Report - rlmp32wlve.dll

UPX DLL PE32 PE File
Created 2023.03.10 11:02 Machine s1_win7_x6403
Filename rlmp32wlve.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score 4
Behavior Score 4.4
ZERO API file : malware
VT API (file) 20 detected (malicious, high confidence, Artemis, Vfwd, Attribute, HighConfidence, ClipBanker, score, ccnc, Generic ML PUA, Virut, unsafe, R002H0DC923, Generic@AI, RDML, QM48sMW3otw3VtgOjjqoyg, PossibleThreat, PALLASNET)
md5 543f45c69c8be4abd29e2b578bf26613
sha256 340e98f83d47ba0a82f5894a0c4c4b8f689f37b0ee576b23c98f4099add95814
ssdeep 24576:aFNlSvUP/vMi2iERd853k2MImAtcp3vsnNIJLsAc+u5h7g3vIpU9dHhXZREOSg8u:aFlXkXii2j2JLtu5tg3uy8f2
imphash a2833106949ae6e20c40ed0128f9df4b
impfuzzy 3:sU9KTXzhAXwWBJAEPwEBJJ67EGVn:HGDYBJAEtmVn

Signature (11cnts)

Level Description
warning File has been identified by 20 AntiVirus engines on VirusTotal as malicious
watch A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations.
watch Checks for the presence of known devices from debuggers and forensic tools
notice Allocates read-write-execute memory (usually to unpack itself)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computer name
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts)

Request CC ASN Co IP4 Rule ZERO
http://nerf-0148-unknown.guru/bot/regex RU Psk-set LLC 79.137.195.205 27575 mailcious
http://nerf-0148-unknown.guru/bot/online?guid=TEST22-PC\\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34 RU Psk-set LLC 79.137.195.205 27576 mailcious
nerf-0148-unknown.guru RU Psk-set LLC 79.137.195.205 mailcious
79.137.195.205 RU Psk-set LLC 79.137.195.205 mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x10034028 GetProcAddress
 0x1003402c LoadLibraryA
 0x10034030 VirtualAlloc
 0x10034034 VirtualFree

EAT(Export Address Table) Library

0x100026d0 Entry

