9PJglM0PfhvBBhz8Pv94HA4oFgssuGiKaovRtBbxnOfzwd6vR6CwSBUq1XuuyhBbVECt9sNGxsbkM/noVQq8Ym7YgTfFgG3Wq1gNpuhVqtBNBods2GZ/hAj+DwPXKfTgcvlYufhcBja7fZkXipiBB94noDFYgGtVjsyKhQKCAQCbPzL5TKrk8JIJO/ECF6Tu0Mmh9fX4Swm8KbXCwaDgQW12Wyg0Wig3+9DJBIRriyGeTC6E0K9CPvPW5yeIetzJhMYjUbWVq/XWXAiJLGhUGgKHP+wmcvlVBwuPSPMj7lJYXsbKpW/IeXAsSVALBYTPHhIociMlfIMgufEYTIhoYjF49BqtUbGbDYLjUZjOvYM05dKpb65BMHNTXKb73FrAk5IyG/3ej3IZDKCXq2urb3Ctv19LB8i1UgC7EQ9ShYkTFuFAltFzWZzajO26y6+D5enGp/Yg4PJPo3DG1QpZ0MQeL+zM3VGo9VeeJZMvph8cGixC4WhIvV8jX+o2+1O7VOpVE/54IskmU/yEAf/LDuCF1Kp1KWZDXGRvoMkd3G4ivqbHxa1Wv0knU6bRDvuop0TSR4NL98nTOgvvBMX0fMr8879EWAAxCD3JoAqg14AAAAASUVORK5CYII=)
![malicious](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAXCAYAAAARIY8tAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyFpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMTQyIDc5LjE2MDkyNCwgMjAxNy8wNy8xMy0wMTowNjozOSAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENDIChXaW5kb3dzKSIgeG1wTU06SW5zdGFuY2VJRD0ieG1wLmlpZDo1MURGMTcxMEUwMTExMUU3ODcwNkQzRUEzRDEzQkU2NSIgeG1wTU06RG9jdW1lbnRJRD0ieG1wLmRpZDo1MURGMTcxMUUwMTExMUU3ODcwNkQzRUEzRDEzQkU2NSI+IDx4bXBNTTpEZXJpdmVkRnJvbSBzdFJlZjppbnN0YW5jZUlEPSJ4bXAuaWlkOjUxREYxNzBFRTAxMTExRTc4NzA2RDNFQTNEMTNCRTY1IiBzdFJlZjpkb2N1bWVudElEPSJ4bXAuZGlkOjUxREYxNzBGRTAxMTExRTc4NzA2RDNFQTNEMTNCRTY1Ii8+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3JkZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZW5kPSJyIj8+ndzG2gAAA2JJREFUeNq0VVtIlEEU/nZXaTc1txbLMkrFxAuolA+Z3dQgqIdE0dSy1gclezJt1VWrh9TSBzUqKCorMs1L0ENJqV0helBMxTCSykUSzby77pKX7czorr/r6mLggcPMf/453zdz5pwzIoPBgNUUMVZZRJaM0evlUTRUrRArpmpouNIqAYFLaeggdV0hgYbUm0h01kJ0zhK4o9NGwdzJEsF20tRl74B270xDltC2RiZDpEqFTa7bTbbNHh6ISEvj/8xETRhbljtBPqm90JBV8xTa4WF8a2w02b5++oSJ0VGoq2vMCezmMBYTEPNOGpTmHjIHBwz09CyKB7OtXbfOUqhOEVagpROULJVVTCS2tjiafJYrm1vJzBIi4Vg2grTct5THjl2BiM5UQz8xwb8PxsXhc339ciTBDJa0UjyXloWWVsns7XmIjqWk8H29vH0Lz2/eoLmI29g/pktIAWHLJL4yqYo+IheckQAOxMZCVV4BhYuLKU19gvfCOygILp6eszcqlyPk5AmMDQ5C095uTiAn1TECVrGmbbj6+UFVVoag8HA8K7mGvzodnN3dIRaLURgXi8baFzxEM9PTNK9F3b27iL14CbvDj+FHSwuG+/qEJL4iOoZamFqn869AameHJ7mXMdLfj/tdGlxPSsSeiEhMjIxgemoKDooNeFv2GOdpIwlUHyyUx7NzwBrnwyy1kCCHZVExaZfRohsbw920VA5uFL1Wi5E//TicmIgjyckY6u0lsBnTf934OB5dyOG1YdY6iiRf9PopChNLdJZJ3PG3RjMPTs5JxSWccJu3z2wN/OrhlVyZl4vvzc3cZpiZYc7o7+42up6hvtQiEhTaB5aqIoo1XywQB4UCUekZ/ARMXt25g+rCAowNDCwsgHnfjwyLCAwS023IpK00JNEuRHaOjvwS2WIGHpOdjdD4eNSVlqKzqQmHlErYr5fzOUsCiY0NmA+bs8OwrCTwnkXtmk5RSkMCq9SQuBPw3b8P/qFh+NnaigfqTHR3dPB1W728kHDlKtwCAtD65jXa33/Au4pyTE9Ost8PCVxp8T2Y66adxobHct/N3w8tDQ0WKykgjMjb2oQJoSX1NO5+qQdHbd4RVyA5BJ5n7cFZkLYrfNGKrD76tAM9Den/QZBh/lwy+SfAAK5qO2iUYLhmAAAAAElFTkSuQmCC)
Download File
Process: | C:\Users\user\Desktop\LG3adrtYi2.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4436200 |
Entropy (8bit): | 6.56749584340829 |
Encrypted: | false |
SSDEEP: | 98304:XlkkCqyDEY7+o3OBvfGVY+40yajyS+9s/pL:1kkCqaE68eV+0y8E6L |
MD5: | 3628A0C7F2AE1396600281E7EF409232 |
SHA1: | FF26E243C3CEAB3BA70D02663A9DF109F118504F |
SHA-256: | 334EB73AFEC7E581BC3D755494F1BF1C4164D4DB7671F2581EA0A1E48E94CCBA |
SHA-512: | 23D3CE5D3B49ECCBEB2E41C97E011128A034640CE5BAF7F9FABF898CB1C05FD88FA2DA1BA439FE213E99AFCE9F8530BB69A5C7EF0843985A514C8B64F9E1B060 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: | |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk
Download File
Process: | C:\Users\user\Desktop\LG3adrtYi2.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1230 |
Entropy (8bit): | 4.632027866898637 |
Encrypted: | false |
SSDEEP: | 24:8mILQv/ErdOE47gLOCOUANHdx4dLoUUFcqEqCqySm:8mUQvcrdOmLLiNHdedL905h/yS |
MD5: | 350FA50DC58FD12A16E26A371ACC95CD |
SHA1: | 706EB6FDA3D19BD277C9E4ACFF30C6E73D27CE0C |
SHA-256: | BFC14A8741014EA128F0C07D657FE022FE05466BDDB322D20DDB54E3E6D92B5E |
SHA-512: | D8BC37B90B3D6931A72C8341D9E0FC1932B81717378D8241AA240258430C81A70D90300223FA71B51BB40429E1436CBB8A383A2428AB508FBEA7AE556D56BC89 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk
Download File
Process: | C:\Users\user\Desktop\LG3adrtYi2.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1208 |
Entropy (8bit): | 4.62426465035476 |
Encrypted: | false |
SSDEEP: | 24:8m/HvtQv/ErdOE47gLO4jQA52dq4dLoUUFcQ+qySm:8mtQvcrdOmLXj52djdL903yS |
MD5: | 6E3815AD2A00A3C631CBE8A61788A64D |
SHA1: | 8ED178302DDFEC730D9195A9C053A6288FA73B5E |
SHA-256: | 091004254BC3CED0CC62046CDF4D252E7C626A4B444D966CC8F312BCD4AAC127 |
SHA-512: | 0BB6B9E89BC691A5E2B58E591C5F052B6FBF94B3C960ABAB5C40EBAFB23FF7D918222DCA30B42AE507AE057D27253AAAA1F21DA079EED7FCBE28FD89DAEB1F54 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\LG3adrtYi2.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 654688 |
Entropy (8bit): | 7.191280968775951 |
Encrypted: | false |
SSDEEP: | 12288:enMwHskY7gjcjhVIEhqgM7bWvcsi6aVUfIy5U40vy3W/ceKSHMsiFyY6XN:4MysZgjS1hqgSC/izkfKjymk4HM5yJ |
MD5: | E58562571DD10FEE8B3236E647F7654F |
SHA1: | BBA519F10EBBBAED3DEE6DA9C9327191C5FEB6C7 |
SHA-256: | F6B6E8A5ECEABC8B6D2F96B1999E16034E32AB6A2FDE2254110A61A27817F956 |
SHA-512: | EDEF5991FFE0C5B19C091C549FC9E99E29506416A404F612E792C51853A6C50ABE3CE2C191ABE5780E8AC70246C89F37A0AD9A8BC7A3090BCAC930A9890D0064 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: | |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.902965139121553 |
TrID: |
|
File name: | LG3adrtYi2.exe |
File size: | 20'480 bytes |
MD5: | de36bc2bfc3c67820ebd75c912fadc3d |
SHA1: | 38bd51e1052ae5bede5293827e87d6f494b204c8 |
SHA256: | 2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16 |
SHA512: | efbc8a797e95f00c142c4c02c2f3faf4f46fabcdcd1a99d81df7581244a22f0b81f846d15de3b5f4b6d323deff555fd569db57aff3171ffebf27c03e4d53e6ef |
SSDEEP: | 384:5QpiPUjq7B0CiUAxIAtlYxJ4JVB00rXMSKRC:1PUu7cUyTYOvrX3 |
TLSH: | DE921906A95A539BE836187063B31D25A0797E72631D95CFFB8005791270EE4FA3335A |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\...=...=...=...EX..=...E^..=...EH..=.......=...=...=...EO..=...EZ..=..Rich.=..................PE..L...;[Kf.................&. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x402f0b |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x664B5B3B [Mon May 20 14:16:27 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | fb0ee5bafbb99ce467989526f0be15c6 |
Instruction |
---|
call 00007F9EE47DAA8Dh |
jmp 00007F9EE47DA44Bh |
mov edi, edi |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
mov eax, dword ptr [eax] |
cmp dword ptr [eax], E06D7363h |
jne 00007F9EE47DA73Ch |
cmp dword ptr [eax+10h], 03h |
jne 00007F9EE47DA736h |
mov eax, dword ptr [eax+14h] |
cmp eax, 19930520h |
je 00007F9EE47DA727h |
cmp eax, 19930521h |
je 00007F9EE47DA720h |
cmp eax, 19930522h |
je 00007F9EE47DA719h |
cmp eax, 01994000h |
jne 00007F9EE47DA717h |
call 00007F9EE47DAAE2h |
xor eax, eax |
pop ebp |
retn 0004h |
push 00402F15h |
call dword ptr [00404034h] |
xor eax, eax |
ret |
int3 |
jmp dword ptr [00404108h] |
push 00000014h |
push 00405500h |
call 00007F9EE47DA979h |
push dword ptr [00406384h] |
mov esi, dword ptr [004040B0h] |
call esi |
pop ecx |
mov dword ptr [ebp-1Ch], eax |
cmp eax, FFFFFFFFh |
jne 00007F9EE47DA71Eh |
push dword ptr [ebp+08h] |
call dword ptr [004040B4h] |
pop ecx |
jmp 00007F9EE47DA779h |
push 00000008h |
call 00007F9EE47DAAA3h |
pop ecx |
and dword ptr [ebp-04h], 00000000h |
push dword ptr [00406384h] |
call esi |
mov dword ptr [ebp-1Ch], eax |
push dword ptr [00406380h] |
call esi |
pop ecx |
pop ecx |
mov dword ptr [ebp-20h], eax |
lea eax, dword ptr [ebp-20h] |
push eax |
