Field | Value |
---|---|
Created | 2025.01.13 16:06 |
Machine | s1_win7_x6403 |
Filename | elm.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
VT API (file) | 57 detected (tsID, Lazy, Ghanarava, Kudj, Unsafe, Save, malicious, confidence, 100%, Genus, high confidence, SpywareX, score, akie, TrojanPSW, ktmvvs, TdorkZjkXQO, euxwf, Meduza, Static AI, Suspicious PE, Detected, MeduzaStealer, Malware@#p7zj3ueb960x, ABTrojan, LNVP, Artemis, Medeze, PasswordStealer, Chgt, Gencirc, 4JMclUDTc0o) |
md5 | ac6323cfb95cc48955949b4d2e7f91a5 |
sha256 | a681393f417174f96a6f0814677b28d81884fb836b501de132eb0003e4782eac |
ssdeep | 24576:W2hVX3mzctl0cJQEcUKs9MjemJ5gx1wj7h0lhSMXl54Tud:9TX3yctl0E1Ks+egCx+jKp4T6 |
imphash | 0095cfee1cdfcef936c4c086b6b4fe85 |
impfuzzy | 96:MqJiTZHcEvX2uVtNCGfWWv5viLFoBIBg4ownx/0:nJiTyECWAm4d/0 |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Attempts to identify installed AV products by installation directory |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2
ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
SURICATA Applayer Protocol detection skipped
ET INFO TLS Handshake Failure
PE API
IAT(Import Address Table) Library
WS2_32.dll
0x1400d5610 closesocket
0x1400d5618 inet_pton
0x1400d5620 WSAStartup
0x1400d5628 send
0x1400d5630 socket
0x1400d5638 connect
0x1400d5640 recv
0x1400d5648 WSACleanup
0x1400d5650 htons
CRYPT32.dll
0x1400d5090 CryptUnprotectData
0x1400d5098 CryptProtectData
WININET.dll
0x1400d55d0 InternetOpenW
0x1400d55d8 InternetCloseHandle
0x1400d55e0 InternetReadFile
0x1400d55e8 InternetQueryDataAvailable
0x1400d55f0 HttpQueryInfoW
0x1400d55f8 InternetOpenUrlA
0x1400d5600 InternetOpenA
ntdll.dll
0x1400d56f8 NtQuerySystemInformation
0x1400d5700 RtlInitUnicodeString
0x1400d5708 LdrEnumerateLoadedModules
0x1400d5710 RtlAcquirePebLock
0x1400d5718 RtlReleasePebLock
0x1400d5720 NtQueryObject
0x1400d5728 NtAllocateVirtualMemory
RstrtMgr.DLL
0x1400d5530 RmGetList
0x1400d5538 RmStartSession
0x1400d5540 RmEndSession
0x1400d5548 RmRegisterResources
crypt.dll
0x1400d5660 BCryptCloseAlgorithmProvider
0x1400d5668 BCryptOpenAlgorithmProvider
0x1400d5670 BCryptDecrypt
0x1400d5678 BCryptDestroyKey
0x1400d5680 BCryptGenerateSymmetricKey
0x1400d5688 BCryptSetProperty
KERNEL32.dll
0x1400d50f0 GetFileInformationByHandleEx
0x1400d50f8 AreFileApisANSI
0x1400d5100 FindFirstFileW
0x1400d5108 FindNextFileW
0x1400d5110 FindClose
0x1400d5118 OpenProcess
0x1400d5120 CreateToolhelp32Snapshot
0x1400d5128 Process32NextW
0x1400d5130 LoadLibraryA
0x1400d5138 Process32FirstW
0x1400d5140 CloseHandle
