popup

Report - lum_agent_online.exe

Emotet Generic Malware Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL PE64 DllRegisterServer dll
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.08.23 20:12 Machine s1_win7_x6401
Filename lum_agent_online.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
7.4
ZERO API file : clean
VT API (file)
md5 d09a787b5982cf6eccd6e4bbe6290850
sha256 fe348d2b311b9557d62c3d2e8aeff986bb9d53275a269d004d8b371b4a460ece
ssdeep 24576:BLKM91coozik2PZPzoOxLh8exZwmpqLlKXA6TZY2g8:FKM9iIPho2LvZLuOAIjz
imphash 06f73061078eee65d5f7f95b3868063b
impfuzzy 24:bS1jtuhlJnc+pl3eDo/CyozFUSOovbO9Ziv2jMkX+jr90yO3oNBjLEvwkgU:bS1jtu5c+ppmyH3Af9JO4nEv/gU
  Network IP location

Signature (19cnts)

Level Description
watch Appends a new file extension or content to 68 files indicative of a ransomware file encryption process
watch Created a service where a service was also not started
watch Installs itself for autorun at Windows startup
watch Performs 68 file moves indicative of a ransomware file encryption process
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (18cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://client-updates.lumu.io/service/update2?cup2key=1:aiyktIlMWjC_YDIJkn6k3-6XqffwkP2DaBfamURTQIA&cup2hreq=a4125a8074c9af063159ba78027272f9671c42488dea9878a9c5f20b4b7c8dc7
whois
US AMAZON-AES 3.229.137.113 clean
http://x1.i.lencr.org/
whois
US Akamai International B.V. 23.207.177.83 clean
http://client-updates.lumu.io/service/update2
whois
US AMAZON-AES 3.229.137.113 clean
https://lumu-updates.s3.amazonaws.com/build/Agent/win/2203318943744/desktop_single_agent-d47545d41d.exe
whois
DE AMAZON-02 54.231.194.33 clean
client-updates.lumu.io
whois
US AMAZON-AES 3.229.137.113 clean
x1.i.lencr.org
whois
US Akamai International B.V. 23.207.177.83 clean
lumu-updates.s3.amazonaws.com
whois
Unknown 54.231.203.249 clean
3.229.137.113
whois
US AMAZON-AES 3.229.137.113 clean
23.52.33.11
whois
US Telenor Norge AS 23.52.33.11 clean
23.41.113.9
whois
US NTT DOCOMO, INC. 23.41.113.9 clean
54.231.194.33
whois
DE AMAZON-02 54.231.194.33 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x418000 QueryPerformanceCounter
 0x418004 GetCurrentProcessId
 0x418008 GetCurrentThreadId
 0x41800c GetSystemTimeAsFileTime
 0x418010 InitializeSListHead
 0x418014 IsDebuggerPresent
 0x418018 UnhandledExceptionFilter
 0x41801c SetUnhandledExceptionFilter
 0x418020 GetStartupInfoW
 0x418024 IsProcessorFeaturePresent
 0x418028 GetModuleHandleW
 0x41802c GetCurrentProcess
 0x418030 TerminateProcess
 0x418034 RtlUnwind
 0x418038 GetLastError
 0x41803c SetLastError
 0x418040 EnterCriticalSection
 0x418044 LeaveCriticalSection
 0x418048 DeleteCriticalSection
 0x41804c InitializeCriticalSectionAndSpinCount
 0x418050 TlsAlloc
 0x418054 TlsGetValue
 0x418058 TlsSetValue
 0x41805c TlsFree
 0x418060 FreeLibrary
 0x418064 GetProcAddress
 0x418068 LoadLibraryExW
 0x41806c EncodePointer
 0x418070 RaiseException
 0x418074 GetStdHandle
 0x418078 WriteFile
 0x41807c GetModuleFileNameW
 0x418080 ExitProcess
 0x418084 GetModuleHandleExW
 0x418088 OutputDebugStringW
 0x41808c HeapAlloc
 0x418090 HeapFree
 0x418094 FindClose
 0x418098 FindFirstFileExW
 0x41809c FindNextFileW
 0x4180a0 IsValidCodePage
 0x4180a4 GetACP
 0x4180a8 GetOEMCP
 0x4180ac GetCPInfo
 0x4180b0 GetCommandLineA
 0x4180b4 GetCommandLineW
 0x4180b8 MultiByteToWideChar
 0x4180bc WideCharToMultiByte
 0x4180c0 GetEnvironmentStringsW
 0x4180c4 FreeEnvironmentStringsW
 0x4180c8 SetStdHandle
 0x4180cc GetFileType
 0x4180d0 GetStringTypeW
 0x4180d4 LCMapStringW
 0x4180d8 GetProcessHeap
 0x4180dc HeapSize
 0x4180e0 HeapReAlloc
 0x4180e4 FlushFileBuffers
 0x4180e8 GetConsoleCP
 0x4180ec GetConsoleMode
 0x4180f0 SetFilePointerEx
 0x4180f4 ReadFile
 0x4180f8 CreateFileW
 0x4180fc CloseHandle
 0x418100 WriteConsoleW
 0x418104 DecodePointer
 0x418108 CreateEventW
 0x41810c WaitForSingleObjectEx
 0x418110 ResetEvent
 0x418114 SetEvent
 0x418118 CreateDirectoryW
 0x41811c SizeofResource
 0x418120 RemoveDirectoryW
 0x418124 GetTempPathW
 0x418128 FormatMessageW
 0x41812c LockResource
 0x418130 DeleteFileW
 0x418134 FindResourceExW
 0x418138 LoadResource
 0x41813c FindResourceW
 0x418140 HeapDestroy
 0x418144 LocalFree
 0x418148 VerSetConditionMask
 0x41814c CopyFileW
 0x418150 VerifyVersionInfoW
 0x418154 GetTempFileNameW
 0x418158 lstrcmpiW
 0x41815c UnmapViewOfFile
 0x418160 CreateFileMappingW
 0x418164 MapViewOfFile
 0x418168 VirtualQuery
 0x41816c SetFilePointer
 0x418170 WaitForSingleObject
 0x418174 CreateProcessW
 0x418178 GetExitCodeProcess
SHLWAPI.dll
 0x41818c PathQuoteSpacesW
 0x418190 PathAppendW
ole32.dll
 0x4181a4 CoUninitialize
 0x4181a8 CoInitializeEx
SHELL32.dll
 0x418180 SHGetFolderPathW
 0x418184 None
USER32.dll
 0x418198 MessageBoxW
 0x41819c CharLowerBuffW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure