ScreenShot
| Created | 2023.09.11 17:59 | Machine | s1_win7_x6402 |
| Filename | Document.pdf.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 51 detected (AIDetectMalware, Injurer, malicious, high confidence, score, GenericKDZ, unsafe, Kryptik, Vi1w, confidence, 100%, GenusT, DQZL, Eldorado, Attribute, HighConfidence, GenKryptik, GNPB, jzopyb, Gencirc, Krypt, Nekark, azngh, Inject4, LUMMASTEALER, YXDIIZ, Sabsik, CCAK, IXOKYQ, Detected, Injection, R604264, ai score=89, MysticStealer, GdSda, Stealerc, NwBlA3L3cWV, Static AI, Suspicious PE, susgen, ZexaF, LyW@a8mWnFhi) | ||
| md5 | ef9728a0916c18e4f90b6b32798dd564 | ||
| sha256 | 053b71bdb52ee7aa00dd3a7e91c7bd134ebde2336b473cc729413b87f0a6b446 | ||
| ssdeep | 12288:EBLHkCA16BInLyl+GbRoBhV40o3u5jP4yJLcwqQfIpQO7yra7Q8QZ:EBICImUml+OyBz4Du54qLlqDQiyra7XE | ||
| imphash | 431b9eee3827e493b6144e5f38c219a4 | ||
| impfuzzy | 24:1tMS1+GhlJeDc+pl3eDoLoEOovbO3kPvRRZHu9oGMf:1tMS1+GOc+ppXc30n7 | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Collects information about installed applications |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (5cnts) ?
Suricata ids
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x417000 UnhandledExceptionFilter
0x417004 SetUnhandledExceptionFilter
0x417008 GetCurrentProcess
0x41700c TerminateProcess
0x417010 IsProcessorFeaturePresent
0x417014 QueryPerformanceCounter
0x417018 GetCurrentProcessId
0x41701c GetCurrentThreadId
0x417020 GetSystemTimeAsFileTime
0x417024 InitializeSListHead
0x417028 IsDebuggerPresent
0x41702c GetStartupInfoW
0x417030 GetModuleHandleW
0x417034 WriteConsoleW
0x417038 RaiseException
0x41703c RtlUnwind
0x417040 GetLastError
0x417044 SetLastError
0x417048 EncodePointer
0x41704c EnterCriticalSection
0x417050 LeaveCriticalSection
0x417054 DeleteCriticalSection
0x417058 InitializeCriticalSectionAndSpinCount
0x41705c TlsAlloc
0x417060 TlsGetValue
0x417064 TlsSetValue
0x417068 TlsFree
0x41706c FreeLibrary
0x417070 GetProcAddress
0x417074 LoadLibraryExW
0x417078 GetStdHandle
0x41707c WriteFile
0x417080 GetModuleFileNameW
0x417084 ExitProcess
0x417088 GetModuleHandleExW
0x41708c GetCommandLineA
0x417090 GetCommandLineW
0x417094 HeapAlloc
0x417098 HeapFree
0x41709c CompareStringW
0x4170a0 LCMapStringW
0x4170a4 GetFileType
0x4170a8 FindClose
0x4170ac FindFirstFileExW
0x4170b0 FindNextFileW
0x4170b4 IsValidCodePage
0x4170b8 GetACP
0x4170bc GetOEMCP
0x4170c0 GetCPInfo
0x4170c4 MultiByteToWideChar
0x4170c8 WideCharToMultiByte
0x4170cc GetEnvironmentStringsW
0x4170d0 FreeEnvironmentStringsW
0x4170d4 SetEnvironmentVariableW
0x4170d8 SetStdHandle
0x4170dc GetStringTypeW
0x4170e0 GetProcessHeap
0x4170e4 FlushFileBuffers
0x4170e8 GetConsoleOutputCP
0x4170ec GetConsoleMode
0x4170f0 GetFileSizeEx
0x4170f4 SetFilePointerEx
0x4170f8 HeapSize
0x4170fc HeapReAlloc
0x417100 CloseHandle
0x417104 CreateFileW
0x417108 DecodePointer
EAT(Export Address Table) is none
KERNEL32.dll
0x417000 UnhandledExceptionFilter
0x417004 SetUnhandledExceptionFilter
0x417008 GetCurrentProcess
0x41700c TerminateProcess
0x417010 IsProcessorFeaturePresent
0x417014 QueryPerformanceCounter
0x417018 GetCurrentProcessId
0x41701c GetCurrentThreadId
0x417020 GetSystemTimeAsFileTime
0x417024 InitializeSListHead
0x417028 IsDebuggerPresent
0x41702c GetStartupInfoW
0x417030 GetModuleHandleW
0x417034 WriteConsoleW
0x417038 RaiseException
0x41703c RtlUnwind
0x417040 GetLastError
0x417044 SetLastError
0x417048 EncodePointer
0x41704c EnterCriticalSection
0x417050 LeaveCriticalSection
0x417054 DeleteCriticalSection
0x417058 InitializeCriticalSectionAndSpinCount
0x41705c TlsAlloc
0x417060 TlsGetValue
0x417064 TlsSetValue
0x417068 TlsFree
0x41706c FreeLibrary
0x417070 GetProcAddress
0x417074 LoadLibraryExW
0x417078 GetStdHandle
0x41707c WriteFile
0x417080 GetModuleFileNameW
0x417084 ExitProcess
0x417088 GetModuleHandleExW
0x41708c GetCommandLineA
0x417090 GetCommandLineW
0x417094 HeapAlloc
0x417098 HeapFree
0x41709c CompareStringW
0x4170a0 LCMapStringW
0x4170a4 GetFileType
0x4170a8 FindClose
0x4170ac FindFirstFileExW
0x4170b0 FindNextFileW
0x4170b4 IsValidCodePage
0x4170b8 GetACP
0x4170bc GetOEMCP
0x4170c0 GetCPInfo
0x4170c4 MultiByteToWideChar
0x4170c8 WideCharToMultiByte
0x4170cc GetEnvironmentStringsW
0x4170d0 FreeEnvironmentStringsW
0x4170d4 SetEnvironmentVariableW
0x4170d8 SetStdHandle
0x4170dc GetStringTypeW
0x4170e0 GetProcessHeap
0x4170e4 FlushFileBuffers
0x4170e8 GetConsoleOutputCP
0x4170ec GetConsoleMode
0x4170f0 GetFileSizeEx
0x4170f4 SetFilePointerEx
0x4170f8 HeapSize
0x4170fc HeapReAlloc
0x417100 CloseHandle
0x417104 CreateFileW
0x417108 DecodePointer
EAT(Export Address Table) is none