ScreenShot
| Created | 2024.01.17 08:24 | Machine | s1_win7_x6403 |
| Filename | liva.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 45 detected (AIDetectMalware, RisePro, Windows, Threat, Malicious, score, TrojanAitInject, GenericRXAA, unsafe, Zusy, V7oa, Genus, Attribute, HighConfidence, ADVG, TrojanX, TrojanPSW, RiseProStealer, kgujrs, CLASSIC, Nekark, hegsr, Siggen23, R630829, ZexaF, Cv0@ayCdv2gk, GdSda, Gencirc, Static AI, Suspicious PE, susgen, confidence) | ||
| md5 | fb987f700ecaba1d1bced04a45c572e8 | ||
| sha256 | 0742fbe471be70d2879753f3e87a31201eb452cd8388d7140e3f68875491233c | ||
| ssdeep | 24576:nUalkVcJGB7FyCTEaYtT9SfVK5Y3IexDzSf3Z8MQQvTICTNisPUXl7TP8o1Cl8:nyWJG7yUVYtT8RSPKqvTVTLs9TP8o1Cm | ||
| imphash | 96fa9927288c4f8325d3528d85326fb2 | ||
| impfuzzy | 96:tjEtkzwbKPc+p7tGOWqLed6wVmGGFWkOx8lbxrXuAln:yuzWctGH/9IW18Cy | ||
Network IP location
Signature (42cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Attempts to create or modify system certificates |
| watch | Checks the CPU name from registry |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Installs itself for autorun at Windows startup |
| watch | Network activity contains more than one unique useragent |
| watch | One or more non-whitelisted processes were created |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | An executable file was downloaded by the process liva.exe |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (25cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | EnigmaProtector_IN | EnigmaProtector | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | zip_file_format | ZIP file format | binaries (download) |
Network (36cnts) ?
Suricata ids
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET MALWARE Suspected RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x52e050 GetVolumeInformationA
0x52e054 WaitForSingleObject
0x52e058 LocalAlloc
0x52e05c GetCurrentThreadId
0x52e060 GetModuleHandleA
0x52e064 GetLocaleInfoA
0x52e068 OpenProcess
0x52e06c CreateToolhelp32Snapshot
0x52e070 MultiByteToWideChar
0x52e074 Sleep
0x52e078 GetTempPathA
0x52e07c GetModuleHandleExA
0x52e080 GetTimeZoneInformation
0x52e084 GetTickCount64
0x52e088 CopyFileA
0x52e08c GetLastError
0x52e090 GetFileAttributesA
0x52e094 TzSpecificLocalTimeToSystemTime
0x52e098 CreateFileA
0x52e09c SetEvent
0x52e0a0 TerminateThread
0x52e0a4 LoadLibraryA
0x52e0a8 GetVersionExA
0x52e0ac DeleteFileA
0x52e0b0 Process32Next
0x52e0b4 CloseHandle
0x52e0b8 GetSystemInfo
0x52e0bc CreateThread
0x52e0c0 ResetEvent
0x52e0c4 GetWindowsDirectoryA
0x52e0c8 HeapAlloc
0x52e0cc SetFileAttributesA
