Report - laryyyyy.exe

Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 OS Processor Check PE64 c
ScreenShot
Created 2024.03.02 18:41 Machine s1_win7_x6401
Filename laryyyyy.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 8
Behavior Score 6.0
ZERO API file : malware
VT API (file) 38 detected (Agentb, Malicious, score, NetLoader, Jaik, unsafe, Vdsj, Attribute, HighConfidence, Artemis, ffafq, AMADEY, YXEB3Z, Detected, ai score=87, Phonzy, Casdet, ZexaE, suW@aK5ZIjii, Chgt, PossibleThreat, confidence, 100%)
md5 83c6f7d8026e3b966329e8c39a2c9e73
sha256 d963392aa3f2cfe80e55734fdb2e7db55b99309935031e6c7a034cca62ffd3c9
ssdeep 3072:D3Q9NpCJxUNtjipXFi+PlZlKG6ZEhGFUx+3Ynlhs34jljeLnCQS:DmNMUNdiyoKcwxIwASA
imphash fd3e67a72fcdc11dae1668a9ef71cd6e
impfuzzy 48:WzJOCZ0ctcm6cMYPtRkRI08lJ/KAXjSY09sGS5/zFnB+wg:WzJNrcm6cXPtRkR5+cQ4

Signature (15cnts)

Level Description
danger File has been identified by 38 AntiVirus engines on VirusTotal as malicious
watch Connects to an IRC server
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info This executable has a PDB path

Rules (45cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate privileges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Persistence Install itself for autorun at Windows startup memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info curl_command curl command binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info ftp_command ftp command binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (2cnts)

Request CC ASN Co IP4 Rule ZERO
jelepenorocks.com CA OVH SAS 54.39.152.114 clean
54.39.152.114 CA OVH SAS 54.39.152.114 malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x426000 Sleep
 0x426004 WaitForSingleObject
 0x426008 TerminateThread
 0x42600c CreateDirectoryA
 0x426010 CloseHandle
 0x426014 CreateThread
 0x426018 CreateFileA
 0x42601c GetCurrentProcess
 0x426020 WriteFile
 0x426024 OpenProcess
 0x426028 GetFileAttributesA
 0x42602c CreateProcessA
 0x426030 TerminateProcess
 0x426034 MultiByteToWideChar
 0x426038 SetCurrentDirectoryA
 0x42603c GetLastError
 0x426040 Process32FirstW
 0x426044 IsWow64Process
 0x426048 Process32NextW
 0x42604c CreateMutexA
 0x426050 CreateToolhelp32Snapshot
 0x426054 DeleteFileA
 0x426058 SetEndOfFile
 0x42605c CreateFileW
 0x426060 ReadConsoleW
 0x426064 ReadFile
 0x426068 WriteConsoleW
 0x42606c FlushFileBuffers
 0x426070 SetStdHandle
 0x426074 SetEnvironmentVariableA
 0x426078 EnumSystemLocalesW
 0x42607c GetUserDefaultLCID
 0x426080 IsValidLocale
 0x426084 GetLocaleInfoW
 0x426088 LCMapStringW
 0x42608c CompareStringW
 0x426090 OutputDebugStringW
 0x426094 LoadLibraryExW
 0x426098 SetFilePointerEx
 0x42609c GetConsoleMode
 0x4260a0 GetConsoleCP
 0x4260a4 GetStringTypeW
 0x4260a8 FreeEnvironmentStringsW
 0x4260ac GetEnvironmentStringsW
 0x4260b0 GetSystemTimeAsFileTime
 0x4260b4 HeapFree
 0x4260b8 HeapAlloc
 0x4260bc IsDebuggerPresent
 0x4260c0 IsProcessorFeaturePresent
 0x4260c4 HeapReAlloc
 0x4260c8 EncodePointer
 0x4260cc DecodePointer
 0x4260d0 GetCommandLineW
 0x4260d4 GetProcessHeap
 0x4260d8 EnterCriticalSection
 0x4260dc LeaveCriticalSection
 0x4260e0 RaiseException
 0x4260e4 IsValidCodePage
 0x4260e8 GetACP
 0x4260ec GetOEMCP
 0x4260f0 GetCPInfo
 0x4260f4 SetLastError
 0x4260f8 GetCurrentThreadId
 0x4260fc ExitProcess
 0x426100 GetModuleHandleExW
 0x426104 GetProcAddress
 0x426108 AreFileApisANSI
 0x42610c WideCharToMultiByte
 0x426110 GetStdHandle
 0x426114 GetModuleFileNameW
 0x426118 UnhandledExceptionFilter
 0x42611c SetUnhandledExceptionFilter
 0x426120 InitializeCriticalSectionAndSpinCount
 0x426124 TlsAlloc
 0x426128 TlsGetValue
 0x42612c TlsSetValue
 0x426130 TlsFree
 0x426134 GetStartupInfoW
 0x426138 GetModuleHandleW
 0x42613c DeleteCriticalSection
 0x426140 HeapSize
 0x426144 RtlUnwind
 0x426148 GetFileType
 0x42614c QueryPerformanceCounter
 0x426150 GetCurrentProcessId
USER32.dll
 0x426158 SendMessageW
 0x42615c DispatchMessageW
 0x426160 DefWindowProcW
 0x426164 CreateWindowExW
 0x426168 LoadStringW
 0x42616c LoadIconW
 0x426170 RegisterClassExW
 0x426174 LoadAcceleratorsW
 0x426178 TranslateMessage
 0x42617c EndPaint
 0x426180 DestroyWindow
 0x426184 TranslateAcceleratorW
 0x426188 GetMessageW
 0x42618c PostQuitMessage
 0x426190 LoadCursorW
 0x426194 BeginPaint
WS2_32.dll
 0x42619c gethostbyname
 0x4261a0 closesocket
 0x4261a4 socket
 0x4261a8 recv
 0x4261ac WSACleanup
 0x4261b0 htons
 0x4261b4 WSAStartup
 0x4261b8 connect
 0x4261bc send

