Windows
Analysis Report
Hogwarts Legacy by EMPRESS.exe
Overview
General Information
Detection
Laplas Clipper, Raccoon Stealer v2
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Yara detected Laplas Clipper
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Tries to evade analysis by executing a special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Downloads executable code via HTTP
Entry point lies outside standard sections
Abnormally high CPU usage
Is looking for software installed on the system
Sample file name differs from the original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Drops PE files
Checks if the current process is being debugged
PE file contains more sections than normal
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
  - Hogwarts Legacy by EMPRESS.exe (PID: 5160, cmdline: C:\Users\user\Desktop\Hogwarts Legacy by EMPRESS.exe, MD5: AF7C25D48FA49392D5022B5C2025E89F)
  - RFhezPI4.exe (PID: 5148, cmdline: "C:\Users\user\AppData\Local\Temp\RFhezPI4.exe", MD5: FECCDA803ECE2E7A3B7E9798714AD47E)
  - ntlhost.exe (PID: 2596, cmdline: C:\Users\user\AppData\Roaming\NTSystem\ntlhost.exe, MD5: 45EB35B41FBB23A4B17B5C5AA7457046)
  - ntlhost.exe (PID: 5464, cmdline: "C:\Users\user\AppData\Roaming\NTSystem\ntlhost.exe", MD5: 45EB35B41FBB23A4B17B5C5AA7457046)
- cleanup
{
"C2 url": [
"http://185.223.93.251/bot/online",
"http://185.223.93.251/bot/"
]
}
{
"C2 url": [
"http://94.142.138.85/"
],
"Bot ID": "f566f62bc780e31e03848452561e1d60",
"RC4_key1": "f566f62bc780e31e03848452561e1d60"
}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | |
| | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | |
| | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | |
| | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | |
| | JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | |
No Sigma rule has matched
Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | SID | Classtype |
---|---|---|---|---|---|---|---|
02/22/23-21:34:12.422036 | 192.168.2.3 | 49699 | 94.142.138.85 | 80 | TCP | 2044134 | A Network Trojan was detected |
02/22/23-21:34:09.922016 | 94.142.138.85 | 80 | 192.168.2.3 | 49699 | TCP | 2036955 | A Network Trojan was detected |
02/22/23-21:34:14.235342 | 192.168.2.3 | 49699 | 94.142.138.85 | 80 | TCP | 2044135 | A Network Trojan was detected |
02/22/23-21:34:09.766275 | 192.168.2.3 | 49699 | 94.142.138.85 | 80 | TCP | 2036934 | A Network Trojan was detected |
02/22/23-21:34:48.455602 | 192.168.2.3 | 49702 | 104.193.254.97 | 80 | TCP | 2044134 | A Network Trojan was detected |
- AV Detection
- Compliance
- Spreading
- Networking
- Spam, unwanted Advertisements and Ransom Demands
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection

Source |
---|
Virustotal |
Avira URL Cloud |
Avira URL Cloud |
Avira URL Cloud |
Avira URL Cloud |
Avira URL Cloud |
Avira |
Avira |
ReversingLabs |
Joe Sandbox ML |
Joe Sandbox ML |
Malware Configuration Extractor |
Malware Configuration Extractor |
Static PE information |
Binary string |
Binary string |
Binary string |
Binary string |
Binary string |
Binary string |
Binary string |
Binary string |
File opened |
File opened |
File opened |
File opened |
File opened |
File opened |
Networking

Source |
---|
Snort IDS |
Snort IDS |
Snort IDS |
Snort IDS |
Snort IDS |
URLs |
ASN Name |
IP Address |
IP Address |
HTTP traffic detected |