ScreenShot
| Created | 2023.10.27 07:38 | Machine | s1_win7_x6401 |
| Filename | 202.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 31 detected (AIDetectMalware, Artemis, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, GenKryptik, GPLS, score, Stealerc, Kryptik, NGnqaWXxXjL, Andromeda, moderate, Cinoshi, Detected, Casdet, Zbot, Eldorado, BScope, TrojanPSW, RedLine, unsafe, Ddhl, Static AI, Malicious PE, CrypterX) | ||
| md5 | 7102d2f457071b2c66c6c0ec3035ae7e | ||
| sha256 | 35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8 | ||
| ssdeep | 12288:89lnaoj5V1hCbwgNX3x02IvNYATdvoISl47lN5R/:AaobrC1NHx0do7MlN5F | ||
| imphash | 66bc811ac894535ffcee36d78d1ccd29 | ||
| impfuzzy | 24:WjKNDo7kNdZ+fcslmMZt/OovRB7dOJ3CFQHRyvuT4PjMdZA5l7F:HdZ+fcdMZt2QZMOuc8Zu7 | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Collects information about installed applications |
| watch | Detects Virtual Machines through their custom firmware |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41f000 WaitForSingleObject
0x41f004 Sleep
0x41f008 CreateThread
0x41f00c lstrlenW
0x41f010 VirtualProtect
0x41f014 GetProcAddress
0x41f018 LoadLibraryA
0x41f01c VirtualAlloc
0x41f020 GetModuleHandleA
0x41f024 InterlockedIncrement
0x41f028 InterlockedDecrement
0x41f02c WideCharToMultiByte
0x41f030 InterlockedExchange
0x41f034 InitializeCriticalSection
0x41f038 DeleteCriticalSection
0x41f03c EnterCriticalSection
0x41f040 LeaveCriticalSection
0x41f044 MultiByteToWideChar
0x41f048 GetLastError
0x41f04c HeapFree
0x41f050 HeapAlloc
0x41f054 GetSystemTimeAsFileTime
0x41f058 RtlUnwind
0x41f05c RaiseException
0x41f060 TerminateProcess
0x41f064 GetCurrentProcess
0x41f068 UnhandledExceptionFilter
0x41f06c SetUnhandledExceptionFilter
0x41f070 IsDebuggerPresent
0x41f074 GetCommandLineA
0x41f078 GetCPInfo
0x41f07c LCMapStringA
0x41f080 LCMapStringW
0x41f084 HeapCreate
0x41f088 VirtualFree
0x41f08c HeapReAlloc
0x41f090 GetModuleHandleW
0x41f094 ExitProcess
0x41f098 WriteFile
0x41f09c GetStdHandle
0x41f0a0 GetModuleFileNameA
0x41f0a4 ReadFile
0x41f0a8 TlsGetValue
0x41f0ac TlsAlloc
0x41f0b0 TlsSetValue
0x41f0b4 TlsFree
0x41f0b8 SetLastError
0x41f0bc GetCurrentThreadId
0x41f0c0 FreeEnvironmentStringsA
0x41f0c4 GetEnvironmentStrings
0x41f0c8 FreeEnvironmentStringsW
0x41f0cc GetEnvironmentStringsW
0x41f0d0 SetHandleCount
0x41f0d4 GetFileType
0x41f0d8 GetStartupInfoA
0x41f0dc QueryPerformanceCounter
0x41f0e0 GetTickCount
0x41f0e4 GetCurrentProcessId
0x41f0e8 GetConsoleCP
0x41f0ec GetConsoleMode
0x41f0f0 FlushFileBuffers
0x41f0f4 SetFilePointer
0x41f0f8 CloseHandle
0x41f0fc HeapSize
0x41f100 GetACP
0x41f104 GetOEMCP
0x41f108 IsValidCodePage
0x41f10c GetUserDefaultLCID
0x41f110 GetLocaleInfoA
0x41f114 EnumSystemLocalesA
0x41f118 IsValidLocale
0x41f11c GetStringTypeA
0x41f120 GetStringTypeW
0x41f124 InitializeCriticalSectionAndSpinCount
0x41f128 SetStdHandle
0x41f12c WriteConsoleA
0x41f130 GetConsoleOutputCP
0x41f134 WriteConsoleW
0x41f138 GetLocaleInfoW
0x41f13c CreateFileA
EAT(Export Address Table) is none
KERNEL32.dll
0x41f000 WaitForSingleObject
0x41f004 Sleep
0x41f008 CreateThread
0x41f00c lstrlenW
0x41f010 VirtualProtect
0x41f014 GetProcAddress
0x41f018 LoadLibraryA
0x41f01c VirtualAlloc
0x41f020 GetModuleHandleA
0x41f024 InterlockedIncrement
0x41f028 InterlockedDecrement
0x41f02c WideCharToMultiByte
0x41f030 InterlockedExchange
0x41f034 InitializeCriticalSection
0x41f038 DeleteCriticalSection
0x41f03c EnterCriticalSection
0x41f040 LeaveCriticalSection
0x41f044 MultiByteToWideChar
0x41f048 GetLastError
0x41f04c HeapFree
0x41f050 HeapAlloc
0x41f054 GetSystemTimeAsFileTime
0x41f058 RtlUnwind
0x41f05c RaiseException
0x41f060 TerminateProcess
0x41f064 GetCurrentProcess
0x41f068 UnhandledExceptionFilter
0x41f06c SetUnhandledExceptionFilter
0x41f070 IsDebuggerPresent
0x41f074 GetCommandLineA
0x41f078 GetCPInfo
0x41f07c LCMapStringA
0x41f080 LCMapStringW
0x41f084 HeapCreate
0x41f088 VirtualFree
0x41f08c HeapReAlloc
0x41f090 GetModuleHandleW
0x41f094 ExitProcess
0x41f098 WriteFile
0x41f09c GetStdHandle
0x41f0a0 GetModuleFileNameA
0x41f0a4 ReadFile
0x41f0a8 TlsGetValue
0x41f0ac TlsAlloc
0x41f0b0 TlsSetValue
0x41f0b4 TlsFree
0x41f0b8 SetLastError
0x41f0bc GetCurrentThreadId
0x41f0c0 FreeEnvironmentStringsA
0x41f0c4 GetEnvironmentStrings
0x41f0c8 FreeEnvironmentStringsW
0x41f0cc GetEnvironmentStringsW
0x41f0d0 SetHandleCount
0x41f0d4 GetFileType
0x41f0d8 GetStartupInfoA
0x41f0dc QueryPerformanceCounter
0x41f0e0 GetTickCount
0x41f0e4 GetCurrentProcessId
0x41f0e8 GetConsoleCP
0x41f0ec GetConsoleMode
0x41f0f0 FlushFileBuffers
0x41f0f4 SetFilePointer
0x41f0f8 CloseHandle
0x41f0fc HeapSize
0x41f100 GetACP
0x41f104 GetOEMCP
0x41f108 IsValidCodePage
0x41f10c GetUserDefaultLCID
0x41f110 GetLocaleInfoA
0x41f114 EnumSystemLocalesA
0x41f118 IsValidLocale
0x41f11c GetStringTypeA
0x41f120 GetStringTypeW
0x41f124 InitializeCriticalSectionAndSpinCount
0x41f128 SetStdHandle
0x41f12c WriteConsoleA
0x41f130 GetConsoleOutputCP
0x41f134 WriteConsoleW
0x41f138 GetLocaleInfoW
0x41f13c CreateFileA
EAT(Export Address Table) is none