popup

Report - laser.exe

Generic Malware Malicious Library UPX PE File PE32 DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.02.07 11:44 Machine s1_win7_x6403
Filename laser.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
8
 Behavior Score
7.2
ZERO API
VT API (file) 54 detected (AIDetectMalware, Formbook, Malicious, score, VirRansom, Mikey, Unsafe, confidence, 100%, GenusT, EOQB, high confidence, MiscX, Noon, bkdq, CLASSIC, ZPACK, Fbng, Real Protect, moderate, Static AI, Malicious PE, Detected, Malware@#3izi5iof8n80f, 1A2RRFJ, Eldorado, R647393, Artemis, General, Psmw, susgen)
md5 da401fe564d861a209ff600633e4a845
sha256 e317fe7d8d54c2935cb43168e3a65954c180f2c82d97fee05ada76d87af0c52c
ssdeep 6144:ITjvc2H8VD5tUTHmvlvEVj/LUsuULqmV4vGCaW7lTXNFwpV:OBTHmNEVj/LDuULVV4NVaV
imphash
impfuzzy 3::
  Network IP location

Signature (13cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
watch Attempts to identify installed AV products by installation directory
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (8cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (25cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.kjuw.party/e0jv/?_skUVv5I=T5a+nPXa7vHYgORbmIzRnsYJn/5yKJpyja1Bw4L97U3J4ftOxLqNjjmK0MbXg0R7zOiA8ZTqxO8XWXqYcYfBl6po+rPbfzDYogoaVOnbbhZcGmBPmnt3DMj2ULUXFIgoaMg3MTM=&kV=_HhJ3VPSKQ7ESY
whois
SG BGPNET Global ASN 134.122.135.48
http://www.topitch.top/goj6/
whois
US NAMECHEAP-NET 162.0.231.203
http://www.tumbetgirislinki.fit/k566/?_skUVv5I=RARW43WNMKajmHobr0h+FYOVnPeo69WXvXreCHJ6fEp5jkldk9mcfHn6UnU82+9OdsowyVV8wlYPh4e4mYqP64YSjghMuBr0WoXV5avhz1caW9rj8asJcaLGlYzIq2qtHDCYWJw=&kV=_HhJ3VPSKQ7ESY
whois
US CLOUDFLARENET 104.21.112.1
http://www.lucynoel6465.shop/jgkl/?_skUVv5I=hI+cEEoDMRK5HtHm9IZKcVLqeO4rH3Lo+nuR9x41ri89hVkyLZ4bcwu1mex5brSMZV4GWavlrf0/NsblmXI4eKNzhD3LBC/4pVsqqx1rwhcrHMghz/r2elc8myKvxM7B12e/f+g=&kV=_HhJ3VPSKQ7ESY
whois
US CLOUDFLARENET 104.21.96.1
http://www.l63339.xyz/vhr7/?_skUVv5I=iaSfD1StI7hDT4qLO8uUiRMZCfzOjk7n7gYmLjmbAGxKTACTDmsojAseBTws2ae3nsJ7oX723eTW3ctEzpxpoAGWw5lYsZyjnFbtqE7RDBWvF3wnDTau3wgNIBcGnVL27k7EtEM=&kV=_HhJ3VPSKQ7ESY
whois
US ANT-CLOUD 162.218.30.235
http://www.topitch.top/goj6/?_skUVv5I=90Ns8gSHVfuKmwMvqoBDvov0x0TuRSc4CHvhiyRIaCFX9JzO3hXkGdLkIxbX7QQ8WI53tEhNGahKOUZIphRSegDcYcrC0WhrrPS45v/w4f2SjHeENV+PjA2DCpp4ca+uy9lGHYA=&kV=_HhJ3VPSKQ7ESY
whois
US NAMECHEAP-NET 162.0.231.203
http://www.lucynoel6465.shop/jgkl/
whois
US CLOUDFLARENET 104.21.32.1
http://www.tumbetgirislinki.fit/k566/
whois
US CLOUDFLARENET 104.21.16.1 clean
http://www.l63339.xyz/vhr7/
whois
US ANT-CLOUD 162.218.30.235 clean
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
whois
US Linode, LLC 45.33.6.223 clean
http://www.kjuw.party/e0jv/
whois
SG BGPNET Global ASN 134.122.135.48 clean
www.l63339.xyz
whois
US ANT-CLOUD 162.218.30.235 clean
www.topitch.top
whois
US NAMECHEAP-NET 162.0.231.203 clean
www.kjuw.party
whois
SG BGPNET Global ASN 134.122.133.80 clean
www.seasay.xyz
whois
NZ Voyager Internet Ltd. 103.106.67.112 clean
www.lucynoel6465.shop
whois
US CLOUDFLARENET 104.21.80.1 clean
www.partflix.net
whois
US COGECO-PEER1 64.29.17.194 clean
www.tumbetgirislinki.fit
whois
US CLOUDFLARENET 104.21.80.1 clean
162.218.30.235
whois
US ANT-CLOUD 162.218.30.235 clean
66.33.60.66
whois
US COGECO-PEER1 66.33.60.66 clean
134.122.135.48
whois
SG BGPNET Global ASN 134.122.135.48 clean
104.21.112.1
whois
US CLOUDFLARENET 104.21.112.1 mailcious
45.33.6.223
whois
US Linode, LLC 45.33.6.223 clean
162.0.231.203
whois
US NAMECHEAP-NET 162.0.231.203 clean
103.106.67.112
whois
NZ Voyager Internet Ltd. 103.106.67.112 clean

Suricata ids

ET INFO Observed DNS Query to .fit TLD
ET INFO HTTP Request to Suspicious *.fit Domain
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure