popup

Report - fronttechnologicalprores.exe

Lumma Gen1 Emotet Malicious Library .NET framework(MSIL) UPX Http API ScreenShot Internet API AntiDebug AntiVM PE File PE64 CAB MSOffice File PNG Format .NET EXE JPEG Format PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.16 11:20 Machine s1_win7_x6403
Filename fronttechnologicalprores.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score
5
 Behavior Score
22.2
ZERO API file : clean
VT API (file) 45 detected (AIDetectMalware, Blocker, GenericKD, unsafe, Attribute, HighConfidence, malicious, high confidence, score, Seraph, kcgjlv, DropperX, Ader, Ymhl, potgx, DownLoaderNET, R002C0DJE23, high, GenKD, Eldorado, nbtiy, Vigorf, Detected, Artemis, ai score=86, CLOUD, Static AI, Malicious SFX, PossibleThreat, confidence, 100%)
md5 5a0d618b0f8ed5b550a811e4b1afdf48
sha256 1dcbdb53d1b2096126c1515c1078614ca4c05e43674cc57ac6bea182c654afe5
ssdeep 6144:EeR7eammrMaBn+4JtrLN9YJR3Oxm+oZjXapLLPgxiBerXBxzwCYXmfZ3iIfd:EeRtBrMa9+4JdIJRRAP+XrzlYKfd
imphash 4cea7ae85c87ddc7295d39ff9cda31d1
impfuzzy 48:mPkNSpUOU4iLeyMuM9QBt3S1W8KEl4LTFGACupNXR6x9pg1go5E95dSva5pUrz+L:ikmUZ4iLfMuMqBt3S1WwfSbmaeGipT
  Network IP location

Signature (48cnts)

Level Description
danger File has been identified by 45 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch A process attempted to delay the analysis task.
watch Allocates execute permission to another process indicative of possible code injection
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Attempts to create or modify system certificates
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Deletes executed files from disk
watch Detects Virtual Machines through their custom firmware
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
watch Manipulates memory of a non-child process indicative of process injection
watch Network activity contains more than one unique useragent
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (30cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice ScreenShot Take ScreenShot memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info CAB_file_format CAB archive file binaries (download)
info CAB_file_format CAB archive file binaries (upload)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE64 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info JPEG_Format_Zero JPEG Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://manguvorpmi.pw/api
whois
US CLOUDFLARENET 104.21.95.127 37127 mailcious
http://172.86.98.101/xs12pro/Chogy.vdf
whois
CA QUICKPACKET 172.86.98.101 37111 mailcious
http://172.86.98.101/xs12pro/Qtpdugpzq.mp3
whois
CA QUICKPACKET 172.86.98.101 37111 mailcious
manguvorpmi.pw
whois
US CLOUDFLARENET 104.21.95.127 mailcious
iplogger.com
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
172.86.98.101
whois
CA QUICKPACKET 172.86.98.101 mailcious
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
104.21.95.127
whois
US CLOUDFLARENET 104.21.95.127 mailcious

Suricata ids

ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET INFO HTTP Request to a *.pw domain
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET DNS Query to a *.pw domain - Likely Hostile

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
 0x140009150 GetTokenInformation
 0x140009158 RegDeleteValueA
 0x140009160 RegOpenKeyExA
 0x140009168 RegQueryInfoKeyA
 0x140009170 FreeSid
 0x140009178 OpenProcessToken
 0x140009180 RegSetValueExA
 0x140009188 RegCreateKeyExA
 0x140009190 LookupPrivilegeValueA
 0x140009198 AllocateAndInitializeSid
 0x1400091a0 RegQueryValueExA
 0x1400091a8 EqualSid
 0x1400091b0 RegCloseKey
 0x1400091b8 AdjustTokenPrivileges
KERNEL32.dll
 0x140009210 _lopen
 0x140009218 _llseek
 0x140009220 CompareStringA
 0x140009228 GetLastError
 0x140009230 GetFileAttributesA
 0x140009238 GetSystemDirectoryA
 0x140009240 LoadLibraryA
 0x140009248 DeleteFileA
 0x140009250 GlobalAlloc
 0x140009258 GlobalFree
 0x140009260 CloseHandle
 0x140009268 WritePrivateProfileStringA
 0x140009270 IsDBCSLeadByte
 0x140009278 GetWindowsDirectoryA
 0x140009280 SetFileAttributesA
 0x140009288 GetProcAddress
 0x140009290 GlobalLock
 0x140009298 LocalFree
 0x1400092a0 RemoveDirectoryA
 0x1400092a8 FreeLibrary
 0x1400092b0 _lclose
 0x1400092b8 CreateDirectoryA
 0x1400092c0 GetPrivateProfileIntA
 0x1400092c8 GetPrivateProfileStringA
 0x1400092d0 GlobalUnlock
 0x1400092d8 ReadFile
 0x1400092e0 SizeofResource
 0x1400092e8 WriteFile
 0x1400092f0 GetDriveTypeA
 0x1400092f8 LoadLibraryExA
 0x140009300 SetFileTime
 0x140009308 SetFilePointer
 0x140009310 FindResourceA
 0x140009318 CreateMutexA
 0x140009320 GetVolumeInformationA
 0x140009328 WaitForSingleObject
 0x140009330 GetCurrentDirectoryA
 0x140009338 FreeResource
 0x140009340 GetVersion
 0x140009348 SetCurrentDirectoryA
 0x140009350 GetTempPathA
 0x140009358 LocalFileTimeToFileTime
 0x140009360 CreateFileA
 0x140009368 SetEvent
 0x140009370 TerminateThread
 0x140009378 GetVersionExA
 0x140009380 LockResource
 0x140009388 GetSystemInfo
 0x140009390 CreateThread
 0x140009398 ResetEvent
 0x1400093a0 LoadResource
 0x1400093a8 ExitProcess
 0x1400093b0 GetModuleHandleW
 0x1400093b8 CreateProcessA
 0x1400093c0 FormatMessageA
 0x1400093c8 GetTempFileNameA
 0x1400093d0 DosDateTimeToFileTime
 0x1400093d8 CreateEventA
 0x1400093e0 GetExitCodeProcess
 0x1400093e8 ExpandEnvironmentStringsA
 0x1400093f0 LocalAlloc
 0x1400093f8 lstrcmpA
 0x140009400 FindNextFileA
 0x140009408 GetCurrentProcess
 0x140009410 FindFirstFileA
 0x140009418 GetModuleFileNameA
 0x140009420 GetShortPathNameA
 0x140009428 Sleep
 0x140009430 GetStartupInfoW
 0x140009438 RtlCaptureContext
 0x140009440 RtlLookupFunctionEntry
 0x140009448 RtlVirtualUnwind
 0x140009450 UnhandledExceptionFilter
 0x140009458 SetUnhandledExceptionFilter
 0x140009460 TerminateProcess
 0x140009468 QueryPerformanceCounter
 0x140009470 GetCurrentProcessId
 0x140009478 GetCurrentThreadId
 0x140009480 GetSystemTimeAsFileTime
 0x140009488 GetTickCount
 0x140009490 EnumResourceLanguagesA
 0x140009498 GetDiskFreeSpaceA
 0x1400094a0 MulDiv
 0x1400094a8 FindClose
GDI32.dll
 0x140009200 GetDeviceCaps
USER32.dll
 0x1400094b8 ShowWindow
 0x1400094c0 MsgWaitForMultipleObjects
 0x1400094c8 SetWindowPos
 0x1400094d0 GetDC
 0x1400094d8 GetWindowRect
 0x1400094e0 DispatchMessageA
 0x1400094e8 GetSystemMetrics
 0x1400094f0 CallWindowProcA
 0x1400094f8 SetWindowTextA
 0x140009500 MessageBoxA
 0x140009508 SendDlgItemMessageA
 0x140009510 SendMessageA
 0x140009518 GetDlgItem
 0x140009520 DialogBoxIndirectParamA
 0x140009528 GetWindowLongPtrA
 0x140009530 SetWindowLongPtrA
 0x140009538 SetForegroundWindow
 0x140009540 ReleaseDC
 0x140009548 EnableWindow
 0x140009550 CharNextA
 0x140009558 LoadStringA
 0x140009560 CharPrevA
 0x140009568 EndDialog
 0x140009570 MessageBeep
 0x140009578 ExitWindowsEx
 0x140009580 SetDlgItemTextA
 0x140009588 CharUpperA
 0x140009590 GetDesktopWindow
 0x140009598 PeekMessageA
 0x1400095a0 GetDlgItemTextA
msvcrt.dll
 0x1400095d0 ?terminate@@YAXXZ
 0x1400095d8 _commode
 0x1400095e0 _fmode
 0x1400095e8 _acmdln
 0x1400095f0 __C_specific_handler
 0x1400095f8 memset
 0x140009600 __setusermatherr
 0x140009608 _ismbblead
 0x140009610 _cexit
 0x140009618 _exit
 0x140009620 exit
 0x140009628 __set_app_type
 0x140009630 __getmainargs
 0x140009638 _amsg_exit
 0x140009640 _XcptFilter
 0x140009648 memcpy_s
 0x140009650 _vsnprintf
 0x140009658 _initterm
 0x140009660 memcpy
COMCTL32.dll
 0x1400091c8 None
Cabinet.dll
 0x1400091d8 None
 0x1400091e0 None
 0x1400091e8 None
 0x1400091f0 None
VERSION.dll
 0x1400095b0 VerQueryValueA
 0x1400095b8 GetFileVersionInfoSizeA
 0x1400095c0 GetFileVersionInfoA

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure