ScreenShot (images not included in this extract)
Field | Value |
---|---|
Created | 2024.03.02 18:41 |
Machine | s1_win7_x6401 |
Filename | laryyyyy.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | (not captured in this extract) |
Behavior Score | (not captured in this extract) |
ZERO API | file : malware |
VT API (file) | 38 detected (Agentb, Malicious, score, NetLoader, Jaik, unsafe, Vdsj, Attribute, HighConfidence, Artemis, ffafq, AMADEY, YXEB3Z, Detected, ai score=87, Phonzy, Casdet, ZexaE, suW@aK5ZIjii, Chgt, PossibleThreat, confidence, 100%) |
md5 | 83c6f7d8026e3b966329e8c39a2c9e73 |
sha256 | d963392aa3f2cfe80e55734fdb2e7db55b99309935031e6c7a034cca62ffd3c9 |
ssdeep | 3072:D3Q9NpCJxUNtjipXFi+PlZlKG6ZEhGFUx+3Ynlhs34jljeLnCQS:DmNMUNdiyoKcwxIwASA |
imphash | fd3e67a72fcdc11dae1668a9ef71cd6e |
impfuzzy | 48:WzJOCZ0ctcm6cMYPtRkRI08lJ/KAXjSY09sGS5/zFnB+wg:WzJNrcm6cXPtRkR5+cQ4 |
Network IP location (no entries in this extract)
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | Connects to an IRC server |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (45cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | curl_command | curl command | binaries (download) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | ftp_command | ftp command | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x426000 Sleep
0x426004 WaitForSingleObject
0x426008 TerminateThread
0x42600c CreateDirectoryA
0x426010 CloseHandle
0x426014 CreateThread
0x426018 CreateFileA
0x42601c GetCurrentProcess
0x426020 WriteFile
0x426024 OpenProcess
0x426028 GetFileAttributesA
0x42602c CreateProcessA
0x426030 TerminateProcess
0x426034 MultiByteToWideChar
0x426038 SetCurrentDirectoryA
0x42603c GetLastError
0x426040 Process32FirstW
0x426044 IsWow64Process
0x426048 Process32NextW
0x42604c CreateMutexA
0x426050 CreateToolhelp32Snapshot
0x426054 DeleteFileA
0x426058 SetEndOfFile
0x42605c CreateFileW
0x426060 ReadConsoleW
0x426064 ReadFile
0x426068 WriteConsoleW
0x42606c FlushFileBuffers
0x426070 SetStdHandle
0x426074 SetEnvironmentVariableA
0x426078 EnumSystemLocalesW
0x42607c GetUserDefaultLCID
0x426080 IsValidLocale
0x426084 GetLocaleInfoW
0x426088 LCMapStringW
0x42608c CompareStringW
0x426090 OutputDebugStringW
0x426094 LoadLibraryExW
0x426098 SetFilePointerEx
0x42609c GetConsoleMode
0x4260a0 GetConsoleCP
0x4260a4 GetStringTypeW
0x4260a8 FreeEnvironmentStringsW
0x4260ac GetEnvironmentStringsW
0x4260b0 GetSystemTimeAsFileTime
0x4260b4 HeapFree
0x4260b8 HeapAlloc
0x4260bc IsDebuggerPresent
0x4260c0 IsProcessorFeaturePresent
0x4260c4 HeapReAlloc
0x4260c8 EncodePointer
0x4260cc DecodePointer
0x4260d0 GetCommandLineW
0x4260d4 GetProcessHeap
0x4260d8 EnterCriticalSection
0x4260dc LeaveCriticalSection
0x4260e0 RaiseException
0x4260e4 IsValidCodePage
0x4260e8 GetACP
0x4260ec GetOEMCP
0x4260f0 GetCPInfo
0x4260f4 SetLastError
0x4260f8 GetCurrentThreadId
0x4260fc ExitProcess
0x426100 GetModuleHandleExW
0x426104 GetProcAddress
0x426108 AreFileApisANSI
0x42610c WideCharToMultiByte
0x426110 GetStdHandle
0x426114 GetModuleFileNameW
0x426118 UnhandledExceptionFilter
0x42611c SetUnhandledExceptionFilter
0x426120 InitializeCriticalSectionAndSpinCount
0x426124 TlsAlloc
0x426128 TlsGetValue
0x42612c TlsSetValue
0x426130 TlsFree
0x426134 GetStartupInfoW
0x426138 GetModuleHandleW
0x42613c DeleteCriticalSection
0x426140 HeapSize
0x426144 RtlUnwind
0x426148 GetFileType
0x42614c QueryPerformanceCounter
0x426150 GetCurrentProcessId
USER32.dll
0x426158 SendMessageW
0x42615c DispatchMessageW
0x426160 DefWindowProcW
0x426164 CreateWindowExW
0x426168 LoadStringW
0x42616c LoadIconW
0x426170 RegisterClassExW
0x426174 LoadAcceleratorsW
0x426178 TranslateMessage
0x42617c EndPaint
0x426180 DestroyWindow
0x426184 TranslateAcceleratorW
0x426188 GetMessageW
0x42618c PostQuitMessage
0x426190 LoadCursorW
0x426194 BeginPaint
WS2_32.dll
0x42619c gethostbyname
0x4261a0 closesocket
0x4261a4 socket
0x4261a8 recv
0x4261ac WSACleanup
0x4261b0 htons
0x4261b4 WSAStartup
0x4261b8 connect
0x4261bc send
EAT (Export Address Table) Library
0x403950 _cJSON_AddArrayToObject@8
0x4035f0 _cJSON_AddBoolToObject@12
0x403540 _cJSON_AddFalseToObject@8
0x4032f0 _cJSON_AddItemReferenceToArray@8
0x403350 _cJSON_AddItemReferenceToObject@12
0x4031c0 _cJSON_AddItemToArray@8
0x403210 _cJSON_AddItemToObject@12
0x403280 _cJSON_AddItemToObjectCS@12
0x4033e0 _cJSON_AddNullToObject@8
0x4036a0 _cJSON_AddNumberToObject@16
0x4038a0 _cJSON_AddObjectToObject@8
0x403810 _cJSON_AddRawToObject@12
0x403780 _cJSON_AddStringToObject@12
0x403490 _cJSON_AddTrueToObject@8
0x4049d0 _cJSON_Compare@12
0x404130 _cJSON_CreateArray@0
0x404060 _cJSON_CreateArrayReference@4
0x403e90 _cJSON_CreateBool@4
0x4043f0 _cJSON_CreateDoubleArray@8
0x403e60 _cJSON_CreateFalse@0
0x4042c0 _cJSON_CreateFloatArray@8
0x404190 _cJSON_CreateIntArray@8
0x403e00 _cJSON_CreateNull@0
0x403ed0 _cJSON_CreateNumber@8
0x404160 _cJSON_CreateObject@0
0x404020 _cJSON_CreateObjectReference@4
0x4040a0 _cJSON_CreateRaw@4
0x403f50 _cJSON_CreateString@4
0x404520 _cJSON_CreateStringArray@8
0x403fe0 _cJSON_CreateStringReference@4
0x403e30 _cJSON_CreateTrue@0
0x401550 _cJSON_Delete@4
0x403ac0 _cJSON_DeleteItemFromArray@8
0x403b60 _cJSON_DeleteItemFromObject@8
0x403b90 _cJSON_DeleteItemFromObjectCaseSensitive@8
0x403a70 _cJSON_DetachItemFromArray@8
0x403b20 _cJSON_DetachItemFromObject@8
0x403b40 _cJSON_DetachItemFromObjectCaseSensitive@8
0x403a00 _cJSON_DetachItemViaPointer@8
0x4045d0 _cJSON_Duplicate@8
0x402f50 _cJSON_GetArrayItem@8
0x402f20 _cJSON_GetArraySize@4
0x4013b0 _cJSON_GetErrorPtr@0
0x4013f0 _cJSON_GetNumberValue@4
0x4030b0 _cJSON_GetObjectItem@8
0x4030d0 _cJSON_GetObjectItemCaseSensitive@8
0x4013c0 _cJSON_GetStringValue@4
0x4030f0 _cJSON_HasObjectItem@8
0x4014c0 _cJSON_InitHooks@4
0x403bc0 _cJSON_InsertItemInArray@12
0x404970 _cJSON_IsArray@4
0x4048f0 _cJSON_IsBool@4
0x4048b0 _cJSON_IsFalse@4
0x404890 _cJSON_IsInvalid@4
0x404910 _cJSON_IsNull@4
0x404930 _cJSON_IsNumber@4
0x404990 _cJSON_IsObject@4
0x4049b0 _cJSON_IsRaw@4
0x404950 _cJSON_IsString@4
0x4048d0 _cJSON_IsTrue@4
0x404740 _cJSON_Minify@4
0x4022e0 _cJSON_Parse@4
0x402310 _cJSON_ParseWithLength@8
0x402160 _cJSON_ParseWithLengthOpts@16
0x402120 _cJSON_ParseWithOpts@12
0x402450 _cJSON_Print@4
0x402490 _cJSON_PrintBuffered@12
0x402570 _cJSON_PrintPreallocated@16
0x402470 _cJSON_PrintUnformatted@4
0x403cd0 _cJSON_ReplaceItemInArray@12
0x403dc0 _cJSON_ReplaceItemInObject@12
0x403de0 _cJSON_ReplaceItemInObjectCaseSensitive@12
0x403c40 _cJSON_ReplaceItemViaPointer@12
0x401740 _cJSON_SetNumberHelper@12
0x4017a0 _cJSON_SetValuestring@8
0x401420 _cJSON_Version@0
0x404cd0 _cJSON_free@4
0x404cb0 _cJSON_malloc@4
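The Python triage helper below is an added example; it is not part of the sandbox report and not code from the sample. It re-derives the imphash from the IAT listing above using the recipe pefile uses (lowercased `library.function` pairs in import order with the dll/ocx/sys extension stripped, comma-joined, MD5), groups the imports into capability buckets that line up with the behavioural signatures, lists the classic remote-thread injection primitives that are absent from the static IAT, and undecorates the stdcall export names from the EAT listing. The bucket names and the injection-primitive list are this example's own assumptions, not sandbox categories; the import list is transcribed from this page in the order shown, and `PAGE_IMPHASH` is the value reported above. The recomputed hash equals the reported one only if the transcription is complete and in import-directory order, so a mismatch points at the listing rather than at a different binary.

```python
"""Added triage helper, not part of the sandbox report or of the sample: re-derive
the imphash from the IAT listing, bucket imports by capability (example's own
grouping) and undecorate stdcall export names from the EAT listing."""
import hashlib
import re

# Transcribed from the IAT listing on this page, in the order shown there.
IAT_LISTING = """
KERNEL32.dll
Sleep WaitForSingleObject TerminateThread CreateDirectoryA CloseHandle CreateThread
CreateFileA GetCurrentProcess WriteFile OpenProcess GetFileAttributesA CreateProcessA
TerminateProcess MultiByteToWideChar SetCurrentDirectoryA GetLastError Process32FirstW
IsWow64Process Process32NextW CreateMutexA CreateToolhelp32Snapshot DeleteFileA
SetEndOfFile CreateFileW ReadConsoleW ReadFile WriteConsoleW FlushFileBuffers
SetStdHandle SetEnvironmentVariableA EnumSystemLocalesW GetUserDefaultLCID IsValidLocale
GetLocaleInfoW LCMapStringW CompareStringW OutputDebugStringW LoadLibraryExW
SetFilePointerEx GetConsoleMode GetConsoleCP GetStringTypeW FreeEnvironmentStringsW
GetEnvironmentStringsW GetSystemTimeAsFileTime HeapFree HeapAlloc IsDebuggerPresent
IsProcessorFeaturePresent HeapReAlloc EncodePointer DecodePointer GetCommandLineW
GetProcessHeap EnterCriticalSection LeaveCriticalSection RaiseException IsValidCodePage
GetACP GetOEMCP GetCPInfo SetLastError GetCurrentThreadId ExitProcess GetModuleHandleExW
GetProcAddress AreFileApisANSI WideCharToMultiByte GetStdHandle GetModuleFileNameW
UnhandledExceptionFilter SetUnhandledExceptionFilter InitializeCriticalSectionAndSpinCount
TlsAlloc TlsGetValue TlsSetValue TlsFree GetStartupInfoW GetModuleHandleW
DeleteCriticalSection HeapSize RtlUnwind GetFileType QueryPerformanceCounter
GetCurrentProcessId
USER32.dll
SendMessageW DispatchMessageW DefWindowProcW CreateWindowExW LoadStringW LoadIconW
RegisterClassExW LoadAcceleratorsW TranslateMessage EndPaint DestroyWindow
TranslateAcceleratorW GetMessageW PostQuitMessage LoadCursorW BeginPaint
WS2_32.dll
gethostbyname closesocket socket recv WSACleanup htons WSAStartup connect send
"""
PAGE_IMPHASH = "fd3e67a72fcdc11dae1668a9ef71cd6e"  # value reported on this page
LIB_RE = re.compile(r"^[\w-]+\.(dll|ocx|sys)$", re.I)
ADDR_RE = re.compile(r"^0x[0-9a-f]+$", re.I)
STDCALL_RE = re.compile(r"^_(?P<name>\w+)@(?P<argbytes>\d+)$")
BUCKETS = {  # example's own grouping of the imports behind the behavioural signatures
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess", "IsWow64Process"},
    "drop_and_execute": {"CreateDirectoryA", "CreateFileA", "WriteFile", "CreateProcessA", "DeleteFileA", "SetCurrentDirectoryA"},
    "dynamic_api_resolution": {"LoadLibraryExW", "GetProcAddress"},
    "anti_debug": {"IsDebuggerPresent", "OutputDebugStringW"},
    "single_instance_mutex": {"CreateMutexA"},
    "raw_socket_network": {"WSAStartup", "gethostbyname", "socket", "connect", "send", "recv"},
}
# Primitives a static IAT would show for classic remote-thread or thread-hijack injection.
INJECTION_PRIMITIVES = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                        "ResumeThread", "SetThreadContext", "QueueUserAPC"}

def parse_iat(listing):
    """[(library, function), ...]; accepts the page's '0xADDR Name' lines as well as
    whitespace-separated names under a library header."""
    imports, lib = [], None
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) == 1 and LIB_RE.match(tokens[0]):
            lib = tokens[0]
            continue
        if lib is None:
            raise ValueError("function listed before any library: " + line)
        imports.extend((lib, t) for t in tokens if not ADDR_RE.match(t))
    return imports

def imphash_input(imports):
    """pefile's recipe: lowercase 'lib.func' pairs with a dll/ocx/sys extension
    stripped, comma-joined in import order (ordinal imports are not handled here)."""
    parts = []
    for lib, func in imports:
        base, _, ext = lib.lower().rpartition(".")
        lib = base if ext in ("dll", "ocx", "sys") else lib.lower()
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)

def imphash(imports):
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()

def capabilities(imports):
    names = {func for _, func in imports}
    return {b: sorted(names & s) for b, s in BUCKETS.items() if names & s}

def missing_injection_primitives(imports):
    return sorted(INJECTION_PRIMITIVES - {func for _, func in imports})

def undecorate_stdcall(symbol):
    """'_cJSON_Parse@4' -> ('cJSON_Parse', 1): @N is the argument byte count, so
    N // 4 is the 32-bit argument count. Non-stdcall names pass through unchanged."""
    m = STDCALL_RE.match(symbol)
    return (m["name"], int(m["argbytes"]) // 4) if m else (symbol, None)

if __name__ == "__main__":
    imps = parse_iat(IAT_LISTING)
    h = imphash(imps)
    print(f"{len(imps)} imports, imphash {h}, matches page value: {h == PAGE_IMPHASH}")
    for bucket, funcs in capabilities(imps).items():
        print(f"  {bucket}: {', '.join(funcs)}")
    print("absent injection primitives:", ", ".join(missing_injection_primitives(imps)))
    print("_cJSON_AddNumberToObject@16 ->", undecorate_stdcall("_cJSON_AddNumberToObject@16"))
```

Two things the output makes visible: the static IAT carries none of VirtualAllocEx, WriteProcessMemory, CreateRemoteThread or ResumeThread, while LoadLibraryExW and GetProcAddress are present, so the "resumed a suspended thread in a remote process" signature and the CreateRemoteThread Yara hit above come from runtime behaviour (dynamically resolved APIs or the dropped binaries) that an imphash or import-based rule alone would not surface. Second, the `_name@N` decoration on the exports is stdcall, and `N // 4` gives the argument count, which is how `_cJSON_AddNumberToObject@16` reads as a four-argument function.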