0x1400d5148 GetSystemInfo
0x1400d5150 GetProcAddress
0x1400d5158 LocalFree
0x1400d5160 FreeLibrary
0x1400d5168 GetLastError
0x1400d5170 ExitProcess
0x1400d5178 MultiByteToWideChar
0x1400d5180 WideCharToMultiByte
0x1400d5188 VirtualAlloc
0x1400d5190 ReadFile
0x1400d5198 WriteFile
0x1400d51a0 CreateFileW
0x1400d51a8 GetFileSize
0x1400d51b0 GetCurrentProcess
0x1400d51b8 VirtualQuery
0x1400d51c0 GetStdHandle
0x1400d51c8 TerminateProcess
0x1400d51d0 CreateMutexA
0x1400d51d8 ReleaseMutex
0x1400d51e0 OpenMutexA
0x1400d51e8 GetModuleFileNameA
0x1400d51f0 GetVolumeInformationW
0x1400d51f8 GetGeoInfoA
0x1400d5200 HeapFree
0x1400d5208 EnterCriticalSection
0x1400d5210 GetModuleFileNameW
0x1400d5218 GetProcessId
0x1400d5220 LeaveCriticalSection
0x1400d5228 SetFilePointer
0x1400d5230 InitializeCriticalSectionEx
0x1400d5238 FreeEnvironmentStringsW
0x1400d5240 GetModuleHandleA
0x1400d5248 HeapSize
0x1400d5250 GetLogicalDriveStringsW
0x1400d5258 GetFinalPathNameByHandleA
0x1400d5260 GetTimeZoneInformation
0x1400d5268 lstrcatW
0x1400d5270 HeapReAlloc
0x1400d5278 HeapAlloc
0x1400d5280 GetComputerNameW
0x1400d5288 GetProcessHeap
0x1400d5290 GlobalMemoryStatusEx
0x1400d5298 GetModuleHandleW
0x1400d52a0 lstrcpyW
0x1400d52a8 GetEnvironmentStringsW
0x1400d52b0 SetLastError
0x1400d52b8 RtlCaptureContext
0x1400d52c0 RtlLookupFunctionEntry
0x1400d52c8 RtlVirtualUnwind
0x1400d52d0 IsDebuggerPresent
0x1400d52d8 UnhandledExceptionFilter
0x1400d52e0 SetUnhandledExceptionFilter
0x1400d52e8 IsProcessorFeaturePresent
0x1400d52f0 GetCurrentProcessId
0x1400d52f8 GetSystemTimeAsFileTime
0x1400d5300 VirtualProtect
0x1400d5308 GetFileSizeEx
0x1400d5310 SetFilePointerEx
0x1400d5318 GetCurrentThreadId
0x1400d5320 GetFileType
0x1400d5328 GetStartupInfoW
0x1400d5330 FlushFileBuffers
0x1400d5338 GetConsoleOutputCP
0x1400d5340 GetConsoleMode
0x1400d5348 GetTempPathW
0x1400d5350 FlsAlloc
0x1400d5358 FlsGetValue
0x1400d5360 FlsSetValue
0x1400d5368 FlsFree
0x1400d5370 InitializeCriticalSectionAndSpinCount
0x1400d5378 LoadLibraryExW
0x1400d5380 GetDateFormatW
0x1400d5388 GetTimeFormatW
0x1400d5390 CompareStringW
0x1400d5398 LCMapStringW
0x1400d53a0 GetLocaleInfoW
0x1400d53a8 IsValidLocale
0x1400d53b0 SetEndOfFile
0x1400d53b8 EnumSystemLocalesW
0x1400d53c0 ReadConsoleW
0x1400d53c8 RaiseException
0x1400d53d0 GetModuleHandleExW
0x1400d53d8 SetStdHandle
0x1400d53e0 IsValidCodePage
0x1400d53e8 GetACP
0x1400d53f0 GetOEMCP
0x1400d53f8 GetCPInfo
0x1400d5400 GetStringTypeW
0x1400d5408 WriteConsoleW
0x1400d5410 OutputDebugStringW
0x1400d5418 SetEnvironmentVariableW
