ScreenShot
| Created | 2022.12.30 18:22 | Machine | s1_win7_x6401 |
| Filename | Leman.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 48 detected (AutoMnunAAE, SpyBot, Doina, Unsafe, Amadey, Save, malicious, Genus, TIXB, Attribute, HighConfidence, high confidence, Deyma, Redcap, jtxxqn, BotX, Horst, score, Static AI, Malicious PE, Detected, Sabsik, Phonzy, Artemis, ai score=80, kxJFejq2FbQ, EGTS) | ||
| md5 | 5e445faf7b08cf2ffcac7b38c5d70d5d | ||
| sha256 | 4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4 | ||
| ssdeep | 6144:IkwjBO99g6779r0psUhmiIuVyD2NgCJgN:1TrOh2uVyCNnS | ||
| imphash | dd0e4efabc62274a7cfb37b4b7a2951d | ||
| impfuzzy | 48:6xGX/dJGGOscpe2toS1CM6ZccgTg3IWSqzNWI:tX/CGdcpe2toS1CM6ZctV+v | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Installs itself for autorun at Windows startup |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process nbveek.exe |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x42e024 GetLastError
0x42e028 GetFileAttributesA
0x42e02c CreateFileA
0x42e030 CloseHandle
0x42e034 GetSystemInfo
0x42e038 CreateThread
0x42e03c HeapAlloc
0x42e040 GetThreadContext
0x42e044 GetProcAddress
0x42e048 VirtualAllocEx
0x42e04c CopyFileA
0x42e050 RemoveDirectoryA
0x42e054 ReadProcessMemory
0x42e058 GetProcessHeap
0x42e05c CreateProcessA
0x42e060 CreateDirectoryA
0x42e064 SetThreadContext
0x42e068 WriteConsoleW
0x42e06c ReadConsoleW
0x42e070 SetEndOfFile
0x42e074 HeapReAlloc
0x42e078 HeapSize
0x42e07c GetTempPathA
0x42e080 Sleep
0x42e084 SetCurrentDirectoryA
0x42e088 GetModuleHandleA
0x42e08c GetComputerNameExW
0x42e090 ResumeThread
0x42e094 GetVersionExW
0x42e098 CreateMutexW
0x42e09c VirtualAlloc
0x42e0a0 WriteFile
0x42e0a4 VirtualFree
0x42e0a8 HeapFree
0x42e0ac WriteProcessMemory
0x42e0b0 GetModuleFileNameA
0x42e0b4 LocalFree
0x42e0b8 ReadFile
0x42e0bc SetFilePointerEx
0x42e0c0 GetTimeZoneInformation
0x42e0c4 GetConsoleMode
0x42e0c8 GetConsoleCP
0x42e0cc FlushFileBuffers
0x42e0d0 GetStringTypeW
0x42e0d4 SetEnvironmentVariableW
0x42e0d8 FreeEnvironmentStringsW
0x42e0dc GetEnvironmentStringsW
0x42e0e0 WideCharToMultiByte
0x42e0e4 GetCPInfo
0x42e0e8 GetOEMCP
0x42e0ec GetACP
0x42e0f0 IsValidCodePage
0x42e0f4 FindNextFileW
0x42e0f8 FindFirstFileExW
0x42e0fc FindClose
0x42e100 SetStdHandle
0x42e104 GetFullPathNameW
0x42e108 GetCurrentDirectoryW
0x42e10c DeleteFileW
0x42e110 EnterCriticalSection
0x42e114 LeaveCriticalSection
0x42e118 InitializeCriticalSectionAndSpinCount
0x42e11c DeleteCriticalSection
0x42e120 SetEvent
0x42e124 ResetEvent
0x42e128 WaitForSingleObjectEx
0x42e12c CreateEventW
0x42e130 GetModuleHandleW
0x42e134 UnhandledExceptionFilter
0x42e138 SetUnhandledExceptionFilter
0x42e13c GetCurrentProcess
0x42e140 TerminateProcess
0x42e144 IsProcessorFeaturePresent
0x42e148 IsDebuggerPresent
0x42e14c GetStartupInfoW
0x42e150 QueryPerformanceCounter
0x42e154 GetCurrentProcessId
0x42e158 GetCurrentThreadId
0x42e15c GetSystemTimeAsFileTime
0x42e160 InitializeSListHead
0x42e164 RtlUnwind
0x42e168 RaiseException
0x42e16c SetLastError
0x42e170 EncodePointer
0x42e174 TlsAlloc
0x42e178 TlsGetValue
0x42e17c TlsSetValue
0x42e180 TlsFree
0x42e184 FreeLibrary
0x42e188 LoadLibraryExW
0x42e18c ExitProcess
0x42e190 GetModuleHandleExW
0x42e194 CreateFileW
0x42e198 GetDriveTypeW
0x42e19c GetFileInformationByHandle
0x42e1a0 GetFileType
0x42e1a4 PeekNamedPipe
0x42e1a8 SystemTimeToTzSpecificLocalTime
0x42e1ac FileTimeToSystemTime
0x42e1b0 GetModuleFileNameW
0x42e1b4 GetStdHandle
0x42e1b8 GetCommandLineA
0x42e1bc GetCommandLineW
0x42e1c0 MultiByteToWideChar
0x42e1c4 CompareStringW
0x42e1c8 LCMapStringW
0x42e1cc DecodePointer
ADVAPI32.dll
0x42e000 RegCloseKey
0x42e004 RegQueryValueExA
