Windows Analysis Report 666.exe

Overview

General Information

Sample Name: 666.exe
Analysis ID: 554441
MD5: fae2a60811bd10fd137f16c183ee1bc5
SHA1: a119e25fbe0e1419931d0c07ec37c9c7e0631679
SHA256: e6c357c2c7c70b4630dbdcd86df2d98ed28cbd47a9efcbf727fe0fdbc5d5fefa
Tags: Backdoor, exe

Detection

Young Lotus
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Young Lotus
Found evasive API chain (may stop execution after checking mutex)
Checks if browser processes are running
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Contains functionality to clear windows event logs (to hide its activities)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Found evasive API chain (may stop execution after accessing registry keys)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to delete services

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 666.exe Avira: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.666.exe.10000000.2.unpack Avira: Label: TR/Spy.Gen

Compliance:

Uses 32bit PE files
Source: 666.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_004221FD FindFirstFileA,FindClose, 0_2_004221FD
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00421E04 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00421E04

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\666.exe Code function: 4x nop then push 0043963Ch 0_2_00403EF0
Source: C:\Users\user\Desktop\666.exe Code function: 4x nop then test esi, esi 0_2_00403EF0
Source: C:\Users\user\Desktop\666.exe Code function: 4x nop then mov al, 01h 0_2_00401081
Source: C:\Users\user\Desktop\666.exe Code function: 4x nop then add ebx, 00000000h 0_2_00403E90
Source: C:\Users\user\Desktop\666.exe Code function: 4x nop then mov cl, byte ptr [eax] 0_2_00403E90

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /sj.jpg HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.224.169.155
  Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49734 -> 185.224.169.155:1688
Source: unknown TCP traffic detected without corresponding DNS query: 185.224.169.155
Source: 666.exe String found in binary or memory: http://185.224.169.155/sj.jpg
Source: 666.exe, 00000000.00000002.498166247.00000000023F0000.00000004.00000040.sdmp, 666.exe, 00000000.00000002.497591207.0000000000768000.00000004.00000020.sdmp, 666.exe, 00000000.00000002.497269142.000000000019C000.00000004.00000001.sdmp String found in binary or memory: http://185.224.169.155/sj.jpg(
Source: 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp String found in binary or memory: http://185.224.169.155/sj.jpg55F5B4A0
Source: 666.exe, 00000000.00000002.497671581.00000000007B4000.00000004.00000001.sdmp, 666.exe, 00000000.00000003.232507176.00000000007B3000.00000004.00000001.sdmp String found in binary or memory: http://185.224.169.155/sj.jpg8vd
Source: 666.exe String found in binary or memory: http://185.224.169.155/sj.jpg=J
Source: 666.exe, 00000000.00000002.497671581.00000000007B4000.00000004.00000001.sdmp, 666.exe, 00000000.00000003.232507176.00000000007B3000.00000004.00000001.sdmp String found in binary or memory: http://185.224.169.155/sj.jpgLMEM
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp String found in binary or memory: http://185.224.169.155/sj.jpgMZ
Source: 666.exe, 00000000.00000003.232609428.00000000007E8000.00000004.00000001.sdmp, 666.exe, 00000000.00000003.232507176.00000000007B3000.00000004.00000001.sdmp, 666.exe, 00000000.00000002.497783948.00000000007E9000.00000004.00000001.sdmp String found in binary or memory: http://185.224.169.155/sj.jpgPPC:
Source: 666.exe, 00000000.00000002.497577481.0000000000760000.00000004.00000020.sdmp String found in binary or memory: http://185.224.169.155/sj.jpgiC:
Source: 666.exe, 00000000.00000002.497808299.00000000007F2000.00000004.00000001.sdmp, 666.exe, 00000000.00000003.232552176.00000000007F2000.00000004.00000001.sdmp String found in binary or memory: http://185.224.169.155/sj.jpgk
Source: 666.exe, 00000000.00000002.497808299.00000000007F2000.00000004.00000001.sdmp, 666.exe, 00000000.00000003.232552176.00000000007F2000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10001509 select,memset,recv, 0_2_10001509

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 666.exe, 00000000.00000002.497591207.0000000000768000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00427A90 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA, 0_2_00427A90
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00427AA5 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 0_2_00427AA5
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00420D67 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00420D67
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0041EDB2 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_0041EDB2

E-Banking Fraud:

Checks if browser processes are running
Source: C:\Users\user\Desktop\666.exe Code function: strlen,memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command 0_2_100027CF

System Summary:

Uses 32bit PE files
Source: 666.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10001FB1 ExitWindowsEx, 0_2_10001FB1
Detected potential crypto function
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0041B240 0_2_0041B240
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_004134B3 0_2_004134B3
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00416953 0_2_00416953
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00401AE0 0_2_00401AE0
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0041DF04 0_2_0041DF04
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\666.exe Code function: String function: 0040E9B8 appears 154 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10002EA2 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,memset,memset,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,LoadLibraryA,GetProcAddress,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_10002EA2
Sample file is different than original file name gathered from version info
Source: 666.exe, 00000000.00000002.497493265.000000000044E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameProgram.EXE: vs 666.exe
Source: 666.exe Binary or memory string: OriginalFilenameProgram.EXE: vs 666.exe
PE file contains strange resources
Source: 666.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\666.exe Section loaded: devenum.dll
Source: C:\Users\user\Desktop\666.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\666.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\666.exe Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\666.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\666.exe Section loaded: msvfw32.dll
Contains functionality to delete services
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10002178 OpenSCManagerA,OpenServiceA,DeleteService,GetVersionExA,exit, 0_2_10002178
Source: 666.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\666.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\666.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\666.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\sj[1].jpg
Source: classification engine Classification label: mal64.bank.troj.evad.winEXE@1/2@0/2
Source: C:\Users\user\Desktop\666.exe Code function: GetModuleFileNameA,wsprintfA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,_mbscpy,_mbscat,RegOpenKeyA,lstrlenA,RegSetValueExA, 0_2_10004308
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00422F64 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA, 0_2_00422F64
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10003EC4 ??2@YAPAXI@Z,memcpy,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetModuleFileNameA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,memset,GetModuleFileNameA,SHGetSpecialFolderPathA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,Sleep,Sleep,Sleep,StartServiceCtrlDispatcherA,StartServiceCtrlDispatcherA,Sleep,StartServiceCtrlDispatcherA,GetModuleFileNameA,CopyFileA,Sleep,ExitProcess,memset,GetModuleFileNameA,SHGetSpecialFolderPathA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,Sleep, 0_2_10003EC4
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00404050 Sleep,Sleep,Sleep,Sleep,CreateToolhelp32Snapshot,Sleep,Sleep,Sleep,Sleep,Process32First,lstrcmpiA,lstrcmpiA,Process32Next,FindCloseChangeNotification,CloseHandle, 0_2_00404050
Source: C:\Users\user\Desktop\666.exe Mutant created: \Sessions\1\BaseNamedObjects\185.224.169.155:1688
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0041B240 GetSysColor,GetSystemMetrics,FindResourceA,SizeofResource,LoadResource,GlobalAlloc,GetDC,CreateDIBitmap,ReleaseDC,GlobalFree, 0_2_0041B240

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0040E310 push eax; ret 0_2_0040E33E
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0040E9B8 push eax; ret 0_2_0040E9D6
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10005BEC push eax; ret 0_2_10005C0A
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10005C20 push eax; ret 0_2_10005C4E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0041F585 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 0_2_0041F585
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10003EC4 ??2@YAPAXI@Z,memcpy,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetModuleFileNameA,GetModuleFileNameA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,memset,GetModuleFileNameA,SHGetSpecialFolderPathA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,Sleep,Sleep,Sleep,StartServiceCtrlDispatcherA,StartServiceCtrlDispatcherA,Sleep,StartServiceCtrlDispatcherA,GetModuleFileNameA,CopyFileA,Sleep,ExitProcess,memset,GetModuleFileNameA,SHGetSpecialFolderPathA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,Sleep, 0_2_10003EC4

Hooking and other Techniques for Hiding and Protection:

Contains functionality to clear windows event logs (to hide its activities)
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_1000201D OpenEventLogA,ClearEventLogA,CloseEventLog, 0_2_1000201D
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00406182 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00406182
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_004191A0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 0_2_004191A0
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_004189F0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 0_2_004189F0
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00427B48 IsWindowVisible,IsIconic, 0_2_00427B48
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00423BA4 GetParent,GetParent,GetParent,IsIconic, 0_2_00423BA4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_10004D19 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA, 0_2_10004D19
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\666.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\666.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\666.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\666.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\666.exe TID: 6328 Thread sleep count: 185 > 30
Source: C:\Users\user\Desktop\666.exe TID: 6328 Thread sleep time: -92500s >= -30000s
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\666.exe Evasive API call chain: GetLocalTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\666.exe Last function: Thread delayed
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\666.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\666.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00403FA0 GetSystemInfo,Sleep,Sleep,Sleep,Sleep,Sleep, 0_2_00403FA0
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_004221FD FindFirstFileA,FindClose, 0_2_004221FD
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00421E04 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00421E04
Source: C:\Users\user\Desktop\666.exe API call chain: ExitProcess graph end node
Source: 666.exe, 00000000.00000003.232567350.0000000000801000.00000004.00000001.sdmp, 666.exe, 00000000.00000003.232629229.0000000000801000.00000004.00000001.sdmp, 666.exe, 00000000.00000002.497650244.00000000007AC000.00000004.00000020.sdmp, 666.exe, 00000000.00000002.497845242.0000000000801000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 666.exe, 00000000.00000002.497671581.00000000007B4000.00000004.00000001.sdmp, 666.exe, 00000000.00000003.232507176.00000000007B3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWj

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0041F585 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 0_2_0041F585
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_1000474B VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,memcpy, 0_2_1000474B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00404100 mov eax, dword ptr fs:[00000030h] 0_2_00404100
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00411FCA SetUnhandledExceptionFilter, 0_2_00411FCA
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00411FDC SetUnhandledExceptionFilter, 0_2_00411FDC
Source: 666.exe, 00000000.00000002.497952428.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 666.exe, 00000000.00000002.497952428.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 666.exe, 00000000.00000002.497952428.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: 666.exe, 00000000.00000002.497952428.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: 666.exe, 00000000.00000002.497952428.0000000000DF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00403FE0 GetLocalTime,GetLocalTime,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,GetLocalTime, 0_2_00403FE0
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00414C63 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_00414C63
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_004292E0 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 0_2_004292E0

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: kxetray.exe
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: 666.exe, 666.exe, 00000000.00000002.497269142.000000000019C000.00000004.00000001.sdmp Binary or memory string: AVP.EXE
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: rtvscan.exe
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: 360tray.exe
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: TMBMSRV.exe
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: ashDisp.exe
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: AYAgent.aye
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: QUHLPSVC.EXE
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: RavMonD.exe
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: Mcshield.exe
Source: 666.exe, 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, 666.exe, 00000000.00000002.498538770.0000000010008000.00000004.00000001.sdmp Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information:

Yara detected Young Lotus
Source: Yara match File source: 0.2.666.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.666.exe.43963c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.666.exe.43963c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.666.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Young Lotus
Source: Yara match File source: 0.2.666.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.666.exe.43963c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.666.exe.43963c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.666.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.497429817.0000000000439000.00000004.00020000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_0042B665 htonl,htons,bind,inet_addr,WSASetLastError, 0_2_0042B665
Source: C:\Users\user\Desktop\666.exe Code function: 0_2_00402920 listen,GetActiveWindow,MessageBoxA, 0_2_00402920