0x1400d5420 ReleaseSRWLockExclusive
0x1400d5428 AcquireSRWLockExclusive
0x1400d5430 WakeAllConditionVariable
0x1400d5438 SleepConditionVariableSRW
0x1400d5440 QueryPerformanceCounter
0x1400d5448 InitializeSListHead
0x1400d5450 RtlUnwindEx
0x1400d5458 RtlUnwind
0x1400d5460 RtlPcToFileHeader
0x1400d5468 EncodePointer
0x1400d5470 TlsAlloc
0x1400d5478 TlsGetValue
0x1400d5480 TlsSetValue
0x1400d5488 TlsFree
0x1400d5490 GetFileAttributesExW
0x1400d5498 GetFileAttributesW
0x1400d54a0 FindFirstFileExW
0x1400d54a8 GetCurrentDirectoryW
0x1400d54b0 GetNativeSystemInfo
0x1400d54b8 LCMapStringEx
0x1400d54c0 CompareStringEx
0x1400d54c8 DecodePointer
0x1400d54d0 DeleteCriticalSection
0x1400d54d8 GetCommandLineA
0x1400d54e0 GetCommandLineW
0x1400d54e8 GetUserGeoID
0x1400d54f0 GetUserDefaultLCID
0x1400d54f8 GetLocaleInfoEx
0x1400d5500 FormatMessageA
USER32.dll
0x1400d5598 GetWindowRect
0x1400d55a0 ReleaseDC
0x1400d55a8 GetDesktopWindow
0x1400d55b0 EnumDisplayDevicesW
0x1400d55b8 GetSystemMetrics
0x1400d55c0 GetDC
GDI32.dll
0x1400d50a8 BitBlt
0x1400d50b0 CreateCompatibleBitmap
0x1400d50b8 SelectObject
0x1400d50c0 CreateCompatibleDC
0x1400d50c8 GetDeviceCaps
0x1400d50d0 DeleteDC
0x1400d50d8 GetObjectW
0x1400d50e0 DeleteObject
ADVAPI32.dll
0x1400d5000 LookupPrivilegeValueW
0x1400d5008 AdjustTokenPrivileges
0x1400d5010 GetCurrentHwProfileW
0x1400d5018 RegCloseKey
0x1400d5020 RegGetValueA
0x1400d5028 RegQueryValueExA
0x1400d5030 RegOpenKeyExA
0x1400d5038 GetUserNameW
0x1400d5040 RegEnumKeyExA
0x1400d5048 RevertToSelf
0x1400d5050 ConvertSidToStringSidA
0x1400d5058 ImpersonateLoggedOnUser
0x1400d5060 OpenProcessToken
0x1400d5068 DuplicateTokenEx
0x1400d5070 GetTokenInformation
0x1400d5078 CredEnumerateA
0x1400d5080 CredFree
SHELL32.dll
0x1400d5558 SHGetKnownFolderPath
0x1400d5560 ShellExecuteW
ole32.dll
0x1400d5738 CoTaskMemFree
0x1400d5740 CoGetObject
0x1400d5748 CoCreateInstance
0x1400d5750 CoUninitialize
0x1400d5758 CoSetProxyBlanket
0x1400d5760 CoInitializeSecurity
0x1400d5768 CoInitializeEx
OLEAUT32.dll
0x1400d5510 SysStringByteLen
0x1400d5518 SysAllocStringByteLen
0x1400d5520 SysFreeString
SHLWAPI.dll
0x1400d5570 None
0x1400d5578 None
0x1400d5580 None
0x1400d5588 None
gdiplus.dll
0x1400d5698 GdipGetImageEncodersSize
0x1400d56a0 GdipFree
0x1400d56a8 GdipDisposeImage
0x1400d56b0 GdiplusShutdown
0x1400d56b8 GdiplusStartup
0x1400d56c0 GdipCloneImage
0x1400d56c8 GdipAlloc
0x1400d56d0 GdipCreateBitmapFromScan0
0x1400d56d8 GdipCreateBitmapFromHBITMAP
0x1400d56e0 GdipSaveImageToStream
0x1400d56e8 GdipGetImageEncoders
EAT(Export Address Table) is none