popup

Report - linesloters.png

Malicious Library AntiDebug AntiVM PE File OS Processor Check PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.09 09:04 Machine s1_win7_x6401
Filename linesloters.png
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
 Behavior Score
10.4
ZERO API file : clean
VT API (file)
md5 ec330c275ef5bc70e187e7d167b03484
sha256 3aede78a6c1215c602afa1d2b7ae1ade55446aebc35f346e88694359bf275d78
ssdeep 6144:CC8ByNfLHaa7hrsFVgbtpGVeUQJIjuixao4JSNnSHC0GC:CC8sLzhOVgbtpCxuQJ6S6C0G
imphash f0a8eb41d24ad89438ac877cb3e4bfaf
impfuzzy 24:RIJ39Ob+rqOovvkEkJ3zD+tgjHRnlyv95T4zxOadRTcKdbUFu:RS9zNZ2tghK95czvkKdoFu
  Network IP location

Signature (22cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info This executable has a PDB path

Rules (12cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (17cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://icanhazip.com/
whois
US CLOUDFLARENET 104.18.6.156 clean
https://185.56.175.122/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/14/user/test22/0/
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/5/file/
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/3sJT83o5WJMcS5vFWYdczdMViZ/
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/14/NAT%20status/client%20is%20behind%20NAT/0/
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://179.189.229.254/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/tHiBidsluI48eG4clGcD6KL/
whois
BR America-NET Ltda. 179.189.229.254 clean
https://179.189.229.254/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CAnyLiteGamesFXVN%5Clinesloters.exe/0/
whois
BR America-NET Ltda. 179.189.229.254 clean
https://182.253.210.130/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/5/pwgrabb64/
whois
ID BIZNET NETWORKS 182.253.210.130 3682 clean
https://185.56.175.122/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
https://185.56.175.122/rob129/TEST22-PC_W617601.99B3C97B5F99BD1F3B34A1F586177F69/10/62/XFNRLHZRPDJ/7/
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 clean
icanhazip.com
whois
US CLOUDFLARENET 104.18.7.156 clean
104.18.7.156
whois
US CLOUDFLARENET 104.18.7.156 clean
179.189.229.254
whois
BR America-NET Ltda. 179.189.229.254 mailcious
185.56.175.122
whois
PL Virtuaoperator Sp. z o.o. 185.56.175.122 mailcious
194.146.249.137
whois
PL Virtuaoperator Sp. z o.o. 194.146.249.137 mailcious
182.253.210.130
whois
ID BIZNET NETWORKS 182.253.210.130 mailcious
79.106.115.107
whois
AL Albtelecom Sh.a. 79.106.115.107 mailcious

Suricata ids

ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET POLICY curl User-Agent Outbound
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x408000 FindResourceA
 0x408004 lstrlenA
 0x408008 LoadResource
 0x40800c SetConsoleTextAttribute
 0x408010 FormatMessageA
 0x408014 Sleep
 0x408018 SizeofResource
 0x40801c GetStdHandle
 0x408020 GetLastError
 0x408024 VirtualAlloc
 0x408028 GetConsoleScreenBufferInfo
 0x40802c LocalAlloc
 0x408030 LockResource
 0x408034 LocalFree
 0x408038 HeapReAlloc
 0x40803c HeapAlloc
 0x408040 RtlUnwind
 0x408044 WideCharToMultiByte
 0x408048 GetCommandLineA
 0x40804c HeapSetInformation
 0x408050 GetStartupInfoW
 0x408054 GetCPInfo
 0x408058 InterlockedIncrement
 0x40805c InterlockedDecrement
 0x408060 GetACP
 0x408064 GetOEMCP
 0x408068 IsValidCodePage
 0x40806c EncodePointer
 0x408070 TlsAlloc
 0x408074 TlsGetValue
 0x408078 TlsSetValue
 0x40807c DecodePointer
 0x408080 TlsFree
 0x408084 GetModuleHandleW
 0x408088 SetLastError
 0x40808c GetCurrentThreadId
 0x408090 GetCurrentThread
 0x408094 GetProcAddress
 0x408098 UnhandledExceptionFilter
 0x40809c SetUnhandledExceptionFilter
 0x4080a0 IsDebuggerPresent
 0x4080a4 TerminateProcess
 0x4080a8 GetCurrentProcess
 0x4080ac ExitProcess
 0x4080b0 WriteFile
 0x4080b4 GetModuleFileNameW
 0x4080b8 GetModuleFileNameA
 0x4080bc FreeEnvironmentStringsW
 0x4080c0 GetEnvironmentStringsW
 0x4080c4 SetHandleCount
 0x4080c8 InitializeCriticalSectionAndSpinCount
 0x4080cc GetFileType
 0x4080d0 DeleteCriticalSection
 0x4080d4 HeapCreate
 0x4080d8 HeapDestroy
 0x4080dc QueryPerformanceCounter
 0x4080e0 GetTickCount
 0x4080e4 GetCurrentProcessId
 0x4080e8 GetSystemTimeAsFileTime
 0x4080ec LCMapStringW
 0x4080f0 MultiByteToWideChar
 0x4080f4 GetStringTypeW
 0x4080f8 LeaveCriticalSection
 0x4080fc FatalAppExitA
 0x408100 EnterCriticalSection
 0x408104 HeapFree
 0x408108 IsProcessorFeaturePresent
 0x40810c GetLocaleInfoW
 0x408110 SetConsoleCtrlHandler
 0x408114 FreeLibrary
 0x408118 InterlockedExchange
 0x40811c LoadLibraryW
 0x408120 HeapSize
USER32.dll
 0x408128 GetSystemMetrics
 0x40812c RedrawWindow

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure