Summary | ZeroBOX

lumma21.exe

Craxs RAT, PE32, PE File, .NET EXE
Category FILE
Machine s1_win7_x6403_us
Started March 26, 2024, 7:16 a.m.
Completed March 26, 2024, 7:19 a.m.
Size 369.1KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 29447b51ed950d6b101a8ff1494814f1
SHA256 d44d746b20df4825c851c93cc6b7a29eb6e4029dbab4fb2c5584c172b822802a
CRC32 BC41E931
ssdeep 6144:/Is89E4qYj3shY4FHAg0P/MW2SpOFrbRGFIyaB9Vcb0YVPH5RlaHtkzk8hUMfebP:wsMrshz6LP/MW2S24bXxTaHtkg8ZebP
PDB Path Casis.pdb
Yara
  • Craxs_RAT - Craxs RAT
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

Name / Response / Post-Analysis Lookup: No hosts contacted.
IP Address / Status / Action: No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: Unhandled Exception:
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: System.MissingMethodException: Method not found: '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)'. at jdlRoyq8m90uUQVLQE.CgZ31GnSs42c03Hjt2.vSRhO2oaZ() at jdlRoyq8m90uUQVLQE.CgZ31GnSs42c03Hjt2..ctor() at ByyXXwykf5iZLLWfpw.wEeQr9mwXPqeRmxwJA.DKQtE4wyP(String[] )
console_handle: 0x0000000b
1 1 0
pdb_path Casis.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 660
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00730000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00810000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02170000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00592000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 660
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section .text: size_of_data 0x00056c00, virtual_address 0x00002000, virtual_size 0x00056b24, entropy 7.851756592704515 (description: A section with a high entropy has been found)
entropy 0.994269340974 (description: Overall entropy of this PE file is high)
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Stealer.12!c
Elastic malicious (high confidence)
Skyhigh Artemis!Trojan
McAfee Artemis!29447B51ED95
Cylance unsafe
VIPRE Gen:Variant.Ser.Zusy.4951
Sangfor Infostealer.Msil.Kryptik.V6vt
K7AntiVirus Trojan ( 005b35d21 )
BitDefender Gen:Variant.Ser.Zusy.4951
K7GW Trojan ( 005b35d21 )
Arcabit Trojan.Ser.Zusy.D1357
VirIT Trojan.Win32.GenusT.DVOE
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.ALFY
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba Trojan:MSIL/Kryptik.ae6eb28e
MicroWorld-eScan Gen:Variant.Ser.Zusy.4951
Rising Stealer.Agent!8.C2 (CLOUD)
Emsisoft Gen:Variant.Ser.Zusy.4951 (B)
F-Secure Trojan.TR/AD.Nekark.zipxy
FireEye Generic.mg.29447b51ed950d6b
Sophos Troj/MSIL-TCZ
Ikarus Trojan.MSIL.Krypt
Google Detected
Avira TR/AD.Nekark.zipxy
MAX malware (ai score=84)
Antiy-AVL Trojan/MSIL.Kryptik
Kingsoft MSIL.Trojan-Spy.Stealer.gen
Gridinsoft Ransom.Win32.Sabsik.ca
Microsoft Trojan:MSIL/LummaC.MBZS!MTB
ZoneAlarm HEUR:Trojan-Spy.MSIL.Stealer.gen
GData Gen:Variant.Ser.Zusy.4951
Varist W32/MSIL_Agent.HUS.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.C5604379
BitDefenderTheta Gen:NN.ZemsilF.36802.xm2@aW51jRm
DeepInstinct MALICIOUS
Malwarebytes Trojan.Crypt.MSIL.Generic
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H07CO24
Tencent Malware.Win32.Gencirc.10bfc561
SentinelOne Static AI - Suspicious PE
Fortinet MSIL/GenKryptik.GVHR!tr
AVG Win32:TrojanX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (D)
alibabacloud Trojan[spy]:MSIL/Stealer.gen