0x52e0d0 GetLocalTime
0x52e0d4 GetProcAddress
0x52e0d8 VirtualAllocEx
0x52e0dc LocalFree
0x52e0e0 IsProcessorFeaturePresent
0x52e0e4 GetFileSize
0x52e0e8 RemoveDirectoryA
0x52e0ec ReadProcessMemory
0x52e0f0 GetCurrentProcessId
0x52e0f4 GetProcessHeap
0x52e0f8 GlobalMemoryStatusEx
0x52e0fc FreeLibrary
0x52e100 WideCharToMultiByte
0x52e104 CreateRemoteThread
0x52e108 CreateDirectoryA
0x52e10c GetSystemTime
0x52e110 CreateMutexA
0x52e114 CreateEventA
0x52e118 GetPrivateProfileStringA
0x52e11c IsWow64Process
0x52e120 IsDebuggerPresent
0x52e124 VirtualQueryEx
0x52e128 GetComputerNameA
0x52e12c SetUnhandledExceptionFilter
0x52e130 GetUserDefaultLocaleName
0x52e134 lstrcpynA
0x52e138 SetFilePointer
0x52e13c CreateFileW
0x52e140 AreFileApisANSI
0x52e144 EnterCriticalSection
0x52e148 GetFullPathNameW
0x52e14c GetDiskFreeSpaceW
0x52e150 LockFile
0x52e154 LeaveCriticalSection
0x52e158 InitializeCriticalSection
0x52e15c GetFullPathNameA
0x52e160 SetEndOfFile
0x52e164 GetTempPathW
0x52e168 GetFileAttributesW
0x52e16c FormatMessageW
0x52e170 GetDiskFreeSpaceA
0x52e174 DeleteFileW
0x52e178 UnlockFile
0x52e17c LockFileEx
0x52e180 DeleteCriticalSection
0x52e184 GetSystemTimeAsFileTime
0x52e188 FormatMessageA
0x52e18c QueryPerformanceCounter
0x52e190 GetTickCount
0x52e194 FlushFileBuffers
0x52e198 HeapSize
0x52e19c SetEnvironmentVariableW
0x52e1a0 FreeEnvironmentStringsW
0x52e1a4 GetEnvironmentStringsW
0x52e1a8 GetCommandLineW
0x52e1ac GetCommandLineA
0x52e1b0 GetOEMCP
0x52e1b4 GetACP
0x52e1b8 IsValidCodePage
0x52e1bc SetStdHandle
0x52e1c0 HeapReAlloc
0x52e1c4 FindClose
0x52e1c8 lstrlenA
0x52e1cc InitializeCriticalSectionEx
0x52e1d0 FindNextFileA
0x52e1d4 TerminateProcess
0x52e1d8 OutputDebugStringA
0x52e1dc WriteFile
0x52e1e0 GetCurrentProcess
0x52e1e4 HeapFree
0x52e1e8 FindFirstFileA
0x52e1ec WriteProcessMemory
0x52e1f0 Process32First
0x52e1f4 GetPrivateProfileSectionNamesA
0x52e1f8 GetModuleFileNameA
0x52e1fc WriteConsoleW
0x52e200 EnumSystemLocalesW
0x52e204 GetUserDefaultLCID
0x52e208 IsValidLocale
0x52e20c GetLocaleInfoW
0x52e210 LCMapStringW
0x52e214 CompareStringW
0x52e218 GetTimeFormatW
0x52e21c GetDateFormatW
0x52e220 GetFileSizeEx
0x52e224 GetConsoleOutputCP
0x52e228 ReadConsoleW
0x52e22c GetConsoleMode
0x52e230 GetStdHandle
0x52e234 GetModuleFileNameW
0x52e238 GetModuleHandleExW
0x52e23c ExitProcess
0x52e240 GetFileType
0x52e244 SetFilePointerEx
0x52e248 LoadLibraryExW
0x52e24c ReadFile
0x52e250 TlsFree
0x52e254 TlsSetValue
0x52e258 TlsGetValue
0x52e25c TlsAlloc
0x52e260 InitializeCriticalSectionAndSpinCount
0x52e264 SetLastError
0x52e268 RaiseException
0x52e26c RtlUnwind
0x52e270 InitializeSListHead
0x52e274 GetStartupInfoW
0x52e278 UnhandledExceptionFilter
0x52e27c GetStringTypeW
0x52e280 FindFirstFileW
0x52e284 FindFirstFileExW
0x52e288 FindNextFileW
0x52e28c GetFileAttributesExW
0x52e290 GetFinalPathNameByHandleW
0x52e294 GetModuleHandleW
0x52e298 GetFileInformationByHandleEx
0x52e29c GetLocaleInfoEx
0x52e2a0 InitializeSRWLock
0x52e2a4 ReleaseSRWLockExclusive
0x52e2a8 AcquireSRWLockExclusive
0x52e2ac TryAcquireSRWLockExclusive
0x52e2b0 LCMapStringEx
0x52e2b4 EncodePointer
0x52e2b8 DecodePointer
0x52e2bc CompareStringEx
0x52e2c0 GetCPInfo
USER32.dll
0x52e2f0 wsprintfA
0x52e2f4 GetSystemMetrics
0x52e2f8 GetDesktopWindow
0x52e2fc GetWindowRect
0x52e300 EnumDisplayDevicesA
0x52e304 ReleaseDC
0x52e308 GetDC
0x52e30c GetKeyboardLayoutList
0x52e310 GetCursorPos
0x52e314 CharNextA
GDI32.dll
0x52e038 CreateCompatibleBitmap
0x52e03c SelectObject
0x52e040 CreateCompatibleDC
0x52e044 DeleteObject
0x52e048 BitBlt
ADVAPI32.dll
0x52e000 CredEnumerateA
0x52e004 RegOpenKeyExA
0x52e008 RegEnumKeyA
0x52e00c RegCloseKey
0x52e010 GetCurrentHwProfileA
0x52e014 RegQueryValueExA
0x52e018 RegEnumKeyExA
0x52e01c RegCreateKeyExA
0x52e020 CredFree
0x52e024 GetUserNameA
0x52e028 RegSetValueExA
SHELL32.dll
0x52e2dc SHGetFolderPathA
0x52e2e0 ShellExecuteA
ole32.dll
0x52e378 CoInitializeEx
0x52e37c CoInitialize
0x52e380 CoUninitialize
0x52e384 CoCreateInstance
WS2_32.dll
0x52e31c shutdown
0x52e320 getaddrinfo
0x52e324 WSAStartup
0x52e328 send
0x52e32c socket
0x52e330 connect
0x52e334 recv
0x52e338 freeaddrinfo
0x52e33c setsockopt
0x52e340 WSAGetLastError
0x52e344 WSACleanup
0x52e348 closesocket
CRYPT32.dll
0x52e030 CryptUnprotectData
SHLWAPI.dll
0x52e2e8 PathFindExtensionA
gdiplus.dll
0x52e350 GdiplusStartup
0x52e354 GdiplusShutdown
0x52e358 GdipDisposeImage
0x52e35c GdipSaveImageToFile
0x52e360 GdipGetImageEncodersSize
0x52e364 GdipCreateBitmapFromHBITMAP
0x52e368 GdipGetImageEncoders
SETUPAPI.dll
0x52e2c8 SetupDiGetClassDevsA
0x52e2cc SetupDiEnumDeviceInfo
0x52e2d0 SetupDiGetDeviceInterfaceDetailA
0x52e2d4 SetupDiEnumDeviceInterfaces
ntdll.dll
0x52e370 RtlUnicodeStringToAnsiString
EAT(Export Address Table) is none
KERNEL32.dll
0x52e050 GetVolumeInformationA
0x52e054 WaitForSingleObject
0x52e058 LocalAlloc
0x52e05c GetCurrentThreadId
0x52e060 GetModuleHandleA
0x52e064 GetLocaleInfoA
0x52e068 OpenProcess
0x52e06c CreateToolhelp32Snapshot
0x52e070 MultiByteToWideChar
0x52e074 Sleep
0x52e078 GetTempPathA
0x52e07c GetModuleHandleExA
0x52e080 GetTimeZoneInformation
0x52e084 GetTickCount64
0x52e088 CopyFileA
0x52e08c GetLastError
0x52e090 GetFileAttributesA
0x52e094 TzSpecificLocalTimeToSystemTime
0x52e098 CreateFileA
0x52e09c SetEvent
0x52e0a0 TerminateThread
0x52e0a4 LoadLibraryA
0x52e0a8 GetVersionExA
0x52e0ac DeleteFileA
0x52e0b0 Process32Next
0x52e0b4 CloseHandle
0x52e0b8 GetSystemInfo
0x52e0bc CreateThread
0x52e0c0 ResetEvent
0x52e0c4 GetWindowsDirectoryA
0x52e0c8 HeapAlloc
0x52e0cc SetFileAttributesA
0x52e0d0 GetLocalTime
0x52e0d4 GetProcAddress
0x52e0d8 VirtualAllocEx
0x52e0dc LocalFree
0x52e0e0 IsProcessorFeaturePresent
0x52e0e4 GetFileSize
0x52e0e8 RemoveDirectoryA
0x52e0ec ReadProcessMemory
0x52e0f0 GetCurrentProcessId
0x52e0f4 GetProcessHeap
0x52e0f8 GlobalMemoryStatusEx
0x52e0fc FreeLibrary
0x52e100 WideCharToMultiByte
0x52e104 CreateRemoteThread
0x52e108 CreateDirectoryA
0x52e10c GetSystemTime
0x52e110 CreateMutexA
0x52e114 CreateEventA
0x52e118 GetPrivateProfileStringA
0x52e11c IsWow64Process
0x52e120 IsDebuggerPresent
0x52e124 VirtualQueryEx
0x52e128 GetComputerNameA
0x52e12c SetUnhandledExceptionFilter
0x52e130 GetUserDefaultLocaleName
0x52e134 lstrcpynA
0x52e138 SetFilePointer
0x52e13c CreateFileW
0x52e140 AreFileApisANSI
0x52e144 EnterCriticalSection
0x52e148 GetFullPathNameW
0x52e14c GetDiskFreeSpaceW
0x52e150 LockFile
0x52e154 LeaveCriticalSection
0x52e158 InitializeCriticalSection
0x52e15c GetFullPathNameA
0x52e160 SetEndOfFile
0x52e164 GetTempPathW
0x52e168 GetFileAttributesW
0x52e16c FormatMessageW
0x52e170 GetDiskFreeSpaceA
0x52e174 DeleteFileW
0x52e178 UnlockFile
0x52e17c LockFileEx
0x52e180 DeleteCriticalSection
0x52e184 GetSystemTimeAsFileTime
0x52e188 FormatMessageA
0x52e18c QueryPerformanceCounter
0x52e190 GetTickCount
0x52e194 FlushFileBuffers
0x52e198 HeapSize
0x52e19c SetEnvironmentVariableW
0x52e1a0 FreeEnvironmentStringsW
0x52e1a4 GetEnvironmentStringsW
0x52e1a8 GetCommandLineW
0x52e1ac GetCommandLineA
0x52e1b0 GetOEMCP
0x52e1b4 GetACP
0x52e1b8 IsValidCodePage
0x52e1bc SetStdHandle
0x52e1c0 HeapReAlloc
0x52e1c4 FindClose
0x52e1c8 lstrlenA
0x52e1cc InitializeCriticalSectionEx
0x52e1d0 FindNextFileA
0x52e1d4 TerminateProcess
0x52e1d8 OutputDebugStringA
0x52e1dc WriteFile
0x52e1e0 GetCurrentProcess
0x52e1e4 HeapFree
0x52e1e8 FindFirstFileA
0x52e1ec WriteProcessMemory
0x52e1f0 Process32First
0x52e1f4 GetPrivateProfileSectionNamesA
0x52e1f8 GetModuleFileNameA
0x52e1fc WriteConsoleW
0x52e200 EnumSystemLocalesW
0x52e204 GetUserDefaultLCID
0x52e208 IsValidLocale
0x52e20c GetLocaleInfoW
0x52e210 LCMapStringW
0x52e214 CompareStringW
0x52e218 GetTimeFormatW
0x52e21c GetDateFormatW
0x52e220 GetFileSizeEx
0x52e224 GetConsoleOutputCP
0x52e228 ReadConsoleW
0x52e22c GetConsoleMode
0x52e230 GetStdHandle
0x52e234 GetModuleFileNameW
0x52e238 GetModuleHandleExW
0x52e23c ExitProcess
0x52e240 GetFileType
0x52e244 SetFilePointerEx
0x52e248 LoadLibraryExW
0x52e24c ReadFile
0x52e250 TlsFree
0x52e254 TlsSetValue
0x52e258 TlsGetValue
0x52e25c TlsAlloc
0x52e260 InitializeCriticalSectionAndSpinCount
0x52e264 SetLastError
0x52e268 RaiseException
0x52e26c RtlUnwind
0x52e270 InitializeSListHead
0x52e274 GetStartupInfoW
0x52e278 UnhandledExceptionFilter
0x52e27c GetStringTypeW
0x52e280 FindFirstFileW
0x52e284 FindFirstFileExW
0x52e288 FindNextFileW
0x52e28c GetFileAttributesExW
0x52e290 GetFinalPathNameByHandleW
0x52e294 GetModuleHandleW
0x52e298 GetFileInformationByHandleEx
0x52e29c GetLocaleInfoEx
0x52e2a0 InitializeSRWLock
0x52e2a4 ReleaseSRWLockExclusive
0x52e2a8 AcquireSRWLockExclusive
0x52e2ac TryAcquireSRWLockExclusive
0x52e2b0 LCMapStringEx
0x52e2b4 EncodePointer
0x52e2b8 DecodePointer
0x52e2bc CompareStringEx
0x52e2c0 GetCPInfo
USER32.dll
0x52e2f0 wsprintfA
0x52e2f4 GetSystemMetrics
0x52e2f8 GetDesktopWindow
0x52e2fc GetWindowRect
0x52e300 EnumDisplayDevicesA
0x52e304 ReleaseDC
0x52e308 GetDC
0x52e30c GetKeyboardLayoutList
0x52e310 GetCursorPos
0x52e314 CharNextA
GDI32.dll
0x52e038 CreateCompatibleBitmap
0x52e03c SelectObject
0x52e040 CreateCompatibleDC
0x52e044 DeleteObject
0x52e048 BitBlt
ADVAPI32.dll
0x52e000 CredEnumerateA
0x52e004 RegOpenKeyExA
0x52e008 RegEnumKeyA
0x52e00c RegCloseKey
0x52e010 GetCurrentHwProfileA
0x52e014 RegQueryValueExA
0x52e018 RegEnumKeyExA
0x52e01c RegCreateKeyExA
0x52e020 CredFree
0x52e024 GetUserNameA
0x52e028 RegSetValueExA
SHELL32.dll
0x52e2dc SHGetFolderPathA
0x52e2e0 ShellExecuteA
ole32.dll
0x52e378 CoInitializeEx
0x52e37c CoInitialize
0x52e380 CoUninitialize
0x52e384 CoCreateInstance
WS2_32.dll
0x52e31c shutdown
0x52e320 getaddrinfo
0x52e324 WSAStartup
0x52e328 send
0x52e32c socket
0x52e330 connect
0x52e334 recv
0x52e338 freeaddrinfo
0x52e33c setsockopt
0x52e340 WSAGetLastError
0x52e344 WSACleanup
0x52e348 closesocket
CRYPT32.dll
0x52e030 CryptUnprotectData
SHLWAPI.dll
0x52e2e8 PathFindExtensionA
gdiplus.dll
0x52e350 GdiplusStartup
0x52e354 GdiplusShutdown
0x52e358 GdipDisposeImage
0x52e35c GdipSaveImageToFile
0x52e360 GdipGetImageEncodersSize
0x52e364 GdipCreateBitmapFromHBITMAP
0x52e368 GdipGetImageEncoders
SETUPAPI.dll
0x52e2c8 SetupDiGetClassDevsA
0x52e2cc SetupDiEnumDeviceInfo
0x52e2d0 SetupDiGetDeviceInterfaceDetailA
0x52e2d4 SetupDiEnumDeviceInterfaces
ntdll.dll
0x52e370 RtlUnicodeStringToAnsiString
EAT(Export Address Table) is none