ScreenShot
| Created | 2023.10.24 07:51 | Machine | s1_win7_x6403 |
| Filename | angi.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 37 detected (AIDetectMalware, Injuke, malicious, moderate confidence, GenericKD, a variant of Generik, EOSWKLX, iqoo, DropperX, Ltgl, LUMMASTEALER, YXDJVZ, GenKD, Detected, ai score=87, Phonzy, Casdet, ABRisk, DYXR, Artemis, unsafe, Chgt, Undefined, CLOUD, PossibleThreat) | ||
| md5 | f281b31a99932f0d6c1fa3dd0649a36a | ||
| sha256 | 29d9f955b553825fb23351f9daa7d4d0647153073e0d1465f24e674d6378ba06 | ||
| ssdeep | 24576:t2dY5PVbHkHp3o6IoiEb7orLa9aCAQgaHEddMVmzut7BTF77l//ugU:dPVIo6iE/8LaoCAQgaHUMVmzutdRHNW | ||
| imphash | e59505c79d4688c593036694a0abccfd | ||
| impfuzzy | 24:C+fcW1luuqtqO0J3XvtuyIlyv/DkFHOT4TZArjMZak:C+fchu8NsftyKQ4cTZj | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140146000 CreateProcessA
0x140146008 WideCharToMultiByte
0x140146010 MultiByteToWideChar
0x140146018 Sleep
0x140146020 InitializeCriticalSection
0x140146028 DeleteCriticalSection
0x140146030 EnterCriticalSection
0x140146038 LeaveCriticalSection
0x140146040 EncodePointer
0x140146048 DecodePointer
0x140146050 GetSystemTimeAsFileTime
0x140146058 GetLastError
0x140146060 HeapFree
0x140146068 RaiseException
0x140146070 RtlPcToFileHeader
0x140146078 RtlLookupFunctionEntry
0x140146080 RtlUnwindEx
0x140146088 GetCommandLineW
0x140146090 GetStartupInfoW
0x140146098 GetCPInfo
0x1401460a0 HeapAlloc
0x1401460a8 LCMapStringW
0x1401460b0 HeapSetInformation
0x1401460b8 GetVersion
0x1401460c0 HeapCreate
0x1401460c8 FlsGetValue
0x1401460d0 FlsSetValue
0x1401460d8 FlsFree
0x1401460e0 SetLastError
0x1401460e8 GetCurrentThreadId
0x1401460f0 FlsAlloc
0x1401460f8 TerminateProcess
0x140146100 GetCurrentProcess
0x140146108 UnhandledExceptionFilter
0x140146110 SetUnhandledExceptionFilter
0x140146118 IsDebuggerPresent
0x140146120 RtlVirtualUnwind
0x140146128 RtlCaptureContext
0x140146130 CloseHandle
0x140146138 SetHandleCount
0x140146140 GetStdHandle
0x140146148 InitializeCriticalSectionAndSpinCount
0x140146150 GetFileType
0x140146158 GetProcAddress
0x140146160 GetModuleHandleW
0x140146168 ExitProcess
0x140146170 WriteFile
0x140146178 GetModuleFileNameW
0x140146180 FreeEnvironmentStringsW
0x140146188 GetEnvironmentStringsW
0x140146190 QueryPerformanceCounter
0x140146198 GetTickCount
0x1401461a0 GetCurrentProcessId
0x1401461a8 GetStringTypeW
0x1401461b0 GetLocaleInfoW
0x1401461b8 HeapSize
0x1401461c0 GetACP
0x1401461c8 GetOEMCP
0x1401461d0 IsValidCodePage
0x1401461d8 GetUserDefaultLCID
0x1401461e0 GetLocaleInfoA
0x1401461e8 EnumSystemLocalesA
0x1401461f0 IsValidLocale
0x1401461f8 GetConsoleCP
0x140146200 GetConsoleMode
0x140146208 FlushFileBuffers
0x140146210 ReadFile
0x140146218 SetFilePointer
0x140146220 HeapReAlloc
0x140146228 SetStdHandle
0x140146230 CreateFileA
0x140146238 LoadLibraryW
0x140146240 WriteConsoleW
0x140146248 SetEndOfFile
0x140146250 GetProcessHeap
0x140146258 CreateFileW
EAT(Export Address Table) is none
KERNEL32.dll
0x140146000 CreateProcessA
0x140146008 WideCharToMultiByte
0x140146010 MultiByteToWideChar
0x140146018 Sleep
0x140146020 InitializeCriticalSection
0x140146028 DeleteCriticalSection
0x140146030 EnterCriticalSection
0x140146038 LeaveCriticalSection
0x140146040 EncodePointer
0x140146048 DecodePointer
0x140146050 GetSystemTimeAsFileTime
0x140146058 GetLastError
0x140146060 HeapFree
0x140146068 RaiseException
0x140146070 RtlPcToFileHeader
0x140146078 RtlLookupFunctionEntry
0x140146080 RtlUnwindEx
0x140146088 GetCommandLineW
0x140146090 GetStartupInfoW
0x140146098 GetCPInfo
0x1401460a0 HeapAlloc
0x1401460a8 LCMapStringW
0x1401460b0 HeapSetInformation
0x1401460b8 GetVersion
0x1401460c0 HeapCreate
0x1401460c8 FlsGetValue
0x1401460d0 FlsSetValue
0x1401460d8 FlsFree
0x1401460e0 SetLastError
0x1401460e8 GetCurrentThreadId
0x1401460f0 FlsAlloc
0x1401460f8 TerminateProcess
0x140146100 GetCurrentProcess
0x140146108 UnhandledExceptionFilter
0x140146110 SetUnhandledExceptionFilter
0x140146118 IsDebuggerPresent
0x140146120 RtlVirtualUnwind
0x140146128 RtlCaptureContext
0x140146130 CloseHandle
0x140146138 SetHandleCount
0x140146140 GetStdHandle
0x140146148 InitializeCriticalSectionAndSpinCount
0x140146150 GetFileType
0x140146158 GetProcAddress
0x140146160 GetModuleHandleW
0x140146168 ExitProcess
0x140146170 WriteFile
0x140146178 GetModuleFileNameW
0x140146180 FreeEnvironmentStringsW
0x140146188 GetEnvironmentStringsW
0x140146190 QueryPerformanceCounter
0x140146198 GetTickCount
0x1401461a0 GetCurrentProcessId
0x1401461a8 GetStringTypeW
0x1401461b0 GetLocaleInfoW
0x1401461b8 HeapSize
0x1401461c0 GetACP
0x1401461c8 GetOEMCP
0x1401461d0 IsValidCodePage
0x1401461d8 GetUserDefaultLCID
0x1401461e0 GetLocaleInfoA
0x1401461e8 EnumSystemLocalesA
0x1401461f0 IsValidLocale
0x1401461f8 GetConsoleCP
0x140146200 GetConsoleMode
0x140146208 FlushFileBuffers
0x140146210 ReadFile
0x140146218 SetFilePointer
0x140146220 HeapReAlloc
0x140146228 SetStdHandle
0x140146230 CreateFileA
0x140146238 LoadLibraryW
0x140146240 WriteConsoleW
0x140146248 SetEndOfFile
0x140146250 GetProcessHeap
0x140146258 CreateFileW
EAT(Export Address Table) is none