ScreenShot
| Created | 2023.05.30 15:15 | Machine | s1_win7_x6401 |
| Filename | kds7uq5kknv.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 50 detected (AIDetectMalware, GenericKD, Save, ZexaF, cEW@aiXeIDli, Genus, ABRisk, WFBI, Attribute, HighConfidence, malicious, high confidence, Kryptik, HSNW, score, Lazy, Gencirc, Nekark, naesy, AMADEY, YXDEXZ, high, Static AI, Malicious PE, Detected, TrojanPSW, Lumma, ai score=84, unsafe, Convagent, 3HahcDVvmbM, HTLQ, Chgt, confidence, 100%) | ||
| md5 | 433dbed8a7afbf15bfee967c63a50769 | ||
| sha256 | 6c5cff00451680070af8daca0a59ee6a6f467f6b3152f60de6cec6cdcb9cf601 | ||
| ssdeep | 12288:8+GMPjZBXBlm7PRfbjn9pmhpeXN9wqdOlt:VP7QPRz/mhpK4 | ||
| imphash | 1760ca228d5e3c2945fdc472a803bed4 | ||
| impfuzzy | 24:OFAcpVWZYtMS1IGhlJBlCDoLoEOovbO3kFZMvtGMA+EZHu9n:OFAcpVeYtMS1IGnVc30FZG9 | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Virtual Machines through their custom firmware |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
SURICATA HTTP unable to match response to request
SURICATA HTTP unable to match response to request
PE API
IAT(Import Address Table) Library
SHELL32.dll
0x42313c None
0x423140 None
USER32.dll
0x423148 DdeQueryNextServer
KERNEL32.dll
0x423000 FreeLibrary
0x423004 CreateFileW
0x423008 HeapSize
0x42300c ReadConsoleW
0x423010 GetProcessHeap
0x423014 GetDateFormatEx
0x423018 GetModuleHandleA
0x42301c FreeConsole
0x423020 MultiByteToWideChar
0x423024 GetStringTypeW
0x423028 WideCharToMultiByte
0x42302c EnterCriticalSection
0x423030 LeaveCriticalSection
0x423034 InitializeCriticalSectionEx
0x423038 DeleteCriticalSection
0x42303c EncodePointer
0x423040 DecodePointer
0x423044 LCMapStringEx
0x423048 GetCPInfo
0x42304c UnhandledExceptionFilter
0x423050 SetUnhandledExceptionFilter
0x423054 GetCurrentProcess
0x423058 TerminateProcess
0x42305c IsProcessorFeaturePresent
0x423060 QueryPerformanceCounter
0x423064 GetCurrentProcessId
0x423068 GetCurrentThreadId
0x42306c GetSystemTimeAsFileTime
0x423070 InitializeSListHead
0x423074 IsDebuggerPresent
0x423078 GetStartupInfoW
0x42307c GetModuleHandleW
0x423080 SetStdHandle
0x423084 RaiseException
0x423088 RtlUnwind
0x42308c GetLastError
0x423090 SetLastError
0x423094 InitializeCriticalSectionAndSpinCount
0x423098 TlsAlloc
0x42309c TlsGetValue
0x4230a0 TlsSetValue
0x4230a4 TlsFree
0x4230a8 WriteConsoleW
0x4230ac GetProcAddress
0x4230b0 LoadLibraryExW
0x4230b4 GetStdHandle
0x4230b8 WriteFile
0x4230bc GetModuleFileNameW
0x4230c0 ExitProcess
0x4230c4 GetModuleHandleExW
0x4230c8 GetCommandLineA
0x4230cc GetCommandLineW
0x4230d0 HeapAlloc
0x4230d4 HeapFree
0x4230d8 CompareStringW
0x4230dc LCMapStringW
0x4230e0 GetLocaleInfoW
0x4230e4 IsValidLocale
0x4230e8 GetUserDefaultLCID
0x4230ec EnumSystemLocalesW
0x4230f0 GetFileType
0x4230f4 GetFileSizeEx
0x4230f8 SetFilePointerEx
0x4230fc CloseHandle
0x423100 FlushFileBuffers
0x423104 GetConsoleOutputCP
0x423108 GetConsoleMode
0x42310c ReadFile
0x423110 HeapReAlloc
0x423114 FindClose
0x423118 FindFirstFileExW
0x42311c FindNextFileW
0x423120 IsValidCodePage
0x423124 GetACP
0x423128 GetOEMCP
0x42312c GetEnvironmentStringsW
0x423130 FreeEnvironmentStringsW
0x423134 SetEnvironmentVariableW
EAT(Export Address Table) is none
SHELL32.dll
0x42313c None
0x423140 None
USER32.dll
0x423148 DdeQueryNextServer
KERNEL32.dll
0x423000 FreeLibrary
0x423004 CreateFileW
0x423008 HeapSize
0x42300c ReadConsoleW
0x423010 GetProcessHeap
0x423014 GetDateFormatEx
0x423018 GetModuleHandleA
0x42301c FreeConsole
0x423020 MultiByteToWideChar
0x423024 GetStringTypeW
0x423028 WideCharToMultiByte
0x42302c EnterCriticalSection
0x423030 LeaveCriticalSection
0x423034 InitializeCriticalSectionEx
0x423038 DeleteCriticalSection
0x42303c EncodePointer
0x423040 DecodePointer
0x423044 LCMapStringEx
0x423048 GetCPInfo
0x42304c UnhandledExceptionFilter
0x423050 SetUnhandledExceptionFilter
0x423054 GetCurrentProcess
0x423058 TerminateProcess
0x42305c IsProcessorFeaturePresent
0x423060 QueryPerformanceCounter
0x423064 GetCurrentProcessId
0x423068 GetCurrentThreadId
0x42306c GetSystemTimeAsFileTime
0x423070 InitializeSListHead
0x423074 IsDebuggerPresent
0x423078 GetStartupInfoW
0x42307c GetModuleHandleW
0x423080 SetStdHandle
0x423084 RaiseException
0x423088 RtlUnwind
0x42308c GetLastError
0x423090 SetLastError
0x423094 InitializeCriticalSectionAndSpinCount
0x423098 TlsAlloc
0x42309c TlsGetValue
0x4230a0 TlsSetValue
0x4230a4 TlsFree
0x4230a8 WriteConsoleW
0x4230ac GetProcAddress
0x4230b0 LoadLibraryExW
0x4230b4 GetStdHandle
0x4230b8 WriteFile
0x4230bc GetModuleFileNameW
0x4230c0 ExitProcess
0x4230c4 GetModuleHandleExW
0x4230c8 GetCommandLineA
0x4230cc GetCommandLineW
0x4230d0 HeapAlloc
0x4230d4 HeapFree
0x4230d8 CompareStringW
0x4230dc LCMapStringW
0x4230e0 GetLocaleInfoW
0x4230e4 IsValidLocale
0x4230e8 GetUserDefaultLCID
0x4230ec EnumSystemLocalesW
0x4230f0 GetFileType
0x4230f4 GetFileSizeEx
0x4230f8 SetFilePointerEx
0x4230fc CloseHandle
0x423100 FlushFileBuffers
0x423104 GetConsoleOutputCP
0x423108 GetConsoleMode
0x42310c ReadFile
0x423110 HeapReAlloc
0x423114 FindClose
0x423118 FindFirstFileExW
0x42311c FindNextFileW
0x423120 IsValidCodePage
0x423124 GetACP
0x423128 GetOEMCP
0x42312c GetEnvironmentStringsW
0x423130 FreeEnvironmentStringsW
0x423134 SetEnvironmentVariableW
EAT(Export Address Table) is none