0x42e008 GetUserNameA
0x42e00c RegSetValueExA
0x42e010 RegOpenKeyExA
0x42e014 ConvertSidToStringSidW
0x42e018 GetUserNameW
0x42e01c LookupAccountNameW
SHELL32.dll
0x42e1d4 ShellExecuteA
0x42e1d8 None
0x42e1dc SHGetFolderPathA
WININET.dll
0x42e1e4 HttpOpenRequestA
0x42e1e8 InternetReadFile
0x42e1ec InternetConnectA
0x42e1f0 HttpSendRequestA
0x42e1f4 InternetCloseHandle
0x42e1f8 InternetOpenA
0x42e1fc InternetOpenW
0x42e200 InternetOpenUrlA
EAT(Export Address Table) is none
KERNEL32.dll
0x42e024 GetLastError
0x42e028 GetFileAttributesA
0x42e02c CreateFileA
0x42e030 CloseHandle
0x42e034 GetSystemInfo
0x42e038 CreateThread
0x42e03c HeapAlloc
0x42e040 GetThreadContext
0x42e044 GetProcAddress
0x42e048 VirtualAllocEx
0x42e04c CopyFileA
0x42e050 RemoveDirectoryA
0x42e054 ReadProcessMemory
0x42e058 GetProcessHeap
0x42e05c CreateProcessA
0x42e060 CreateDirectoryA
0x42e064 SetThreadContext
0x42e068 WriteConsoleW
0x42e06c ReadConsoleW
0x42e070 SetEndOfFile
0x42e074 HeapReAlloc
0x42e078 HeapSize
0x42e07c GetTempPathA
0x42e080 Sleep
0x42e084 SetCurrentDirectoryA
0x42e088 GetModuleHandleA
0x42e08c GetComputerNameExW
0x42e090 ResumeThread
0x42e094 GetVersionExW
0x42e098 CreateMutexW
0x42e09c VirtualAlloc
0x42e0a0 WriteFile
0x42e0a4 VirtualFree
0x42e0a8 HeapFree
0x42e0ac WriteProcessMemory
0x42e0b0 GetModuleFileNameA
0x42e0b4 LocalFree
0x42e0b8 ReadFile
0x42e0bc SetFilePointerEx
0x42e0c0 GetTimeZoneInformation
0x42e0c4 GetConsoleMode
0x42e0c8 GetConsoleCP
0x42e0cc FlushFileBuffers
0x42e0d0 GetStringTypeW
0x42e0d4 SetEnvironmentVariableW
0x42e0d8 FreeEnvironmentStringsW
0x42e0dc GetEnvironmentStringsW
0x42e0e0 WideCharToMultiByte
0x42e0e4 GetCPInfo
0x42e0e8 GetOEMCP
0x42e0ec GetACP
0x42e0f0 IsValidCodePage
0x42e0f4 FindNextFileW
0x42e0f8 FindFirstFileExW
0x42e0fc FindClose
0x42e100 SetStdHandle
0x42e104 GetFullPathNameW
0x42e108 GetCurrentDirectoryW
0x42e10c DeleteFileW
0x42e110 EnterCriticalSection
0x42e114 LeaveCriticalSection
0x42e118 InitializeCriticalSectionAndSpinCount
0x42e11c DeleteCriticalSection
0x42e120 SetEvent
0x42e124 ResetEvent
0x42e128 WaitForSingleObjectEx
0x42e12c CreateEventW
0x42e130 GetModuleHandleW
0x42e134 UnhandledExceptionFilter
0x42e138 SetUnhandledExceptionFilter
0x42e13c GetCurrentProcess
0x42e140 TerminateProcess
0x42e144 IsProcessorFeaturePresent
0x42e148 IsDebuggerPresent
0x42e14c GetStartupInfoW
0x42e150 QueryPerformanceCounter
0x42e154 GetCurrentProcessId
0x42e158 GetCurrentThreadId
0x42e15c GetSystemTimeAsFileTime
0x42e160 InitializeSListHead
0x42e164 RtlUnwind
0x42e168 RaiseException
0x42e16c SetLastError
0x42e170 EncodePointer
0x42e174 TlsAlloc
0x42e178 TlsGetValue
0x42e17c TlsSetValue
0x42e180 TlsFree
0x42e184 FreeLibrary
0x42e188 LoadLibraryExW
0x42e18c ExitProcess
0x42e190 GetModuleHandleExW
0x42e194 CreateFileW
0x42e198 GetDriveTypeW
0x42e19c GetFileInformationByHandle
0x42e1a0 GetFileType
0x42e1a4 PeekNamedPipe
0x42e1a8 SystemTimeToTzSpecificLocalTime
0x42e1ac FileTimeToSystemTime
0x42e1b0 GetModuleFileNameW
0x42e1b4 GetStdHandle
0x42e1b8 GetCommandLineA
0x42e1bc GetCommandLineW
0x42e1c0 MultiByteToWideChar
0x42e1c4 CompareStringW
0x42e1c8 LCMapStringW
0x42e1cc DecodePointer
ADVAPI32.dll
0x42e000 RegCloseKey
0x42e004 RegQueryValueExA
0x42e008 GetUserNameA
0x42e00c RegSetValueExA
0x42e010 RegOpenKeyExA
0x42e014 ConvertSidToStringSidW
0x42e018 GetUserNameW
0x42e01c LookupAccountNameW
SHELL32.dll
0x42e1d4 ShellExecuteA
0x42e1d8 None
0x42e1dc SHGetFolderPathA
WININET.dll
0x42e1e4 HttpOpenRequestA
0x42e1e8 InternetReadFile
0x42e1ec InternetConnectA
0x42e1f0 HttpSendRequestA
0x42e1f4 InternetCloseHandle
0x42e1f8 InternetOpenA
0x42e1fc InternetOpenW
0x42e200 InternetOpenUrlA
EAT(Export Address Table) is none