Lethic gains access to a system via attachments in spam emails.
Upon execution, Lethic first checks for the presence of a virtual or debugging environment. If one is found, it terminates itself to evade detection and analysis.
If no virtual or debugging environment is found, it adds a registry key to gain persistence and then locates the explorer.exe process in order to inject malicious code into it. It also creates a mutual exclusion object (mutex) in the injected process to ensure that only one instance of itself is running.
Afterwards, it tries to connect to a malicious command and control (C&C) server using the Winsock API and then waits for further instructions.
Lethic adds the following registry keys to run during startup:
Data: [dropped_path and filename].exe
It connects to the following remote server:
- It also connects to multiple IP addresses via TCP port 25.
Lethic is capable of performing these tasks:
- Checks for virtual and debugging environments by looking for the following running processes:
  - Regmon.exe, filemon.exe, procdump.exe, procexp.exe, wireshark.exe, prcview.exe, sysinspector.exe, sniff_hit.exe, proc_watch.exe, apimonitor.exe, tcpview.exe, petools.exe, vmtoolsd.exe, autoruns.exe, vmusrvc.exe, vmsrvc.exe, xsvc_depriv.exe, xenservice.exe
- Checks whether it is being debugged or sandboxed by testing whether any of the following DLL files exist:
  - api_log.dll, log_api32.dll, dir_watch.dll, pstorec.dll, vmcheck.dll, wpespy.dll, snxhk.dll
- Checks the username for these matches:
  - MALTEST, TEQUILABOOMBOOM, SANDBOX, VIRUS, MALWARE
- Checks whether the file path contains any of these strings:
  - SAMPLE, MALWARE, SANDBOX, VIRUS
- Checks multiple registry keys for the following virtual environments:
  - QEMU, VMWARE, VBOX, BOCHS
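An analyst preparing a sandbox wants to know which of the artifacts above would make the sample exit before it runs. The following script is an added example, not code from the original page: it audits a constructed snapshot of an analysis VM (the `HostSnapshot` fields, `lethic_triggers` and `would_run` are assumptions introduced here) against the indicator lists from the page and reports every check that would fire, treating name comparisons as case-insensitive and the username, path and registry markers as substrings.

```python
"""Audit an analysis-VM snapshot against the environment checks Lethic makes.
Added example (not from the page): shows which indicators listed above would
make the sample exit. The snapshot is constructed; fill it from a real VM."""
from __future__ import annotations
from dataclasses import dataclass
# Indicator lists taken from the page (lowercase names, uppercase markers)
ANALYSIS_PROCESSES = {
    "regmon.exe", "filemon.exe", "procdump.exe", "procexp.exe", "wireshark.exe",
    "prcview.exe", "sysinspector.exe", "sniff_hit.exe", "proc_watch.exe",
    "apimonitor.exe", "tcpview.exe", "petools.exe", "vmtoolsd.exe", "autoruns.exe",
    "vmusrvc.exe", "vmsrvc.exe", "xsvc_depriv.exe", "xenservice.exe"}
SANDBOX_DLLS = {"api_log.dll", "log_api32.dll", "dir_watch.dll", "pstorec.dll",
                "vmcheck.dll", "wpespy.dll", "snxhk.dll"}
USERNAME_MARKERS = ("MALTEST", "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE")
PATH_MARKERS = ("SAMPLE", "MALWARE", "SANDBOX", "VIRUS")
VM_MARKERS = ("QEMU", "VMWARE", "VBOX", "BOCHS")

@dataclass
class HostSnapshot:
    processes: list[str]        # image names of running processes
    dlls: list[str]             # DLL names present on the host
    username: str
    sample_path: str            # where the sample sits on disk
    registry_values: list[str]  # strings read from hardware/driver registry keys

def lethic_triggers(snap: HostSnapshot) -> dict[str, list[str]]:
    """Per check, the indicators that would make Lethic terminate itself.
    Assumption: names compare case-insensitively, markers match as substrings."""
    hits = {
        "process": sorted({p.lower() for p in snap.processes} & ANALYSIS_PROCESSES),
        "dll": sorted({d.lower() for d in snap.dlls} & SANDBOX_DLLS),
        "username": [m for m in USERNAME_MARKERS if m in snap.username.upper()],
        "path": [m for m in PATH_MARKERS if m in snap.sample_path.upper()],
        "registry": [m for m in VM_MARKERS
                     if any(m in v.upper() for v in snap.registry_values)],
    }
    return {check: found for check, found in hits.items() if found}

def would_run(snap: HostSnapshot) -> bool:
    # True when no check fires, i.e. the sample would go on to inject explorer.exe
    return not lethic_triggers(snap)

# Constructed snapshot of a carelessly prepared analysis VM
SAMPLE_VM = HostSnapshot(
    processes=["explorer.exe", "vmtoolsd.exe", "Wireshark.exe"],
    dlls=["kernel32.dll", "snxhk.dll"],
    username="Sandbox",
    sample_path=r"C:\Users\Sandbox\Desktop\malware\sample.exe",
    registry_values=["VMware Virtual IDE Hard Drive", "VMware SVGA 3D"])
if __name__ == "__main__":
    for check, found in lethic_triggers(SAMPLE_VM).items():
        print(f"{check}: {', '.join(found)}")  # each line is an artifact to remove
```

Each reported line is one artifact to rename, stop or hide before detonating the sample; an empty report means none of the page's checks would trigger.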
Analysis on file: 7a60ae98b7707de05764d78d508dc3bc946d3108