EAT(Export Address Table) Library

0x403950 _cJSON_AddArrayToObject@8
0x4035f0 _cJSON_AddBoolToObject@12
0x403540 _cJSON_AddFalseToObject@8
0x4032f0 _cJSON_AddItemReferenceToArray@8
0x403350 _cJSON_AddItemReferenceToObject@12
0x4031c0 _cJSON_AddItemToArray@8
0x403210 _cJSON_AddItemToObject@12
0x403280 _cJSON_AddItemToObjectCS@12
0x4033e0 _cJSON_AddNullToObject@8
0x4036a0 _cJSON_AddNumberToObject@16
0x4038a0 _cJSON_AddObjectToObject@8
0x403810 _cJSON_AddRawToObject@12
0x403780 _cJSON_AddStringToObject@12
0x403490 _cJSON_AddTrueToObject@8
0x4049d0 _cJSON_Compare@12
0x404130 _cJSON_CreateArray@0
0x404060 _cJSON_CreateArrayReference@4
0x403e90 _cJSON_CreateBool@4
0x4043f0 _cJSON_CreateDoubleArray@8
0x403e60 _cJSON_CreateFalse@0
0x4042c0 _cJSON_CreateFloatArray@8
0x404190 _cJSON_CreateIntArray@8
0x403e00 _cJSON_CreateNull@0
0x403ed0 _cJSON_CreateNumber@8
0x404160 _cJSON_CreateObject@0
0x404020 _cJSON_CreateObjectReference@4
0x4040a0 _cJSON_CreateRaw@4
0x403f50 _cJSON_CreateString@4
0x404520 _cJSON_CreateStringArray@8
0x403fe0 _cJSON_CreateStringReference@4
0x403e30 _cJSON_CreateTrue@0
0x401550 _cJSON_Delete@4
0x403ac0 _cJSON_DeleteItemFromArray@8
0x403b60 _cJSON_DeleteItemFromObject@8
0x403b90 _cJSON_DeleteItemFromObjectCaseSensitive@8
0x403a70 _cJSON_DetachItemFromArray@8
0x403b20 _cJSON_DetachItemFromObject@8
0x403b40 _cJSON_DetachItemFromObjectCaseSensitive@8
0x403a00 _cJSON_DetachItemViaPointer@8
0x4045d0 _cJSON_Duplicate@8
0x402f50 _cJSON_GetArrayItem@8
0x402f20 _cJSON_GetArraySize@4
0x4013b0 _cJSON_GetErrorPtr@0
0x4013f0 _cJSON_GetNumberValue@4
0x4030b0 _cJSON_GetObjectItem@8
0x4030d0 _cJSON_GetObjectItemCaseSensitive@8
0x4013c0 _cJSON_GetStringValue@4
0x4030f0 _cJSON_HasObjectItem@8
0x4014c0 _cJSON_InitHooks@4
0x403bc0 _cJSON_InsertItemInArray@12
0x404970 _cJSON_IsArray@4
0x4048f0 _cJSON_IsBool@4
0x4048b0 _cJSON_IsFalse@4
0x404890 _cJSON_IsInvalid@4
0x404910 _cJSON_IsNull@4
0x404930 _cJSON_IsNumber@4
0x404990 _cJSON_IsObject@4
0x4049b0 _cJSON_IsRaw@4
0x404950 _cJSON_IsString@4
0x4048d0 _cJSON_IsTrue@4
0x404740 _cJSON_Minify@4
0x4022e0 _cJSON_Parse@4
0x402310 _cJSON_ParseWithLength@8
0x402160 _cJSON_ParseWithLengthOpts@16
0x402120 _cJSON_ParseWithOpts@12
0x402450 _cJSON_Print@4
0x402490 _cJSON_PrintBuffered@12
0x402570 _cJSON_PrintPreallocated@16
0x402470 _cJSON_PrintUnformatted@4
0x403cd0 _cJSON_ReplaceItemInArray@12
0x403dc0 _cJSON_ReplaceItemInObject@12
0x403de0 _cJSON_ReplaceItemInObjectCaseSensitive@12
0x403c40 _cJSON_ReplaceItemViaPointer@12
0x401740 _cJSON_SetNumberHelper@12
0x4017a0 _cJSON_SetValuestring@8
0x401420 _cJSON_Version@0
0x404cd0 _cJSON_free@4
0x404cb0 _cJSON_malloc@4