lea eax, dword ptr [ebp-1Ch] |
push eax |
push dword ptr [ebp+08h] |
mov esi, dword ptr [004040CCh] |
call esi |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x553c | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x2a8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0x1f4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5470 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4000 | 0x138 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2464 | 0x2600 | c84b200cde39954c6014ca310200a419 | False | 0.5229235197368421 | data | 6.06274270454507 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x4000 | 0x1bf2 | 0x1c00 | a98880f3ac0c29ffd7f2d418a7f00788 | False | 0.4619140625 | OpenPGP Secret Key | 5.507400626408515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6000 | 0x38c | 0x200 | 202a0f14ba4a024e6a35d5895669b769 | False | 0.060546875 | data | 0.35275948821577235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x7000 | 0x2a8 | 0x400 | 969c292b926b1e9b3c0ce2da6f58292a | False | 0.3564453125 | data | 5.177428148708584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x8000 | 0x286 | 0x400 | f932fe66e3eea67c82e1853a32db63b5 | False | 0.4814453125 | data | 3.8079558155782713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x7058 | 0x250 | ASCII text, with CRLF line terminators | English | United States | 0.5084459459459459 |
DLL | Import |
---|---|
SHLWAPI.dll | PathCombineW, StrCmpNW |
MSVCR90.dll | _crt_debugger_hook, _controlfp_s, _invoke_watson, _except_handler4_common, _decode_pointer, _onexit, _lock, __dllonexit, _unlock, ?terminate@@YAXXZ, __set_app_type, _encode_pointer, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _amsg_exit, wcsstr, memcpy, memset |
KERNEL32.dll | IsDebuggerPresent, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, InterlockedExchange, ExitThread, FindFirstFileW, lstrcmpW, FindNextFileW, GetLogicalDrives, GetDriveTypeW, QueryDosDeviceW, lstrcpyW, GetFileSize, CreateFileMappingA, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, SetFilePointer, SetEndOfFile, CreateFileW, CloseHandle, CreateThread, ExitProcess, GetLastError, CreateMutexA, Sleep |
USER32.dll | CharLowerW |
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegQueryValueExW |
ole32.dll | CoInitializeEx |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 28, 2024 07:13:14.417252064 CEST | 53 | 59055 | 1.1.1.1 | 192.168.2.4 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Target ID: | 0 |
Start time: | 01:12:52 |
Start date: | 28/05/2024 |
Path: | C:\Users\user\Desktop\LG3adrtYi2.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf00000 |
File size: | 20'480 bytes |
MD5 hash: | DE36BC2BFC3C67820EBD75C912FADC3D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage: | 19.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 16.7% |
Total number of Nodes: | 132 |
Total number of Limit Nodes: | 5 |
Graph
Callgraph
Function 00F028F0 Relevance: 52.7, APIs: 13, Strings: 17, Instructions: 152sleepfilestringCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00F02450 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 226fileCOMMON
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00F02830 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55registryCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00F01000 Relevance: 10.5, APIs: 7, Instructions: 28sleepsynchronizationthreadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00F02B80 Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00F02750 Relevance: 1.3, APIs: 1, Instructions: 32stringCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00F01D30 Relevance: .0, Instructions: 5COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|