Report - 1.exe

Tags: Lumma, Malicious Library, Malicious Packer, UPX, PE32, PE File, OS Processor Check

Created 2023.12.19 07:39
Machine s1_win7_x6403
Filename 1.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 11
Behavior Score 7.2
ZERO API file : malware
VT API (file)
md5 2e4e7673a769c8ca39609bb6973f8a1f
sha256 c6930d431982ea0094f33313a2d2c373fb169478d3d17cae706012620d679242
ssdeep 12288:i4bZS+74XGs0vyBTbjcA2usBmdOcDbNbzIG1bK6q137vOXDCpcY:i4bZS+70Gs0g4A2us/ezIGm6qx7GWO
imphash 87276645a61980fa58d8085fc4df7bae
impfuzzy 24:UBWDCt/2DjtWOovbOG3CMUD1uBvg0WDkQyl3LL2SOTqEu9VJUsNeMpI1qy4F563B:UBQCtmx3r1Gz3hFOuYs6qy4F5M7ghOh/

Signature (17cnts)

Level Description
watch Appends a known CryptoMix ransomware file extension to files that have been encrypted
watch Attempts to access Bitcoin/ALTCoin wallets
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects Virtual Machines through their custom firmware
notice HTTP traffic contains suspicious features which may be indicative of malware-related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (6cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts)

Request CC ASN Co IP4 Rule ZERO
http://crudeleavelegendew.fun/api US CLOUDFLARENET 172.67.207.100 38802 malicious
crudeleavelegendew.fun US CLOUDFLARENET 172.67.207.100 malicious
163.197.245.130 US PEGTECHINC 163.197.245.130 malicious
172.67.207.100 US CLOUDFLARENET 172.67.207.100 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x46e198 CloseHandle
 0x46e19c CompareStringW
 0x46e1a0 CreateFileA
 0x46e1a4 CreateFileW
 0x46e1a8 CreateProcessW
 0x46e1ac DecodePointer
 0x46e1b0 DeleteCriticalSection
 0x46e1b4 EncodePointer
 0x46e1b8 EnterCriticalSection
 0x46e1bc ExitProcess
 0x46e1c0 ExpandEnvironmentStringsW
 0x46e1c4 FindClose
 0x46e1c8 FindFirstFileExW
 0x46e1cc FindNextFileW
 0x46e1d0 FlushFileBuffers
 0x46e1d4 FreeEnvironmentStringsW
 0x46e1d8 FreeLibrary
 0x46e1dc GetACP
 0x46e1e0 GetCPInfo
 0x46e1e4 GetCommandLineA
 0x46e1e8 GetCommandLineW
 0x46e1ec GetComputerNameExA
 0x46e1f0 GetComputerNameW
 0x46e1f4 GetConsoleMode
 0x46e1f8 GetConsoleOutputCP
 0x46e1fc GetCurrentProcess
 0x46e200 GetCurrentProcessId
 0x46e204 GetCurrentThreadId
 0x46e208 GetEnvironmentStringsW
 0x46e20c GetFileSizeEx
 0x46e210 GetFileType
 0x46e214 GetLastError
 0x46e218 GetModuleFileNameA
 0x46e21c GetModuleFileNameW
 0x46e220 GetModuleHandleExW
 0x46e224 GetModuleHandleW
 0x46e228 GetOEMCP
 0x46e22c GetProcAddress
 0x46e230 GetProcessHeap
 0x46e234 GetStartupInfoW
 0x46e238 GetStdHandle
 0x46e23c GetStringTypeW
 0x46e240 GetSystemTimeAsFileTime
 0x46e244 GetTimeZoneInformation
 0x46e248 GetVolumeInformationW
 0x46e24c GetWindowsDirectoryW
 0x46e250 HeapAlloc
 0x46e254 HeapFree
 0x46e258 HeapReAlloc
 0x46e25c HeapSize
 0x46e260 InitializeCriticalSectionAndSpinCount
 0x46e264 InitializeSListHead
 0x46e268 IsDebuggerPresent
 0x46e26c IsProcessorFeaturePresent
 0x46e270 IsValidCodePage
 0x46e274 LCMapStringW
 0x46e278 LeaveCriticalSection
 0x46e27c LoadLibraryA
 0x46e280 LoadLibraryExW
 0x46e284 LoadLibraryW
 0x46e288 MultiByteToWideChar
 0x46e28c QueryPerformanceCounter
 0x46e290 RaiseException
 0x46e294 ReadFile
 0x46e298 RtlUnwind
 0x46e29c SetEndOfFile
 0x46e2a0 SetEnvironmentVariableW
 0x46e2a4 SetFilePointerEx
 0x46e2a8 SetLastError
 0x46e2ac SetStdHandle
 0x46e2b0 SetUnhandledExceptionFilter
 0x46e2b4 TerminateProcess
 0x46e2b8 TlsAlloc
 0x46e2bc TlsFree
 0x46e2c0 TlsGetValue
 0x46e2c4 TlsSetValue
 0x46e2c8 UnhandledExceptionFilter
 0x46e2cc WideCharToMultiByte
 0x46e2d0 WinExec
 0x46e2d4 WriteConsoleW
 0x46e2d8 WriteFile
 0x46e2dc lstrcatW
 0x46e2e0 lstrcmpW
 0x46e2e4 lstrcmpiW
 0x46e2e8 lstrlenW
ADVAPI32.dll
 0x46e2f0 GetUserNameW
 0x46e2f4 RegCloseKey
 0x46e2f8 RegEnumKeyExW
 0x46e2fc RegOpenKeyExW
 0x46e300 RegQueryValueExW
USER32.dll
 0x46e308 EnumDisplayDevicesA
 0x46e30c GetDC
 0x46e310 GetSystemMetrics
 0x46e314 ReleaseDC
 0x46e318 wsprintfW
GDI32.dll
 0x46e320 BitBlt
 0x46e324 CreateCompatibleBitmap
 0x46e328 CreateCompatibleDC
 0x46e32c CreateDCW
 0x46e330 DeleteDC
 0x46e334 DeleteObject
 0x46e338 GetDIBits
 0x46e33c GetObjectW
 0x46e340 SelectObject
WINHTTP.dll
 0x46e348 WinHttpAddRequestHeaders
 0x46e34c WinHttpCloseHandle
 0x46e350 WinHttpConnect
 0x46e354 WinHttpCrackUrl
 0x46e358 WinHttpOpen
 0x46e35c WinHttpOpenRequest
 0x46e360 WinHttpQueryDataAvailable
 0x46e364 WinHttpReadData
 0x46e368 WinHttpReceiveResponse
 0x46e36c WinHttpSendRequest
CRYPT32.dll
 0x46e374 CryptStringToBinaryA

EAT (Export Address Table): none