ScreenShot
Field | Value |
---|---|
Created | 2023.03.05 05:25 |
Machine | s1_win7_x6402 |
Filename | LEMON.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | |
md5 | 6d5f74f263d5ab9b0e3315b495eb72d5 |
sha256 | 91ae44bd5a35834354cc69c2e04f9260cbf7025d18ec59af558f4213b81d7403 |
ssdeep | 3072:bwevYpKTDMDUKfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8mlu3wB4HzlrzPOefxoEBK7 |
imphash | f214c5f744673db93dec4b219265fbc2 |
impfuzzy | 24:d0VpkNmD6tVP4JNu2ffOovyNJKh4XDxvelEu7XZjtNVcxjMHArdAFyDzgbT4wx3x:UpUmD4NsW8yeeu7dt7c4ArGF/bT/3IE/ |
Network IP location
Signature (11 counts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (36 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Network_Downloader | File Downloader | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40e03c GetLastError
0x40e040 CloseHandle
0x40e044 IsBadStringPtrA
0x40e048 IsBadCodePtr
0x40e04c GetModuleHandleA
0x40e050 GetQueuedCompletionStatus
0x40e054 FlushFileBuffers
0x40e058 HeapSize
0x40e05c WriteConsoleW
0x40e060 SetStdHandle
0x40e064 RtlUnwind
0x40e068 IsBadReadPtr
0x40e06c VirtualQuery
0x40e070 GetSystemInfo
0x40e074 CreateIoCompletionPort
0x40e078 HeapDestroy
0x40e07c GetProcessHeap
0x40e080 HeapCreate
0x40e084 ExitProcess
0x40e088 GetTickCount
0x40e08c lstrlenA
0x40e090 HeapReAlloc
0x40e094 HeapFree
0x40e098 HeapAlloc
0x40e09c InterlockedIncrement
0x40e0a0 LoadLibraryW
0x40e0a4 OutputDebugStringW
0x40e0a8 LoadLibraryExW
0x40e0ac LCMapStringEx
0x40e0b0 GetStringTypeW
0x40e0b4 GetCommandLineA
0x40e0b8 IsDebuggerPresent
0x40e0bc EncodePointer
0x40e0c0 DecodePointer
0x40e0c4 IsProcessorFeaturePresent
0x40e0c8 SetLastError
0x40e0cc InterlockedDecrement
0x40e0d0 GetCurrentThreadId
0x40e0d4 IsValidCodePage
0x40e0d8 GetACP
0x40e0dc GetOEMCP
0x40e0e0 GetCPInfo
0x40e0e4 MultiByteToWideChar
0x40e0e8 GetModuleHandleExW
0x40e0ec GetProcAddress
0x40e0f0 GetStdHandle
0x40e0f4 WriteFile
0x40e0f8 GetModuleFileNameW
0x40e0fc GetFileType
0x40e100 InitializeCriticalSectionAndSpinCount
0x40e104 DeleteCriticalSection
0x40e108 InitOnceExecuteOnce
0x40e10c GetStartupInfoW
0x40e110 GetModuleFileNameA
0x40e114 QueryPerformanceCounter
0x40e118 GetSystemTimeAsFileTime
0x40e11c GetTickCount64
0x40e120 GetEnvironmentStringsW
0x40e124 FreeEnvironmentStringsW
0x40e128 WideCharToMultiByte
0x40e12c UnhandledExceptionFilter
0x40e130 SetUnhandledExceptionFilter
0x40e134 FlsAlloc
0x40e138 FlsGetValue
0x40e13c FlsSetValue
0x40e140 FlsFree
0x40e144 GetCurrentProcess
0x40e148 TerminateProcess
0x40e14c GetModuleHandleW
0x40e150 EnterCriticalSection
0x40e154 LeaveCriticalSection
0x40e158 GetConsoleCP
0x40e15c GetConsoleMode
0x40e160 SetFilePointerEx
0x40e164 Sleep
0x40e168 CreateFileW
USER32.dll
0x40e18c DrawTextW
0x40e190 TranslateMessage
0x40e194 GetMessageW
0x40e198 DispatchMessageW
GDI32.dll
0x40e00c CreateCompatibleDC
0x40e010 SelectPalette
0x40e014 CreatePen
0x40e018 DeleteObject
0x40e01c SetROP2
0x40e020 BitBlt
0x40e024 CreateRectRgn
0x40e028 PathToRegion
0x40e02c CreateCompatibleBitmap
0x40e030 CreateBitmap
0x40e034 DeleteDC
ADVAPI32.dll
0x40e000 GetUserNameW
0x40e004 IsTextUnicode
SHELL32.dll
0x40e170 CommandLineToArgvW
0x40e174 SHGetFolderPathW
0x40e178 SHGetSpecialFolderPathW
ole32.dll
0x40e1ac CoUninitialize
0x40e1b0 CoInitialize
0x40e1b4 CoTaskMemFree
0x40e1b8 CoCreateInstance
SHLWAPI.dll
0x40e180 PathCompactPathExW
0x40e184 PathMakeSystemFolderW
WINMM.dll
0x40e1a0 PlaySoundW
0x40e1a4 waveOutGetNumDevs
EAT (Export Address Table): none