ScreenShot
| Field | Value |
|---|---|
| Created | 2024.10.14 11:22 |
| Machine | s1_win7_x6401 |
| Filename | 670a8ccf0c6f9_LofiseNose.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| VT API (file) | 47 detected (AIDetectMalware, Stealerc, Unsafe, GenericKD, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, LummaStealer, PWSX, TrojanPSW, Kryptik, LESS, bWQ1Okf+sbwhqY0N, Redcap, jiztw, Steam, YXEJMZ, score, Static AI, Suspicious PE, Detected, Lumma, MBXV, ABTrojan, GUKC, R672219, Artemis, Krypt, Chgt, PossibleThreat, Software, Wacatac, B9nj) |
| md5 | 400af20bb680795b1a047b588d8f1b26 |
| sha256 | f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986 |
| ssdeep | 24576:YRjxaXu0Nvce4l/4dZjXdjUUyFUXeVea4jNkvKpgJ6vtZWVnX:YJxaXu0NvT4OdjU/v94R1pgJ6vtZWVX |
| imphash | 285f07c66f98861b92460fa57c11d967 |
| impfuzzy | 24:WjjC9VcpVW6OCrttlS1wGzplJBl3eDoLoBOuFZMvuGMApTm+lpOovbOPZHu9J:b9VcpVqCrttlS1wGzPpXHuFZGQN3Y |
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | This executable has a PDB path |
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
No network requests were recorded for this sample.
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x489000 WaitForSingleObject
0x489004 CloseHandle
0x489008 CreateThread
0x48900c MultiByteToWideChar
0x489010 FormatMessageA
0x489014 GetStringTypeW
0x489018 WideCharToMultiByte
0x48901c EnterCriticalSection
0x489020 LeaveCriticalSection
0x489024 InitializeCriticalSectionEx
0x489028 DeleteCriticalSection
0x48902c EncodePointer
0x489030 DecodePointer
0x489034 LocalFree
0x489038 GetLocaleInfoEx
0x48903c LCMapStringEx
0x489040 CompareStringEx
0x489044 GetCPInfo
0x489048 IsProcessorFeaturePresent
0x48904c UnhandledExceptionFilter
0x489050 SetUnhandledExceptionFilter
0x489054 GetCurrentProcess
0x489058 TerminateProcess
0x48905c QueryPerformanceCounter
0x489060 GetCurrentProcessId
0x489064 GetCurrentThreadId
0x489068 GetSystemTimeAsFileTime
0x48906c InitializeSListHead
0x489070 IsDebuggerPresent
0x489074 GetStartupInfoW
0x489078 GetModuleHandleW
0x48907c CreateFileW
0x489080 RaiseException
0x489084 RtlUnwind
0x489088 InterlockedPushEntrySList
0x48908c InterlockedFlushSList
0x489090 GetLastError
0x489094 SetLastError
0x489098 InitializeCriticalSectionAndSpinCount
0x48909c TlsAlloc
0x4890a0 TlsGetValue
0x4890a4 TlsSetValue
0x4890a8 TlsFree
0x4890ac FreeLibrary
0x4890b0 GetProcAddress
0x4890b4 LoadLibraryExW
0x4890b8 GetStdHandle
0x4890bc WriteFile
0x4890c0 GetModuleFileNameW
0x4890c4 ExitProcess
0x4890c8 GetModuleHandleExW
0x4890cc HeapAlloc
0x4890d0 HeapFree
0x4890d4 GetDateFormatW
0x4890d8 GetTimeFormatW
0x4890dc CompareStringW
0x4890e0 LCMapStringW
0x4890e4 GetLocaleInfoW
0x4890e8 IsValidLocale
0x4890ec GetUserDefaultLCID
0x4890f0 EnumSystemLocalesW
0x4890f4 GetFileType
0x4890f8 GetCurrentThread
0x4890fc FlushFileBuffers
0x489100 GetConsoleOutputCP
0x489104 GetConsoleMode
0x489108 ReadFile
0x48910c GetFileSizeEx
0x489110 SetFilePointerEx
0x489114 ReadConsoleW
0x489118 SetConsoleCtrlHandler
0x48911c HeapReAlloc
0x489120 GetTimeZoneInformation
0x489124 OutputDebugStringW
0x489128 FindClose
0x48912c FindFirstFileExW
0x489130 FindNextFileW
0x489134 IsValidCodePage
0x489138 GetACP
0x48913c GetOEMCP
0x489140 GetCommandLineA
0x489144 GetCommandLineW
0x489148 GetEnvironmentStringsW
0x48914c FreeEnvironmentStringsW
0x489150 SetEnvironmentVariableW
0x489154 SetStdHandle
0x489158 GetProcessHeap
0x48915c HeapSize
0x489160 WriteConsoleW
EAT (Export Address Table) is none