Report - newlege.exe

RedLine stealer[m] PWS Loki[b] Loki.m RAT .NET framework Malicious Library Malicious Packer UPX Admin Tool (Sysinternals etc ...) VMProtect Create Service Escalate privileges AntiDebug AntiVM PE32 OS Processor Check PE File DLL .NET EXE PE64 JPEG Fo
Created 2022.12.07 15:51 Machine s1_win7_x6403
Filename newlege.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 19.4
ZERO API file: clean
VT API (file) 49 detected (Lazy, Unsafe, Save, Amadey, malicious, ZexaF, puW@a4I5Xbhi, Eldorado, Attribute, HighConfidence, high confidence, YXCLDZ, Deyma, score, BotX, Rsmw, MulDrop21, NetLoader, Static AI, Malicious PE, S + Mal, Horst, Redcap, rraiy, kcloud, Detected, GenericRXUP, ai score=80, CLsQ6OOtGZT, susgen, EGTS, GdSda)
md5 065ee41f9a4f66bd96f0448d68cc4178
sha256 be91543d87f31d5bab7129c8bc63646ccc7c6aacabfa527ef4642a386145334c
ssdeep 6144:QuipnySnYTepzkqldDIM4z9ujpdD5LGS:QbVlmM+ujpdDAS
imphash 8e8ff15d652fa4cfc3097ccc64aa2fa0
impfuzzy 48:4NGXVbLJGGOBtdS1CM2c+ppZccgTg3ISF57fwSqzNW/wPg:hXVMGAtdS1CM2c+ppZct+D+Okg

Signature (41 counts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to identify installed AV products by installation directory
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Disables proxy possibly for traffic interception
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
watch Harvests information related to installed instant messenger clients
watch Installs itself for autorun at Windows startup
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process gntuud.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (32 counts)

Level Name Description Collection
danger RedLine_Stealer_m_Zero RedLine stealer memory
danger Win32_PWS_Loki_Zero Win32 PWS Loki binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate privileges memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (19 counts)

Request CC ASN Co IP4 Rule ZERO
http://www.time4unow.com/wp-content/file.exe US Host Europe GmbH 160.153.129.228 clean
http://byh.ajn322bb.com/files/pe/pb1109.exe US CLOUDFLARENET 104.21.25.158 clean
http://62.204.41.6/p9cWxH/Plugins/cred64.dll Unknown 62.204.41.6 clean
http://31.41.244.188/lego/5jk29l2fg.exe RU LLC Aeroexpress 31.41.244.188 malware
http://62.204.41.6/p9cWxH/index.php Unknown 62.204.41.6 clean
http://31.41.244.188/miha/wish.exe RU LLC Aeroexpress 31.41.244.188 malware
http://62.204.41.6/p9cWxH/index.php?scr=1 Unknown 62.204.41.6 clean
http://31.41.244.188/new/linda5.exe RU LLC Aeroexpress 31.41.244.188 24510 malware
http://31.41.244.188/ano/anon.exe RU LLC Aeroexpress 31.41.244.188 malware
byh.ajn322bb.com US CLOUDFLARENET 172.67.134.92 malware
www.time4unow.com US Host Europe GmbH 160.153.129.228 malware
jamesmillion.xyz US DATAWAGON 104.192.2.242 malicious
185.106.92.214 RU NTX Technologies s.r.o. 185.106.92.214 clean
104.192.2.242 US DATAWAGON 104.192.2.242 malicious
62.204.41.6 Unknown 62.204.41.6 clean
160.153.129.228 US Host Europe GmbH 160.153.129.228 malware
31.41.244.14 RU LLC Aeroexpress 31.41.244.14 malicious
31.41.244.188 RU LLC Aeroexpress 31.41.244.188 malware
104.21.25.158 US CLOUDFLARENET 104.21.25.158 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x42f040 CopyFileA
 0x42f044 GetLastError
 0x42f048 GetFileAttributesA
 0x42f04c CreateFileA
 0x42f050 CloseHandle
 0x42f054 GetSystemInfo
 0x42f058 CreateThread
 0x42f05c HeapAlloc
 0x42f060 GetThreadContext
 0x42f064 GetProcAddress
 0x42f068 VirtualAllocEx
 0x42f06c GetTempPathA
 0x42f070 RemoveDirectoryA
 0x42f074 ReadProcessMemory
 0x42f078 GetProcessHeap
 0x42f07c CreateProcessA
 0x42f080 CreateDirectoryA
 0x42f084 SetThreadContext
 0x42f088 WriteConsoleW
 0x42f08c ReadConsoleW
 0x42f090 SetEndOfFile
 0x42f094 HeapReAlloc
 0x42f098 HeapSize
 0x42f09c Sleep
 0x42f0a0 SetCurrentDirectoryA
 0x42f0a4 GetModuleHandleA
 0x42f0a8 ResumeThread
 0x42f0ac SuspendThread
 0x42f0b0 GetComputerNameExW
 0x42f0b4 GetVersionExW
 0x42f0b8 CreateMutexW
 0x42f0bc VirtualAlloc
 0x42f0c0 WriteFile
 0x42f0c4 VirtualFree
 0x42f0c8 HeapFree
 0x42f0cc WriteProcessMemory
 0x42f0d0 GetModuleFileNameA
 0x42f0d4 LocalFree
 0x42f0d8 ReadFile
 0x42f0dc SetFilePointerEx
 0x42f0e0 GetTimeZoneInformation
 0x42f0e4 GetConsoleMode
 0x42f0e8 GetConsoleCP
 0x42f0ec FlushFileBuffers
 0x42f0f0 GetStringTypeW
 0x42f0f4 SetEnvironmentVariableW
 0x42f0f8 FreeEnvironmentStringsW
 0x42f0fc GetEnvironmentStringsW
 0x42f100 WideCharToMultiByte
 0x42f104 GetCPInfo
 0x42f108 GetOEMCP
 0x42f10c GetACP
 0x42f110 IsValidCodePage
 0x42f114 FindNextFileW
 0x42f118 FindFirstFileExW
 0x42f11c FindClose
 0x42f120 SetStdHandle
 0x42f124 GetFullPathNameW
 0x42f128 GetCurrentDirectoryW
 0x42f12c DeleteFileW
 0x42f130 DecodePointer
 0x42f134 UnhandledExceptionFilter
 0x42f138 SetUnhandledExceptionFilter
 0x42f13c GetCurrentProcess
 0x42f140 TerminateProcess
 0x42f144 IsProcessorFeaturePresent
 0x42f148 IsDebuggerPresent
 0x42f14c GetStartupInfoW
 0x42f150 GetModuleHandleW
 0x42f154 QueryPerformanceCounter
 0x42f158 GetCurrentProcessId
 0x42f15c GetCurrentThreadId
 0x42f160 GetSystemTimeAsFileTime
 0x42f164 InitializeSListHead
 0x42f168 RtlUnwind
 0x42f16c RaiseException
 0x42f170 SetLastError
 0x42f174 EncodePointer
 0x42f178 EnterCriticalSection
 0x42f17c LeaveCriticalSection
 0x42f180 DeleteCriticalSection
 0x42f184 InitializeCriticalSectionAndSpinCount
 0x42f188 TlsAlloc
 0x42f18c TlsGetValue
 0x42f190 TlsSetValue
 0x42f194 TlsFree
 0x42f198 FreeLibrary
 0x42f19c LoadLibraryExW
 0x42f1a0 ExitProcess
 0x42f1a4 GetModuleHandleExW
 0x42f1a8 CreateFileW
 0x42f1ac GetDriveTypeW
 0x42f1b0 GetFileInformationByHandle
 0x42f1b4 GetFileType
 0x42f1b8 PeekNamedPipe
 0x42f1bc SystemTimeToTzSpecificLocalTime
 0x42f1c0 FileTimeToSystemTime
 0x42f1c4 GetModuleFileNameW
 0x42f1c8 GetStdHandle
 0x42f1cc GetCommandLineA
 0x42f1d0 GetCommandLineW
 0x42f1d4 MultiByteToWideChar
 0x42f1d8 CompareStringW
 0x42f1dc LCMapStringW
USER32.dll
 0x42f1f4 GetSystemMetrics
 0x42f1f8 ReleaseDC
 0x42f1fc GetDC
GDI32.dll
 0x42f028 CreateCompatibleBitmap
 0x42f02c SelectObject
 0x42f030 CreateCompatibleDC
 0x42f034 DeleteObject
 0x42f038 BitBlt
ADVAPI32.dll
 0x42f000 RegCloseKey
 0x42f004 RegGetValueA
 0x42f008 RegQueryValueExA
 0x42f00c GetUserNameA
 0x42f010 RegSetValueExA
 0x42f014 RegOpenKeyExA
 0x42f018 ConvertSidToStringSidW
 0x42f01c GetUserNameW
 0x42f020 LookupAccountNameW
SHELL32.dll
 0x42f1e4 ShellExecuteA
 0x42f1e8 None
 0x42f1ec SHGetFolderPathA
WININET.dll
 0x42f204 HttpOpenRequestA
 0x42f208 InternetOpenUrlW
 0x42f20c InternetReadFile
 0x42f210 InternetConnectA
 0x42f214 HttpSendRequestA
 0x42f218 InternetCloseHandle
 0x42f21c InternetOpenA
 0x42f220 HttpAddRequestHeadersA
 0x42f224 HttpSendRequestExW
 0x42f228 HttpEndRequestW
 0x42f22c InternetOpenW
 0x42f230 InternetOpenUrlA
 0x42f234 InternetWriteFile
gdiplus.dll
 0x42f23c GdipSaveImageToFile
 0x42f240 GdipGetImageEncodersSize
 0x42f244 GdipDisposeImage
 0x42f248 GdipCreateBitmapFromHBITMAP
 0x42f24c GdipGetImageEncoders
 0x42f250 GdiplusShutdown
 0x42f254 GdiplusStartup

EAT (Export Address Table): none
