Windows Analysis Report
LightSpoofer.exe

Overview

General Information

Sample name: LightSpoofer.exe
Analysis ID: 1579340
MD5: a65f59764e28b0a433ff248ea6af608a
SHA1: c9f27343545ba7bb35e76d0886c4670fb2bbbbce
SHA256: 6ebfc0f62cd8b3d496858cbbbc489808087df835709a54415835e31208d1b515
Tags: exe, user-aachum

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Potential thread-based time evasion detected
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by executing a special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

AV Detection

Source: LightSpoofer.exe Virustotal: Detection: 36%
Source: LightSpoofer.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LightSpoofer.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.26.9.59:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: LightSpoofer.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 104.26.9.59 104.26.9.59
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 104.26.9.59:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43
  Host: api.myip.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.myip.com
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://https://https/:://websocketpp.processorGeneric
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0E92000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0E8D000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0E8D000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0E8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com/
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com/Russia
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: LightSpoofer.exe, LightSpoofer.exe, 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage
Source: LightSpoofer.exe, 00000000.00000002.4136772725.00007FF661CED000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/ocornut/imgui/blob/master/docs/FAQ.md#qa-usage(Hold
Source: LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.mic
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1759955726.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1838201876.000002CCA2A22000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1869770850.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1869770850.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1821874330.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1815010928.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA29E3000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA2810000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.2306930819.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1825870311.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1939921750.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1787880746.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1762675022.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1920670025.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1751522050.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1805800803.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.2304535540.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1894061014.000002CCA2808000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1759955726.000002CCA2809000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1825870311.000002CCA2854000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA29A8000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA29FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA29CB000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1838201876.000002CCA2A22000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1771653224.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1833082467.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA29E3000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1844370263.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.3433586346.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1906545811.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA29E4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1787880746.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1739398693.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730997226.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1760758571.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1741934343.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1779684507.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1912255604.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1859449285.000002CCA299F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: LightSpoofer.exe, 00000000.00000003.1877956950.000002CCA29A8000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131769985.000002CCA29FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17kies
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17okiesyB
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: LightSpoofer.exe, 00000000.00000003.1730701144.000002CCA2ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: LightSpoofer.exe, 00000000.00000003.1735642826.000002CCA2974000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1991756112.000002CCA2952000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA2996000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
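
The network evidence above is a single GET / to api.myip.com, a public-IP lookup, sent with a fixed User-Agent that claims Chrome 79 and Edge 79 (both were current in December 2019 and January 2020, so the string is hard-coded rather than taken from an installed browser). Two of the signatures are weaker than they look: 104.26.9.59 is in Cloudflare's 104.24.0.0/14 range fronting api.myip.com, so the "IP address seen in connection with other malware" hit mostly reflects other samples calling the same lookup service, and the loaded wininet.dll, winhttp.dll and schannel.dll show the request went through the Windows HTTP and TLS stack, so the JA3 hash identifies that stack rather than a bespoke TLS client. What is worth a hunting rule is the combination: IP-lookup host, stale browser UA, and a non-browser process. The Python below is an added example, not part of the report, of that rule run over a constructed egress log. api.myip.com and the User-Agent string are taken from the report; the other hosts, the process names and the version threshold are assumptions made for the example.

```python
import re

# Hosts that return the caller's public IP. api.myip.com is the one in this report;
# the rest are common equivalents added for the example.
IP_LOOKUP_HOSTS = {
    "api.myip.com", "api.ipify.org", "ip-api.com", "ipinfo.io",
    "icanhazip.com", "checkip.amazonaws.com",
}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Assumption: the oldest Chrome major you still expect from real browsers in your estate.
STALE_CHROME_MAJOR = 100

CHROME_RE = re.compile(r"\bChrome/(\d+)\.")
EDGE_RE = re.compile(r"\bEdg/(\d+)\.")

# The exact User-Agent the sample sent to api.myip.com (copied from the report).
REPORT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43")


def parse_ua(ua: str) -> dict:
    """Pull the Chrome and Edge major versions out of a Chromium-style User-Agent."""
    chrome, edge = CHROME_RE.search(ua), EDGE_RE.search(ua)
    return {
        "chrome_major": int(chrome.group(1)) if chrome else None,
        "edge_major": int(edge.group(1)) if edge else None,
    }


def score_request(req: dict) -> tuple:
    """Score one egress request; req has keys process, host, path, user_agent.
    Each independent signal adds one point; the report's request trips all three."""
    reasons = []
    ua = parse_ua(req["user_agent"])
    if req["host"].lower() in IP_LOOKUP_HOSTS:
        reasons.append("external IP lookup service")
    if ua["chrome_major"] is not None and ua["chrome_major"] < STALE_CHROME_MAJOR:
        reasons.append(f"stale browser UA (Chrome {ua['chrome_major']})")
    if ua["chrome_major"] is not None and req["process"].lower() not in BROWSER_PROCESSES:
        reasons.append(f"browser UA sent by non-browser process {req['process']}")
    return len(reasons), reasons


def triage(requests):
    """(score, process, host, reasons) per request, highest score first."""
    rows = []
    for r in requests:
        score, reasons = score_request(r)
        rows.append((score, r["process"], r["host"], reasons))
    return sorted(rows, key=lambda row: -row[0])


# CONSTRUCTED egress log: the first entry reproduces the report's request, the
# others are made up to show how ordinary traffic scores.
MODERN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")
SAMPLE_REQUESTS = [
    {"process": "LightSpoofer.exe", "host": "api.myip.com", "path": "/", "user_agent": REPORT_UA},
    {"process": "chrome.exe", "host": "www.ecosia.org", "path": "/search?q=x", "user_agent": MODERN_UA},
    {"process": "msedge.exe", "host": "api.ipify.org", "path": "/", "user_agent": MODERN_UA + " Edg/131.0.0.0"},
    {"process": "updater.exe", "host": "www.example.com", "path": "/check", "user_agent": REPORT_UA},
]

if __name__ == "__main__":
    for score, process, host, reasons in triage(SAMPLE_REQUESTS):
        print(f"{score} {process:18} {host:18} {'; '.join(reasons)}")
```

A browser-looking request to an IP-lookup host from a non-browser process scores 3 here; the same host from a real browser scores 1, which is the level to leave as an enrichment rather than an alert.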

System Summary

Source: LightSpoofer.exe Static PE information: section name: .}]=
Source: LightSpoofer.exe Static PE information: section name: .:=`
Source: LightSpoofer.exe Static PE information: section name: ..f;
Source: C:\Users\user\Desktop\LightSpoofer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CB8A74 0_2_00007FF661CB8A74
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CDC1D0 0_2_00007FF661CDC1D0
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CD251C 0_2_00007FF661CD251C
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CDACE4 0_2_00007FF661CDACE4
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CD2C90 0_2_00007FF661CD2C90
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CB6D94 0_2_00007FF661CB6D94
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CBA110 0_2_00007FF661CBA110
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CCA920 0_2_00007FF661CCA920
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CB28BC 0_2_00007FF661CB28BC
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CB8028 0_2_00007FF661CB8028
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CA3F78 0_2_00007FF661CA3F78
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CB97AC 0_2_00007FF661CB97AC
Source: classification engine Classification label: mal96.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\LightSpoofer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\DZY48GZ0.htm
Source: C:\Users\user\Desktop\LightSpoofer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LightSpoofer.exe, 00000000.00000003.1898472222.000002CCA28A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: xinput1_4.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\LightSpoofer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: LightSpoofer.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: LightSpoofer.exe Static file information: File size 3796992 > 1048576
Source: LightSpoofer.exe Static PE information: Raw size of ..f; is bigger than: 0x100000 < 0x39c600
Source: initial sample Static PE information: section where entry point is pointing to: ..f;
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF661CA8C32 pushfq ; retn 0042h 0_2_00007FF661CA8C39
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF6620DCB2B push rdx; retf 0_2_00007FF6620DCB56
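
The three section names above and the entry point placed inside "..f;" are what the "PE file contains section with special chars", "PE file contains sections with non-standard names" and "Entry point lies outside standard sections" signatures key on, and the raw size of "..f;" (0x39c600 of a 0x39f000-byte file) says almost the whole file is that one section, the usual shape of a packed image. The Python below is an added example, not code from the report or from the sample, that performs those checks directly on the section table without a PE library. The file it builds is constructed and contains headers only: the section names, the 0x39c600 raw size of "..f;", the 0x140000000 image base and the four DllCharacteristics flags are taken from this report, while the RVAs, virtual sizes, section flags and entry-point offset are made up.

```python
import struct

# Section names a normal MSVC / MinGW build emits. Anything else is reported as
# "non-standard"; a name with characters outside [A-Za-z0-9._$] is reported as
# "special chars", matching the two signatures in this report.
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
    ".reloc", ".tls", ".bss", ".CRT", ".xdata", ".gfids", ".00cfg",
}
ALLOWED_NAME_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
# IMAGE_DLLCHARACTERISTICS_* bits, including the four the report lists.
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0100: "NX_COMPAT", 0x4000: "GUARD_CF",
                       0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(pe: bytes) -> dict:
    """Read the COFF header, the optional-header fields needed here and the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<Q" if magic == 0x20B else "<I", pe, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr, _r, _l, _nr, _nl, chars) = \
            struct.unpack_from(SECTION_HEADER, pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "characteristics": chars})
    return {"entry_rva": entry_rva, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections}


def section_for_rva(sections, rva):
    """Name of the section whose virtual range covers `rva`, or None (entry in no section)."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage(pe: bytes) -> dict:
    """The report's static section checks, collected in one dictionary of findings."""
    info = parse_pe(pe)
    names = [s["name"] for s in info["sections"]]
    entry_section = section_for_rva(info["sections"], info["entry_rva"])
    return {
        "entry_section": entry_section,
        "entry_outside_standard_sections": entry_section not in STANDARD_SECTIONS,
        "special_char_sections": [n for n in names if set(n) - ALLOWED_NAME_CHARS],
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
        "oversized_raw_sections": [(s["name"], s["raw_size"])
                                   for s in info["sections"] if s["raw_size"] > 0x100000],
        "dll_characteristics": [v for k, v in sorted(DLL_CHARACTERISTICS.items())
                                if info["dll_characteristics"] & k],
        "image_base": info["image_base"],
    }


def build_sample() -> bytes:
    """CONSTRUCTED input: headers only, no section data. Section names, the 0x39c600
    raw size of '..f;', the 0x140000000 image base and the DllCharacteristics come
    from the report; RVAs, virtual sizes, flags and the entry offset are made up."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+
    struct.pack_into("<I", opt, 16, 0x102000 + 0x1234)         # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)               # ImageBase
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x8000)
    rows = [
        (b".}]=", 0x100000, 0x001000, 0x000000, 0x000000, 0, 0, 0, 0, 0xE0000080),
        (b".:=`", 0x001000, 0x101000, 0x000400, 0x000400, 0, 0, 0, 0, 0xC0000040),
        (b"..f;", 0x39D000, 0x102000, 0x39C600, 0x000800, 0, 0, 0, 0, 0xE0000060),
    ]
    table = b"".join(struct.pack(SECTION_HEADER, *row) for row in rows)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The findings are indicators of a packer or protector, not of a specific one; the report does not identify it, and the same checks fire on many commercial protectors as well as on home-grown packers.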

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\LightSpoofer.exe Memory written: PID: 7328 base: 7FFE2237000D value: E9 BB CB EC FF
Source: C:\Users\user\Desktop\LightSpoofer.exe Memory written: PID: 7328 base: 7FFE2223CBC0 value: E9 5A 34 13 00
Source: C:\Users\user\Desktop\LightSpoofer.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\LightSpoofer.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
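
Decoding the two "Memory written" records above shows that the writes are not independent. Both are five-byte E9 rel32 jumps, and each lands a few bytes past the other: the jmp written at 0x7FFE2223CBC0 goes to 0x7FFE2237001F, and the jmp written at 0x7FFE2237000D goes to 0x7FFE2223CBCD, thirteen bytes past the first patch. That is the geometry of an inline hook with a trampoline: the first jmp diverts the hooked function to a detour, the thirteen displaced prologue bytes are copied to 0x7FFE22370000, and the second jmp returns from the end of that copy into the original function. The Python below is an added example, not part of the report or of the sample, that does the decoding and the pairing; the assignment of hook and trampoline roles is a heuristic and is labelled as such in the code. The report does not say which module 0x7FFE2223CBC0 belongs to, so the hooked function cannot be named from this page.

```python
import struct

MASK64 = (1 << 64) - 1

# The two "Memory written" records from the report (PID 7328):
# (address the bytes were written to, the five bytes written).
PATCHES = [
    (0x7FFE2237000D, bytes.fromhex("E9BBCBECFF")),
    (0x7FFE2223CBC0, bytes.fromhex("E95A341300")),
]


def decode_jmp_rel32(base: int, code: bytes) -> int:
    """Absolute target of an x86-64 `E9 rel32` (jmp near, relative) written at `base`.

    The displacement is a signed 32-bit little-endian value counted from the end
    of the 5-byte instruction: target = base + 5 + rel32 (mod 2**64).
    """
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError(f"not a 5-byte jmp rel32: {code.hex()}")
    rel32 = struct.unpack("<i", code[1:5])[0]
    return (base + 5 + rel32) & MASK64


def decode_patches(patches):
    """Map each patched address to the address its jump lands on."""
    return {base: decode_jmp_rel32(base, code) for base, code in patches}


def find_round_trips(targets, window=0x40):
    """Pairs (a, b) where a's jump lands within `window` bytes after b and b's
    jump lands within `window` bytes after a. That mutual relation is the shape
    of an inline hook: the jmp planted on the hooked function goes to the
    detour, and the trampoline (displaced prologue bytes followed by a jmp)
    returns into the hooked function just past the bytes the first jmp replaced.
    """
    pairs = []
    bases = sorted(targets)
    for i, a in enumerate(bases):
        for b in bases[i + 1:]:
            if 0 <= targets[a] - b < window and 0 <= targets[b] - a < window:
                pairs.append((a, b))
    return pairs


def classify_pair(a, b, targets):
    """Decide which of a mutually referencing pair is the hook and which the trampoline.

    Heuristic (an assumption, not something the report states): the trampoline
    jumps back to hook + N, where N is the number of original bytes the hook
    overwrote and relocated, and the trampoline's own jmp sits N bytes into its
    buffer (relocated bytes first, return jmp last). The buffer comes from an
    allocator, so its start should be at least 16-byte aligned. Returns None
    when neither orientation fits or both do.
    """
    def fits(hook, tramp):
        displaced = targets[tramp] - hook
        buffer_start = tramp - displaced
        return displaced >= 5 and buffer_start % 16 == 0, displaced, buffer_start

    ok_ab, n_ab, buf_ab = fits(a, b)
    ok_ba, n_ba, buf_ba = fits(b, a)
    if ok_ab and not ok_ba:
        hook, tramp, displaced, buf = a, b, n_ab, buf_ab
    elif ok_ba and not ok_ab:
        hook, tramp, displaced, buf = b, a, n_ba, buf_ba
    else:
        return None
    return {"hook": hook, "detour": targets[hook], "trampoline": tramp,
            "displaced_bytes": displaced, "trampoline_buffer": buf}


if __name__ == "__main__":
    targets = decode_patches(PATCHES)
    for base, target in sorted(targets.items()):
        print(f"jmp at {base:#x} -> {target:#x}")
    for a, b in find_round_trips(targets):
        print(classify_pair(a, b, targets))
```

A sandbox that records only the bytes written cannot tell a self-applied hook from one placed in another process; both writes here carry the same PID, and a dump of the 0x7FFE22370000 page together with the module list at that moment would settle what was hooked and what the detour at 0x7FFE2237001F does.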

Malware Analysis System Evasion

Source: Initial file Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\LightSpoofer.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\LightSpoofer.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\LightSpoofer.exe Special instruction interceptor: First address: 7FF6624B2055 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\LightSpoofer.exe Special instruction interceptor: First address: 7FF6624B2076 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened / queried: VBoxMiniRdrDN
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF66213F8A2 rdtsc 0_2_00007FF66213F8A2
Source: C:\Users\user\Desktop\LightSpoofer.exe Window / User API: threadDelayed 5782
Source: C:\Users\user\Desktop\LightSpoofer.exe Window / User API: foregroundWindowGot 1687
Source: LightSpoofer.exe, 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware ToolsNOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/LoadLibraryA
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsdvboxserviceu
Source: LightSpoofer.exe, 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: Kernel32.dllKernel32.dll\\.\VBoxMiniRdrDN
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vboxtrayx64dbgh
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: LightSpoofer.exe, 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
Source: LightSpoofer.exe, 00000000.00000002.4136809939.00007FF661FAC000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: \\.\VBoxMiniRdrDN
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4131654747.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000002.4130559701.000002CCA0999000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1735330542.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1730804959.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp, LightSpoofer.exe, 00000000.00000003.1736758764.000002CCA0ED4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: wiresharkvmwareuseri
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: qemu-gaVGAuthServicevmwaretrayv
Source: C:\Users\user\Desktop\LightSpoofer.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LightSpoofer.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\LightSpoofer.exe Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\LightSpoofer.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\LightSpoofer.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\LightSpoofer.exe Code function: 0_2_00007FF66213F8A2 rdtsc 0_2_00007FF66213F8A2

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LightSpoofer.exe NtProtectVirtualMemory: Direct from: 0x7FF662309FA1
Source: C:\Users\user\Desktop\LightSpoofer.exe NtQueryInformationProcess: Direct from: 0x7FF66216B64E
Source: C:\Users\user\Desktop\LightSpoofer.exe NtQueryInformationProcess: Direct from: 0x7FF6622D8A27
Source: C:\Users\user\Desktop\LightSpoofer.exe NtProtectVirtualMemory: Direct from: 0x7FF6621A84F7
Source: C:\Users\user\Desktop\LightSpoofer.exe NtProtectVirtualMemory: Direct from: 0x7FF662171C72
Source: C:\Users\user\Desktop\LightSpoofer.exe NtQuerySystemInformation: Direct from: 0x7FF662171C51
Source: C:\Users\user\Desktop\LightSpoofer.exe NtSetInformationProcess: Direct from: 0x7FF662309991
Source: C:\Users\user\Desktop\LightSpoofer.exe NtProtectVirtualMemory: Direct from: 0x7FF662306851
Source: C:\Users\user\Desktop\LightSpoofer.exe NtQuerySystemInformation: Direct from: 0x7FF6621C842C
Source: C:\Users\user\Desktop\LightSpoofer.exe NtQuerySystemInformation: Direct from: 0x7FF66230F56F
Source: C:\Users\user\Desktop\LightSpoofer.exe NtProtectVirtualMemory: Direct from: 0x7FF6621D1F6B
Source: C:\Users\user\Desktop\LightSpoofer.exe NtQuerySystemInformation: Direct from: 0x7FF6621B996E
Source: C:\Users\user\Desktop\LightSpoofer.exe NtSetInformationThread: Direct from: 0x7FF6621A8523
Source: C:\Users\user\Desktop\LightSpoofer.exe NtQueryInformationProcess: Direct from: 0x7FF6622DBDC8
Source: C:\Users\user\Desktop\LightSpoofer.exe NtProtectVirtualMemory: Direct from: 0x7FF66248A3B6
Source: C:\Users\user\Desktop\LightSpoofer.exe NtProtectVirtualMemory: Direct from: 0x7FF662171F10

Stealing of Sensitive Information

Source: LightSpoofer.exe, 00000000.00000003.2184192889.000002CCA09F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: LightSpoofer.exe, 00000000.00000003.1986371452.000002CCA0EAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: LightSpoofer.exe, 00000000.00000003.2184192889.000002CCA09F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Jaxx
Source: LightSpoofer.exe, 00000000.00000002.4131031186.000002CCA0A2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ming\Exodus\exodus.wallet
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \Daedalus Mainnet\Ethereum\Guarda\Local Storage\leveldb\Zcash
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets
Source: LightSpoofer.exe, 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\prefs.js
Source: C:\Users\user\Desktop\LightSpoofer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match File source: 0.2.LightSpoofer.exe.2cca0b881d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4131199142.000002CCA0A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LightSpoofer.exe PID: 7328, type: MEMORYSTR