popup

Report - leafgrey.exe

UPX Malicious Library Antivirus PE32 PE File MSOffice File OS Processor Check DLL icon
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.04.10 09:50 Machine s1_win7_x6403
Filename leafgrey.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
18.4
ZERO API file : malware
VT API (file) 53 detected (AIDetectNet, Zusy, malicious, high confidence, Sabsik, unsafe, Danabot, Vct4, confidence, 100%, ABRisk, JQCG, score, Agentb, lbtu, ccmw, DropperX, Gmnw, eevhh, Siggen20, Artemis, high, Malware@#3an1r0ta0jfcc, Detected, Malpacked6, R545262, ai score=87, BScope, Wacatac, R002H0CD723, c0118Oyd3vO, susgen)
md5 16b67de79530a182c3e49ae82bb5f337
sha256 db086d3a605b003097b60b57556386d8e7044578dcbe734ed1bc188d4f95ff1e
ssdeep 24576:c5HAZujXKrsacTGwNG8mKYQoaZx1Plx96:c5HH7Krs3Tr1DZZx9
imphash 0621e8c019dc6be57d313b9281743d20
impfuzzy 3:sn07Oc0J1MO/Oyw3AJA+mwSKWRAqX+JSECOyLsS9KTXzhAXwWBJAGvbAJdX0JEBM:9OTZ/OIA+mb5XBGDYBJAGvYFmViJqB82
  Network IP location

Signature (39cnts)

Level Description
danger File has been identified by 53 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
warning Stops Windows services
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch Attempts to create or modify system certificates
watch Attempts to disable browser security warnings
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch Installs itself for autorun at Windows startup
watch One or more of the buffers contains an embedded PE file
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a service
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Starts servers listening
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (11cnts)

Level Name Description Collection
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info icon_file_format icon file format binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (7cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://176.113.115.25/bot/regex
whois
RU OOO Network of data-centers Selectel 176.113.115.25 clean
http://176.113.115.25/bot/online?guid=TEST22-PC\\test22&key=f91c75a2c5026af6018d7440b3cc6388f9e5424369f44512d073daee9d5318de
whois
RU OOO Network of data-centers Selectel 176.113.115.25 clean
https://176.113.115.21/V/sdkk5ywn1w/+iBH32vcXr87CL+YROcC3SO1z8sYve4b76amRKql5QDggj0I2AbinPxGpJbUpQllBVERtRx9KxUVyC8nK1a/109MZIB7ehXnhRA3u3fF/IMK5Pu2eHFKgJD6GNFhhJ8ea3akdd9FiO9eshpO8O7kUDRwSFsJBldB2jRI6xHsPmDHX7HIWLDBV7oSpPsNqfwQg==
whois
RU OOO Network of data-centers Selectel 176.113.115.21 clean
176.113.115.21
whois
RU OOO Network of data-centers Selectel 176.113.115.21 clean
176.113.115.25
whois
RU OOO Network of data-centers Selectel 176.113.115.25 clean
165.143.163.99
whois
ZA TIENET 165.143.163.99 clean
14.227.106.38
whois
VN VNPT Corp 14.227.106.38 clean

Suricata ids

ET MALWARE Laplas Clipper - SetOnline CnC Checkin

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x4c5000 DeleteFileW
 0x4c5004 ExitProcess
 0x4c5008 FreeLibrary
 0x4c500c GetLastError
 0x4c5010 GetLocalTime
 0x4c5014 GetProcAddress
 0x4c5018 LoadLibraryW
 0x4c501c Sleep
 0x4c5020 VirtualAlloc
 0x4c5024 VirtualFree
msvcrt.dll
 0x4c502c malloc
 0x4c5030 free
 0x4c5034 memcpy

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure