
Trojan:W32/Lethic

Classification

Category: Malware
Type: Trojan
Aliases: Trojan.TR/Crypt.XPACK.[variant]

Summary

Lethic is a spambot that constantly connects to a remote server and may download additional malware onto the system it has infected. It uses process injection to place malicious code in explorer.exe and continues its malicious activities from there.

Removal

The F-Secure security product will automatically remove the file.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Infection Vector

Lethic gains access to a system via attachments in spam emails.

Behavior

Upon execution, Lethic first checks for the presence of a virtual or debugging environment. If one is found, it terminates itself to evade detection and analysis.

If no virtual or debugging environment is found, it adds a registry key to gain persistence and then locates the explorer.exe module to inject malicious code into. It also creates a mutual exclusion object (mutex) in the injected process to ensure that only one instance of itself is running.

Afterwards, it tries to connect to a malicious command and control (C&C) server using the Winsock API and then waits for further instructions.

Files created

  • C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196818750\backwindow32.exe

Registry Changes

Lethic adds the following registry keys to run during startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Name: backwindow32
Data: [dropped_path and filename].exe

Network activity

It connects to the following remote server:

  • hxxp://93.190[.]139.161:7700

It also connects to multiple IP addresses via TCP port 25.
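As an added triage example (not part of the F-Secure description), the following PowerShell checks a Windows host for the indicators listed above: the backwindow32 Run/RunOnce value, the dropped file under C:\RECYCLER, and explorer.exe connections to TCP 7700 or TCP 25. It assumes an elevated session on Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available, and should be run in each user profile for the HKCU checks.

```powershell
# Added triage example, not F-Secure's code. Looks for the Lethic indicators
# given in this description; the SID folder under C:\RECYCLER varies per host,
# so the search is by file name rather than the full path.
$findings = @()

# 1. Persistence: Run / RunOnce values named backwindow32 (Registry Changes section)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -eq 'backwindow32' -or "$($p.Value)" -like '*backwindow32.exe*') {
                $findings += "Registry: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Dropped file: any backwindow32.exe under C:\RECYCLER (Files created section)
$recycler = 'C:\RECYCLER'
if (Test-Path $recycler) {
    Get-ChildItem -Path $recycler -Recurse -Filter 'backwindow32.exe' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File: $($_.FullName) ($($_.Length) bytes)" }
}

# 3. Network: explorer.exe is the injection target, so outbound connections from
#    it to the C&C port (7700) or to SMTP (25, spam relaying) are suspicious.
$explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
if ($explorerPids.Count -gt 0) {
    Get-NetTCPConnection -OwningProcess $explorerPids -ErrorAction SilentlyContinue |
        Where-Object { ($_.RemotePort -in @(7700, 25)) -and ($_.State -ne 'Listen') } |
        ForEach-Object {
            $findings += "Network: explorer.exe PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))"
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Lethic indicators from this description were found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A hit on the network check alone warrants a closer look at explorer.exe (for example, its loaded modules and handles) rather than a verdict, since other injected code could produce the same pattern.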

Other Behavior

Lethic is capable of performing these tasks:

  • Check for a virtual or debugging environment by inspecting the running processes for:
  • Check if it is being debugged or sandboxed by checking whether the following DLL files exist:
  • Check the username for these matches:
  • Check the file path for these items:
  • Check multiple registry keys for the following virtual environments:

Analysis on file: 7a60ae98b7707de05764d78d508dc3bc946d3108
