Field | Value |
---|---|
Created | 2023.12.11 19:55 |
Machine | s1_win7_x6401 |
Filename | deluxe_crypted.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 53 detected (AIDetectMalware, Stealerc, malicious, high confidence, GenericKD, FakeSig, Vh76, TrojanPSW, RiseProStealer, confidence, 100%, Attribute, HighConfidence, Kryptik, HVLZ, kevfmv, PWSX, Gencirc, AGEN, DownLoader46, LUMMASTEALER, YXDLEZ, high, score, Static AI, Malicious PE, ai score=89, aggf, GenKD, Detected, Eldorado, GenKryptik, gpyt, Malware@#1nk66a7m3j048, BScope, Lumma, unsafe, Chgt, Hzf3rTla4vV, Krypt, susgen, HUTD, ZexaF, SqX@ai7h01o) |
md5 | d7f80ac5e408c10c0f6d953a08b8db74 |
sha256 | a49b3483e2f2bd0049198e2738acc62b8326f4b86d09a55b12b94f0bb4505f66 |
ssdeep | 12288:4PnZxc7iv9jRwjU7mdCGma95StTAWj9U7+ICWd1Ur3SxeKtdP2OS4hS2l:4PnY7iFFGma95StTj9U7+ICWd1UjSxec |
imphash | da4cbf4e33005e7c68a994bb459b6d6f |
impfuzzy | 24:o5QgLJDPjMacpVJ+ZXteVGhlJBl39WuPLOovbO3gv9FZ+GMA+EZHu9U:oqgL2acpVJ2XteVGnpn63y9FZJ |
Network IP location
Signatures (19 counts)
Level | Description |
---|---|
danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Detects Virtual Machines through their custom firmware |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Repeatedly searches for a not-found process |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (5 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
ET INFO HTTP Request to a *.pw domain
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET DNS Query to a *.pw domain - Likely Hostile
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET DNS Query to a *.pw domain - Likely Hostile
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
PE API
IAT (Import Address Table) Library
GDI32.dll
0x426008 ArcTo
0x42600c RoundRect
0x426010 GetTextCharacterExtra
USER32.dll
0x42615c PhysicalToLogicalPoint
ADVAPI32.dll
0x426000 SetServiceStatus
KERNEL32.dll
0x426018 HeapSize
0x42601c CreateFileW
0x426020 GetProcAddress
0x426024 CloseHandle
0x426028 WaitForSingleObjectEx
0x42602c GetCurrentThreadId
0x426030 GetExitCodeThread
0x426034 WideCharToMultiByte
0x426038 MultiByteToWideChar
0x42603c GetStringTypeW
0x426040 EnterCriticalSection
0x426044 LeaveCriticalSection
0x426048 InitializeCriticalSectionEx
0x42604c DeleteCriticalSection
0x426050 QueryPerformanceCounter
0x426054 EncodePointer
0x426058 DecodePointer
0x42605c LCMapStringEx
0x426060 GetSystemTimeAsFileTime
0x426064 GetModuleHandleW
0x426068 GetCPInfo
0x42606c IsProcessorFeaturePresent
0x426070 UnhandledExceptionFilter
0x426074 SetUnhandledExceptionFilter
0x426078 GetCurrentProcess
0x42607c TerminateProcess
0x426080 GetCurrentProcessId
0x426084 InitializeSListHead
0x426088 IsDebuggerPresent
0x42608c GetStartupInfoW
0x426090 ReadConsoleW
0x426094 RaiseException
0x426098 RtlUnwind
0x42609c GetLastError
0x4260a0 SetLastError
0x4260a4 InitializeCriticalSectionAndSpinCount
0x4260a8 TlsAlloc
0x4260ac TlsGetValue
0x4260b0 TlsSetValue
0x4260b4 TlsFree
0x4260b8 FreeLibrary
0x4260bc LoadLibraryExW
0x4260c0 CreateThread
0x4260c4 ExitThread
0x4260c8 FreeLibraryAndExitThread
0x4260cc GetModuleHandleExW
0x4260d0 GetStdHandle
0x4260d4 WriteFile
0x4260d8 GetModuleFileNameW
0x4260dc ExitProcess
0x4260e0 GetCommandLineA
0x4260e4 GetCommandLineW
0x4260e8 HeapAlloc
0x4260ec HeapFree
0x4260f0 GetFileType
0x4260f4 CompareStringW
0x4260f8 LCMapStringW
0x4260fc GetLocaleInfoW
0x426100 IsValidLocale
0x426104 GetUserDefaultLCID
0x426108 EnumSystemLocalesW
0x42610c GetFileSizeEx
0x426110 SetFilePointerEx
0x426114 FlushFileBuffers
0x426118 GetConsoleOutputCP
0x42611c GetConsoleMode
0x426120 ReadFile
0x426124 HeapReAlloc
0x426128 FindClose
0x42612c FindFirstFileExW
0x426130 FindNextFileW
0x426134 IsValidCodePage
0x426138 GetACP
0x42613c GetOEMCP
0x426140 GetEnvironmentStringsW
0x426144 FreeEnvironmentStringsW
0x426148 SetEnvironmentVariableW
0x42614c SetStdHandle
0x426150 GetProcessHeap
0x426154 WriteConsoleW
EAT (Export Address Table): none