Field | Value
---|---
Created | 2023.10.17 16:58
Machine | s1_win7_x6403
Filename | angel.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : malware
VT API (file) | 25 detected (AIDetectMalware, malicious, high confidence, Artemis, Attribute, HighConfidence, score, XPACK, Gen5, AMADEY, YXDJQZ, Znyonm, unsafe, Chgt, Generic@AI, RDML, KcSBnkbtowlBEJEBLtZA, Static AI, Malicious PE, ZexaF, AH0@aaOZjJfi, confidence, 100%)
md5 | a6f75b1e5f8b4265869f7e5bdcaa3314
sha256 | a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a
ssdeep | 24576:m1W8VSHsqxNkHROM62DbJByw9mgIkBKMAyisV5+n2n3dcCwSl/JRFIvx:W3SMAAlVD+w9RIk0MA1sEOcCbl/Jsx
imphash | 8012fe0c67d93ad97108363904afaf97
impfuzzy | 24:ODoQEI+Z0HOov4a/Kw8Rnlyv95/J3JKeT4y3WxOaNTcKdba09ESKhkFdAR:xZ0uo/KPK97/cyGvKKd209XKCFGR
Network IP location
Signature (18 cnts)
Level | Description |
---|---|
warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Collects information about installed applications |
watch | Detects Virtual Machines through their custom firmware |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (5 cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x42c21c VirtualProtect
0x42c220 GetProcAddress
0x42c224 LoadLibraryA
0x42c228 HeapAlloc
0x42c22c GetProcessHeap
0x42c230 GetSystemTimeAsFileTime
0x42c234 VirtualAlloc
0x42c238 LockResource
0x42c23c SizeofResource
0x42c240 LoadResource
0x42c244 FindResourceW
0x42c248 GetModuleHandleW
0x42c24c EnumSystemLocalesA
0x42c250 GetLocaleInfoA
0x42c254 GetUserDefaultLCID
0x42c258 HeapReAlloc
0x42c25c GetStringTypeW
0x42c260 MultiByteToWideChar
0x42c264 LCMapStringW
0x42c268 RtlUnwind
0x42c26c GetCommandLineA
0x42c270 HeapSetInformation
0x42c274 GetStartupInfoW
0x42c278 EncodePointer
0x42c27c IsProcessorFeaturePresent
0x42c280 DecodePointer
0x42c284 RaiseException
0x42c288 SetUnhandledExceptionFilter
0x42c28c ExitProcess
0x42c290 WriteFile
0x42c294 GetStdHandle
0x42c298 GetModuleFileNameW
0x42c29c GetModuleFileNameA
0x42c2a0 FreeEnvironmentStringsW
0x42c2a4 WideCharToMultiByte
0x42c2a8 GetEnvironmentStringsW
0x42c2ac SetHandleCount
0x42c2b0 InitializeCriticalSectionAndSpinCount
0x42c2b4 GetFileType
0x42c2b8 DeleteCriticalSection
0x42c2bc TlsAlloc
0x42c2c0 TlsGetValue
0x42c2c4 TlsSetValue
0x42c2c8 TlsFree
0x42c2cc InterlockedIncrement
0x42c2d0 SetLastError
0x42c2d4 GetCurrentThreadId
0x42c2d8 GetLastError
0x42c2dc InterlockedDecrement
0x42c2e0 GetCurrentThread
0x42c2e4 HeapCreate
0x42c2e8 HeapDestroy
0x42c2ec QueryPerformanceCounter
0x42c2f0 GetTickCount
0x42c2f4 GetCurrentProcessId
0x42c2f8 GetCPInfo
0x42c2fc GetACP
0x42c300 GetOEMCP
0x42c304 IsValidCodePage
0x42c308 UnhandledExceptionFilter
0x42c30c IsDebuggerPresent
0x42c310 TerminateProcess
0x42c314 GetCurrentProcess
0x42c318 HeapFree
0x42c31c Sleep
0x42c320 HeapSize
0x42c324 LeaveCriticalSection
0x42c328 FatalAppExitA
0x42c32c EnterCriticalSection
0x42c330 SetConsoleCtrlHandler
0x42c334 FreeLibrary
0x42c338 InterlockedExchange
0x42c33c LoadLibraryW
0x42c340 GetLocaleInfoW
0x42c344 IsValidLocale
USER32.dll
0x42c3b0 RegisterClassExW
0x42c3b4 CreateWindowExW
0x42c3b8 ShowWindow
0x42c3bc UpdateWindow
0x42c3c0 GetMessageW
0x42c3c4 TranslateMessage
0x42c3c8 DispatchMessageW
EAT (Export Address Table): none