Report - datelog.dll

Backdoor Farfli UPX Malicious Library Malicious Packer Antivirus OS Processor Check DLL PE File PE32
Created 2023.05.20 16:23 Machine s1_win7_x6403
Filename datelog.dll
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
AI Score
7
Behavior Score
4.0
ZERO API file : malware
VT API (file) 54 detected (AIDetectMalware, Farfli, LcPfoPk, Save, malicious, confidence, 100%, ZedlaF, hu4@aGIbXmdi, Eldorado, Attribute, HighConfidence, high confidence, score, Gh0stRAT, Zegost, mttqq, jowlpx, klzeimd, R002C0DEI23, Ransomware, Static AI, Malicious PE, Detected, Magania, R66525, GenericRXRX, ai score=88, Genetic, CLASSIC, susgen)
md5 71c46a859f0729eb66d3fe7a9ae4c4e4
sha256 999eafb11d2d8990f7a5b5b86f4052b8705a8fe0d21ea806d25bcffd54173e73
ssdeep 1536:STHyv5Zb8g9D720iWDrrZDvvyBnzD6nMVV4J1C2cffcWQVGsC/MY:dvj7biWDRvvKPyHyfcW2GsC/H
imphash e3caadd564a0f376a947bee28dccac67
impfuzzy 96:hBcXJyASKtbmMqdOXX1QzLXc+p7OMh6b4p9G:j6bmJdIFKZ6cu
Signature (5cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
info Checks if process is being debugged by a debugger

Rules (9cnts)

Level Name Description Collection
danger Win_Backdoor_Farfli gives threat-actors several options of gaining access to the affected system. binaries (upload)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
216.83.59.17 US BGPNET Global ASN 216.83.59.17 malware

PE API

IAT(Import Address Table) Library

WS2_32.dll
 0x100152e8 getsockname
 0x100152ec gethostname
 0x100152f0 socket
 0x100152f4 gethostbyname
 0x100152f8 htons
 0x100152fc connect
 0x10015300 WSAIoctl
 0x10015304 select
 0x10015308 recv
 0x1001530c WSACleanup
 0x10015310 send
 0x10015314 setsockopt
 0x10015318 closesocket
 0x1001531c WSAStartup
SHELL32.dll
 0x10015278 SHChangeNotify
 0x1001527c ShellExecuteExA
 0x10015280 ShellExecuteA
 0x10015284 SHGetSpecialFolderPathA
ADVAPI32.dll
 0x10015000 OpenSCManagerA
 0x10015004 RegSetValueExA
 0x10015008 DeleteService
 0x1001500c OpenEventLogA
 0x10015010 ClearEventLogA
 0x10015014 CloseEventLog
 0x10015018 StartServiceCtrlDispatcherA
 0x1001501c RegisterServiceCtrlHandlerA
 0x10015020 DuplicateTokenEx
 0x10015024 SetTokenInformation
 0x10015028 CreateProcessAsUserA
 0x1001502c SetServiceStatus
 0x10015030 RegOpenKeyExA
 0x10015034 StartServiceA
 0x10015038 CreateServiceA
 0x1001503c LockServiceDatabase
 0x10015040 ChangeServiceConfig2A
 0x10015044 UnlockServiceDatabase
 0x10015048 OpenServiceA
 0x1001504c AdjustTokenPrivileges
 0x10015050 LookupPrivilegeValueA
 0x10015054 OpenProcessToken
 0x10015058 RegCloseKey
 0x1001505c RegQueryValueExA
 0x10015060 RegOpenKeyA
 0x10015064 CloseServiceHandle
KERNEL32.dll
 0x10015074 GetFileType
 0x10015078 GetStartupInfoW
 0x1001507c FreeEnvironmentStringsW
 0x10015080 GetEnvironmentStringsW
 0x10015084 QueryPerformanceCounter
 0x10015088 GetCurrentProcessId
 0x1001508c GetSystemTimeAsFileTime
 0x10015090 HeapSize
 0x10015094 GetStringTypeW
 0x10015098 GetConsoleCP
 0x1001509c GetConsoleMode
 0x100150a0 SetStdHandle
 0x100150a4 FlushFileBuffers
 0x100150a8 WriteConsoleW
 0x100150ac VirtualFree
 0x100150b0 VirtualAlloc
 0x100150b4 CreateEventA
 0x100150b8 WaitForSingleObject
 0x100150bc SetEvent
 0x100150c0 InterlockedExchange
 0x100150c4 CancelIo
 0x100150c8 Sleep
 0x100150cc CloseHandle
 0x100150d0 ResetEvent
 0x100150d4 GlobalUnlock
 0x100150d8 GlobalLock
 0x100150dc FindNextFileA
 0x100150e0 FindFirstFileA
 0x100150e4 GetCurrentProcess
 0x100150e8 GetVersion
 0x100150ec WriteFile
 0x100150f0 DeviceIoControl
 0x100150f4 CreateFileA
 0x100150f8 SetLastError
 0x100150fc LocalFree
 0x10015100 GetLastError
 0x10015104 GlobalAlloc
 0x10015108 LocalAlloc
 0x1001510c ReadFile
 0x10015110 GetFileSize
 0x10015114 GetSystemDirectoryA
 0x10015118 DeleteFileA
 0x1001511c FreeLibrary
 0x10015120 LoadLibraryA
 0x10015124 GetSystemInfo
 0x10015128 lstrlenA
 0x1001512c lstrcpyA
 0x10015130 lstrcatA
 0x10015134 lstrcmpiA
 0x10015138 LoadLibraryW
 0x1001513c GetTickCount
 0x10015140 GetDiskFreeSpaceExA
 0x10015144 GetDriveTypeA
 0x10015148 GlobalMemoryStatusEx
 0x1001514c GetVersionExA
 0x10015150 GetLocalTime
 0x10015154 CreateDirectoryA
 0x10015158 ReleaseMutex
 0x1001515c CreateMutexA
 0x10015160 MoveFileExA
 0x10015164 MoveFileA
 0x10015168 GetModuleFileNameA
 0x1001516c SetFileAttributesA
 0x10015170 CopyFileA
 0x10015174 ExpandEnvironmentStringsA
 0x10015178 SetThreadPriority
 0x1001517c GetCurrentThread
 0x10015180 SetPriorityClass
 0x10015184 GetEnvironmentVariableA
 0x10015188 GetShortPathNameA
 0x1001518c DefineDosDeviceA
 0x10015190 GetFileAttributesA
 0x10015194 CreateFileW
 0x10015198 GetCurrentThreadId
 0x1001519c SetFilePointer
 0x100151a0 CreateProcessA
 0x100151a4 TerminateThread
 0x100151a8 ResumeThread
 0x100151ac VirtualProtect
 0x100151b0 HeapFree
 0x100151b4 GetProcessHeap
 0x100151b8 HeapAlloc
 0x100151bc SetHandleCount
 0x100151c0 VirtualQuery
 0x100151c4 MultiByteToWideChar
 0x100151c8 LCMapStringW
 0x100151cc WideCharToMultiByte
 0x100151d0 IsValidCodePage
 0x100151d4 GetOEMCP
 0x100151d8 GetACP
 0x100151dc GetCPInfo
 0x100151e0 HeapDestroy
 0x100151e4 HeapCreate
 0x100151e8 GetModuleFileNameW
 0x100151ec GetStdHandle
 0x100151f0 TerminateProcess
 0x100151f4 IsDebuggerPresent
 0x100151f8 SetUnhandledExceptionFilter
 0x100151fc UnhandledExceptionFilter
 0x10015200 EnterCriticalSection
 0x10015204 LeaveCriticalSection
 0x10015208 DeleteCriticalSection
 0x1001520c InitializeCriticalSectionAndSpinCount
 0x10015210 InterlockedDecrement
 0x10015214 InterlockedIncrement
 0x10015218 TlsFree
 0x1001521c TlsSetValue
 0x10015220 TlsGetValue
 0x10015224 TlsAlloc
 0x10015228 GetProcAddress
 0x1001522c ExitProcess
 0x10015230 RtlUnwind
 0x10015234 RaiseException
 0x10015238 GetModuleHandleW
 0x1001523c DecodePointer
 0x10015240 HeapReAlloc
 0x10015244 ExitThread
 0x10015248 CreateThread
 0x1001524c GetCommandLineA
 0x10015250 EncodePointer
 0x10015254 IsProcessorFeaturePresent
USER32.dll
 0x1001528c FindWindowA
 0x10015290 GetClassNameA
 0x10015294 GetWindow
 0x10015298 GetKeyState
 0x1001529c GetAsyncKeyState
 0x100152a0 MessageBoxA
 0x100152a4 GetWindowTextA
 0x100152a8 GetInputState
 0x100152ac PostThreadMessageA
 0x100152b0 GetMessageA
 0x100152b4 GetLastInputInfo
 0x100152b8 wsprintfA
 0x100152bc EmptyClipboard
 0x100152c0 SetClipboardData
 0x100152c4 ExitWindowsEx
 0x100152c8 OpenClipboard
 0x100152cc GetClipboardData
 0x100152d0 CloseClipboard
 0x100152d4 SendMessageA
 0x100152d8 IsWindowVisible
 0x100152dc EnumWindows
 0x100152e0 GetForegroundWindow
SETUPAPI.dll
 0x1001525c SetupDiGetClassDevsA
 0x10015260 SetupDiEnumDeviceInfo
 0x10015264 SetupDiGetDeviceRegistryPropertyA
 0x10015268 SetupDiSetClassInstallParamsA
 0x1001526c SetupDiCallClassInstaller
 0x10015270 SetupDiDestroyDeviceInfoList
IPHLPAPI.DLL
 0x1001506c GetIfTable

EAT(Export Address Table) Library

0x10004470 fuckyou