Report - lega.exe

Tags: Generic Malware, UPX, Malicious Library, Malicious Packer, Antivirus, Downloader, Admin Tool (Sysinternals etc ...), OS Processor Check, PE32, PE File, MZP Format, PE64, .NET EXE, DLL
Created 2023.03.13 09:51 Machine s1_win7_x6403
Filename lega.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 11.4
ZERO API file : clean
VT API (file) 48 detected (Doina, Deyma, Save, malicious, confidence, 100%, Genus, Attribute, HighConfidence, high confidence, Amadey, score, jvdhne, Wmhl, Generic ML PUA, MulDrop21, R002C0DCB23, Outbreak, Detected, Artemis, ai score=89, unsafe, REDLINE, YXDCMZ, HlAGNWrdXqP, Static AI, Suspicious PE, susgen, EGTS, ZexaF, ouW@aaXKpqni, GdSda)
md5 5086db99de54fca268169a1c6cf26122
sha256 42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
ssdeep 6144:f36hrz456we4lz7zzZ5my2IuViMqJnyJQ:Pxpz7LmeuVi3nN
imphash ece97832960209c4f00f3aefed6c0555
impfuzzy 48:6xGXMd+GGOscpe2toS1CM6ZccgTg3IWSqzNWI:tXMHGdcpe2toS1CM6ZctV+v

Signature (28cnts)

Level Description
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Uses suspicious command line tools or Windows utilities
notice A process attempted to delay the analysis task
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process legenda.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info This executable has a PDB path
info Uses Windows APIs to generate a cryptographic key

Rules (20cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (18cnts)

Request CC ASN Co IP4 Rule ZERO
http://62.204.41.88/lend/blueloader.exe Unknown 62.204.41.88 clean
http://62.204.41.87/joomla/index.php Unknown 62.204.41.87 clean
http://179.43.155.247/cc.exe CH Private Layer INC 179.43.155.247 malware
http://62.204.41.87/joomla/Plugins/cred64.dll Unknown 62.204.41.87 clean
http://62.204.41.87/joomla/Plugins/clip64.dll Unknown 62.204.41.87 malware
http://apps.identrust.com/roots/dstrootcax3.p7c US Akamai International B.V. 96.16.99.73 clean
http://downloads.buparts.store/views/download.php?shortURL=DgIz04 RU Beget LLC 87.236.19.211 clean
http://62.204.41.88/lend/Installer.exe Unknown 62.204.41.88 malware
http://downloads.buparts.store/download.php?shortURL=DgIz04 RU Beget LLC 87.236.19.211 clean
downloads.buparts.store RU Beget LLC 87.236.19.211 clean
buparts.store RU Beget LLC 45.130.41.59 clean
62.204.41.88 Unknown 62.204.41.88 malware
62.204.41.87 Unknown 62.204.41.87 malware
121.254.136.27 KR LG DACOM Corporation 121.254.136.27 clean
179.43.155.247 CH Private Layer INC 179.43.155.247 malware
103.114.163.134 SG DEDIPATH-LLC 103.114.163.134 clean
45.130.41.59 RU Beget LLC 45.130.41.59 clean
87.236.19.211 RU Beget LLC 87.236.19.211 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x42e024 GetLastError
 0x42e028 GetFileAttributesA
 0x42e02c CreateFileA
 0x42e030 CloseHandle
 0x42e034 GetSystemInfo
 0x42e038 CreateThread
 0x42e03c HeapAlloc
 0x42e040 GetThreadContext
 0x42e044 GetProcAddress
 0x42e048 VirtualAllocEx
 0x42e04c CopyFileA
 0x42e050 RemoveDirectoryA
 0x42e054 ReadProcessMemory
 0x42e058 GetProcessHeap
 0x42e05c CreateProcessA
 0x42e060 CreateDirectoryA
 0x42e064 SetThreadContext
 0x42e068 WriteConsoleW
 0x42e06c ReadConsoleW
 0x42e070 SetEndOfFile
 0x42e074 SetFilePointerEx
 0x42e078 GetTempPathA
 0x42e07c Sleep
 0x42e080 SetCurrentDirectoryA
 0x42e084 GetModuleHandleA
 0x42e088 GetComputerNameExW
 0x42e08c ResumeThread
 0x42e090 GetVersionExW
 0x42e094 CreateMutexW
 0x42e098 VirtualAlloc
 0x42e09c WriteFile
 0x42e0a0 VirtualFree
 0x42e0a4 HeapFree
 0x42e0a8 WriteProcessMemory
 0x42e0ac GetModuleFileNameA
 0x42e0b0 LocalFree
 0x42e0b4 ReadFile
 0x42e0b8 HeapReAlloc
 0x42e0bc HeapSize
 0x42e0c0 GetTimeZoneInformation
 0x42e0c4 GetConsoleMode
 0x42e0c8 GetConsoleCP
 0x42e0cc FlushFileBuffers
 0x42e0d0 GetStringTypeW
 0x42e0d4 SetEnvironmentVariableW
 0x42e0d8 FreeEnvironmentStringsW
 0x42e0dc GetEnvironmentStringsW
 0x42e0e0 WideCharToMultiByte
 0x42e0e4 GetCPInfo
 0x42e0e8 GetOEMCP
 0x42e0ec GetACP
 0x42e0f0 IsValidCodePage
 0x42e0f4 FindNextFileW
 0x42e0f8 FindFirstFileExW
 0x42e0fc FindClose
 0x42e100 SetStdHandle
 0x42e104 GetFullPathNameW
 0x42e108 GetCurrentDirectoryW
 0x42e10c DeleteFileW
 0x42e110 EnterCriticalSection
 0x42e114 LeaveCriticalSection
 0x42e118 InitializeCriticalSectionAndSpinCount
 0x42e11c DeleteCriticalSection
 0x42e120 SetEvent
 0x42e124 ResetEvent
 0x42e128 WaitForSingleObjectEx
 0x42e12c CreateEventW
 0x42e130 GetModuleHandleW
 0x42e134 UnhandledExceptionFilter
 0x42e138 SetUnhandledExceptionFilter
 0x42e13c GetCurrentProcess
 0x42e140 TerminateProcess
 0x42e144 IsProcessorFeaturePresent
 0x42e148 IsDebuggerPresent
 0x42e14c GetStartupInfoW
 0x42e150 QueryPerformanceCounter
 0x42e154 GetCurrentProcessId
 0x42e158 GetCurrentThreadId
 0x42e15c GetSystemTimeAsFileTime
 0x42e160 InitializeSListHead
 0x42e164 RtlUnwind
 0x42e168 RaiseException
 0x42e16c SetLastError
 0x42e170 EncodePointer
 0x42e174 TlsAlloc
 0x42e178 TlsGetValue
 0x42e17c TlsSetValue
 0x42e180 TlsFree
 0x42e184 FreeLibrary
 0x42e188 LoadLibraryExW
 0x42e18c ExitProcess
 0x42e190 GetModuleHandleExW
 0x42e194 CreateFileW
 0x42e198 GetDriveTypeW
 0x42e19c GetFileInformationByHandle
 0x42e1a0 GetFileType
 0x42e1a4 PeekNamedPipe
 0x42e1a8 SystemTimeToTzSpecificLocalTime
 0x42e1ac FileTimeToSystemTime
 0x42e1b0 GetModuleFileNameW
 0x42e1b4 GetStdHandle
 0x42e1b8 GetCommandLineA
 0x42e1bc GetCommandLineW
 0x42e1c0 MultiByteToWideChar
 0x42e1c4 CompareStringW
 0x42e1c8 LCMapStringW
 0x42e1cc DecodePointer
ADVAPI32.dll
 0x42e000 RegCloseKey
 0x42e004 RegQueryValueExA
 0x42e008 GetUserNameA
 0x42e00c RegSetValueExA
 0x42e010 RegOpenKeyExA
 0x42e014 ConvertSidToStringSidW
 0x42e018 GetUserNameW
 0x42e01c LookupAccountNameW
SHELL32.dll
 0x42e1d4 ShellExecuteA
 0x42e1d8 None
 0x42e1dc SHGetFolderPathA
WININET.dll
 0x42e1e4 HttpOpenRequestA
 0x42e1e8 InternetReadFile
 0x42e1ec InternetConnectA
 0x42e1f0 HttpSendRequestA
 0x42e1f4 InternetCloseHandle
 0x42e1f8 InternetOpenA
 0x42e1fc InternetOpenW
 0x42e200 InternetOpenUrlA

EAT(Export Address Table) is none