ScreenShot
| Created | 2023.10.30 17:42 | Machine | s1_win7_x6401 |
| Filename | 203.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 30 detected (AIDetectMalware, Stealerc, Artemis, Vk0g, malicious, confidence, 100%, ZexaF, QuY@aGulbxb, Attribute, HighConfidence, high confidence, GenKryptik, GPLS, score, Generic@AI, RDML, asCh2OCTI1pAVXVeTpr4xg, high, Static AI, Malicious PE, Detected, Sabsik, unsafe, FalseSign, Tnkl) | ||
| md5 | b4c67afbce5715b8bc9c3b652564ee22 | ||
| sha256 | 9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9 | ||
| ssdeep | 12288:4D6oYmy0vvcL0xzonhWwnW56viEUrvPiKaTicl80cwenIS93p3qVy4FML:ay0HcLIzMWFjvDPiKaTiclDcwi93MVyH | ||
| imphash | 24474625b01796b3171973a0cb41f62c | ||
| impfuzzy | 24:WjKNDoT/kNdZ+fcslvMZt/OovRB7kJ3CFQHRyvuT4UjMZvZA5lIoqmUkG0uOgAG5:JdZ+fceMZt2QZcOucBZuO09uOmXcU | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Collects information about installed applications |
| watch | Detects Virtual Machines through their custom firmware |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Repeatedly searches for a not-found process |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO HTTP Request to a *.pw domain
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET INFO HTTP Request to a *.pw domain
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41f000 WaitForSingleObject
0x41f004 Sleep
0x41f008 CreateThread
0x41f00c lstrlenW
0x41f010 VirtualProtect
0x41f014 GetProcAddress
0x41f018 LoadLibraryA
0x41f01c VirtualAlloc
0x41f020 GetModuleHandleA
0x41f024 CreateEventW
0x41f028 FreeConsole
0x41f02c InterlockedIncrement
0x41f030 InterlockedDecrement
0x41f034 WideCharToMultiByte
0x41f038 InterlockedExchange
0x41f03c InitializeCriticalSection
0x41f040 DeleteCriticalSection
0x41f044 EnterCriticalSection
0x41f048 LeaveCriticalSection
0x41f04c MultiByteToWideChar
0x41f050 GetLastError
0x41f054 HeapFree
0x41f058 HeapAlloc
0x41f05c RtlUnwind
0x41f060 RaiseException
0x41f064 TerminateProcess
0x41f068 GetCurrentProcess
0x41f06c UnhandledExceptionFilter
0x41f070 SetUnhandledExceptionFilter
0x41f074 IsDebuggerPresent
0x41f078 GetCommandLineA
0x41f07c GetCPInfo
0x41f080 LCMapStringA
0x41f084 LCMapStringW
0x41f088 HeapCreate
0x41f08c VirtualFree
0x41f090 HeapReAlloc
0x41f094 GetModuleHandleW
0x41f098 ExitProcess
0x41f09c WriteFile
0x41f0a0 GetStdHandle
0x41f0a4 GetModuleFileNameA
0x41f0a8 TlsGetValue
0x41f0ac TlsAlloc
0x41f0b0 TlsSetValue
0x41f0b4 TlsFree
0x41f0b8 SetLastError
0x41f0bc GetCurrentThreadId
0x41f0c0 FreeEnvironmentStringsA
0x41f0c4 GetEnvironmentStrings
0x41f0c8 FreeEnvironmentStringsW
0x41f0cc GetEnvironmentStringsW
0x41f0d0 SetHandleCount
0x41f0d4 GetFileType
0x41f0d8 GetStartupInfoA
0x41f0dc QueryPerformanceCounter
0x41f0e0 GetTickCount
0x41f0e4 GetCurrentProcessId
0x41f0e8 GetSystemTimeAsFileTime
0x41f0ec GetConsoleCP
0x41f0f0 GetConsoleMode
0x41f0f4 FlushFileBuffers
0x41f0f8 ReadFile
0x41f0fc SetFilePointer
0x41f100 CloseHandle
0x41f104 HeapSize
0x41f108 GetACP
0x41f10c GetOEMCP
0x41f110 IsValidCodePage
0x41f114 GetUserDefaultLCID
0x41f118 GetLocaleInfoA
0x41f11c EnumSystemLocalesA
0x41f120 IsValidLocale
0x41f124 GetStringTypeA
0x41f128 GetStringTypeW
0x41f12c InitializeCriticalSectionAndSpinCount
0x41f130 WriteConsoleA
0x41f134 GetConsoleOutputCP
0x41f138 WriteConsoleW
0x41f13c SetStdHandle
0x41f140 GetLocaleInfoW
0x41f144 CreateFileA
kernel32.dll
0x4ac714 EnhanceDatabase
0x4ac718 InnovateRequest
0x4ac71c SafeguardProtocol
user32.dll
0x4ac724 InnovateComponent
0x4ac728 DeployArtifact
0x4ac72c InteractAlgorithm
0x4ac730 AutomatePermission
advapi32.dll
0x4ac738 CreateRequest
0x4ac73c AuthorizeLog
0x4ac740 GenerateResource
0x4ac744 StreamlineProtocol
EAT(Export Address Table) is none
KERNEL32.dll
0x41f000 WaitForSingleObject
0x41f004 Sleep
0x41f008 CreateThread
0x41f00c lstrlenW
0x41f010 VirtualProtect
0x41f014 GetProcAddress
0x41f018 LoadLibraryA
0x41f01c VirtualAlloc
0x41f020 GetModuleHandleA
0x41f024 CreateEventW
0x41f028 FreeConsole
0x41f02c InterlockedIncrement
0x41f030 InterlockedDecrement
0x41f034 WideCharToMultiByte
0x41f038 InterlockedExchange
0x41f03c InitializeCriticalSection
0x41f040 DeleteCriticalSection
0x41f044 EnterCriticalSection
0x41f048 LeaveCriticalSection
0x41f04c MultiByteToWideChar
0x41f050 GetLastError
0x41f054 HeapFree
0x41f058 HeapAlloc
0x41f05c RtlUnwind
0x41f060 RaiseException
0x41f064 TerminateProcess
0x41f068 GetCurrentProcess
0x41f06c UnhandledExceptionFilter
0x41f070 SetUnhandledExceptionFilter
0x41f074 IsDebuggerPresent
0x41f078 GetCommandLineA
0x41f07c GetCPInfo
0x41f080 LCMapStringA
0x41f084 LCMapStringW
0x41f088 HeapCreate
0x41f08c VirtualFree
0x41f090 HeapReAlloc
0x41f094 GetModuleHandleW
0x41f098 ExitProcess
0x41f09c WriteFile
0x41f0a0 GetStdHandle
0x41f0a4 GetModuleFileNameA
0x41f0a8 TlsGetValue
0x41f0ac TlsAlloc
0x41f0b0 TlsSetValue
0x41f0b4 TlsFree
0x41f0b8 SetLastError
0x41f0bc GetCurrentThreadId
0x41f0c0 FreeEnvironmentStringsA
0x41f0c4 GetEnvironmentStrings
0x41f0c8 FreeEnvironmentStringsW
0x41f0cc GetEnvironmentStringsW
0x41f0d0 SetHandleCount
0x41f0d4 GetFileType
0x41f0d8 GetStartupInfoA
0x41f0dc QueryPerformanceCounter
0x41f0e0 GetTickCount
0x41f0e4 GetCurrentProcessId
0x41f0e8 GetSystemTimeAsFileTime
0x41f0ec GetConsoleCP
0x41f0f0 GetConsoleMode
0x41f0f4 FlushFileBuffers
0x41f0f8 ReadFile
0x41f0fc SetFilePointer
0x41f100 CloseHandle
0x41f104 HeapSize
0x41f108 GetACP
0x41f10c GetOEMCP
0x41f110 IsValidCodePage
0x41f114 GetUserDefaultLCID
0x41f118 GetLocaleInfoA
0x41f11c EnumSystemLocalesA
0x41f120 IsValidLocale
0x41f124 GetStringTypeA
0x41f128 GetStringTypeW
0x41f12c InitializeCriticalSectionAndSpinCount
0x41f130 WriteConsoleA
0x41f134 GetConsoleOutputCP
0x41f138 WriteConsoleW
0x41f13c SetStdHandle
0x41f140 GetLocaleInfoW
0x41f144 CreateFileA
kernel32.dll
0x4ac714 EnhanceDatabase
0x4ac718 InnovateRequest
0x4ac71c SafeguardProtocol
user32.dll
0x4ac724 InnovateComponent
0x4ac728 DeployArtifact
0x4ac72c InteractAlgorithm
0x4ac730 AutomatePermission
advapi32.dll
0x4ac738 CreateRequest
0x4ac73c AuthorizeLog
0x4ac740 GenerateResource
0x4ac744 StreamlineProtocol
EAT(Export Address Table) is none