Report - lem.exe

Gen1 Emotet Generic Malware Malicious Library Antivirus UPX Downloader Malicious Packer Anti_VM PE File PE32 OS Processor Check MZP Format DLL .NET DLL PE64 DllRegisterServer dll ftp
Created 2025.02.21 16:32 Machine s1_win7_x6401
Filename lem.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score Not found Behavior Score
ZERO API file : malicious
VT API (file) 14 detected (AIDetectMalware, Artemis, Unsafe, grayware, confidence, Vidar, MALICIOUS, LummaStealer)
md5 0c38e5cacc997db36aeb4678c1ddf3bc
sha256 62c09b2435ff52e29a56f8474f6307084383d73ecbf5dc62bd9767a23d50ec39
ssdeep 393216:Pkcbf0j8aPknFM7mqF6WEuDLEXgqqIv1MCNrrPgLX3wRHyNn:ccj0PPknFymqXE8gXKkJrPgL6SZ
imphash 48aa5c8931746a9655524f67b25a47ef
impfuzzy 48:o4/c+4QjuC5Q4FNO0MeAXGo4E/gjF5J/RscZr91budS19WOG/iB:oc94A5TNO0MHYZrHeS1oXiB
  Network IP location

Signature (12cnts)

Level Description
watch File has been identified by 14 AntiVirus engines on VirusTotal as malicious
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (28cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_1_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Network_Downloader File Downloader binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info ftp_command ftp command binaries (download)
info Is_DotNET_DLL (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids


IAT(Import Address Table) Library

 0x4192fc SysFreeString
 0x419300 SysReAllocStringLen
 0x419304 SysAllocStringLen
 0x41930c RegQueryValueExW
 0x419310 RegOpenKeyExW
 0x419314 RegCloseKey
 0x41931c GetKeyboardType
 0x419320 LoadStringW
 0x419324 MessageBoxA
 0x419328 CharNextW
 0x419330 GetACP
 0x419334 Sleep
 0x419338 VirtualFree
 0x41933c VirtualAlloc
 0x419340 GetSystemInfo
 0x419344 GetTickCount
 0x419348 QueryPerformanceCounter
 0x41934c GetVersion
 0x419350 GetCurrentThreadId
 0x419354 VirtualQuery
 0x419358 WideCharToMultiByte
 0x41935c MultiByteToWideChar
 0x419360 lstrlenW
 0x419364 lstrcpynW
 0x419368 LoadLibraryExW
 0x41936c GetThreadLocale
 0x419370 GetStartupInfoA
 0x419374 GetProcAddress
 0x419378 GetModuleHandleW
 0x41937c GetModuleFileNameW
 0x419380 GetLocaleInfoW
 0x419384 GetCommandLineW
 0x419388 FreeLibrary
 0x41938c FindFirstFileW
 0x419390 FindClose
 0x419394 ExitProcess
 0x419398 WriteFile
 0x41939c UnhandledExceptionFilter
 0x4193a0 RtlUnwind
 0x4193a4 RaiseException
 0x4193a8 GetStdHandle
 0x4193ac CloseHandle
 0x4193b4 TlsSetValue
 0x4193b8 TlsGetValue
 0x4193bc LocalAlloc
 0x4193c0 GetModuleHandleW
 0x4193c8 CreateWindowExW
 0x4193cc TranslateMessage
 0x4193d0 SetWindowLongW
 0x4193d4 PeekMessageW
 0x4193d8 MsgWaitForMultipleObjects
 0x4193dc MessageBoxW
 0x4193e0 LoadStringW
 0x4193e4 GetSystemMetrics
 0x4193e8 ExitWindowsEx
 0x4193ec DispatchMessageW
 0x4193f0 DestroyWindow
 0x4193f4 CharUpperBuffW
 0x4193f8 CallWindowProcW
 0x419400 WriteFile
 0x419404 WideCharToMultiByte
 0x419408 WaitForSingleObject
 0x41940c VirtualQuery
 0x419410 VirtualProtect
 0x419414 VirtualFree
 0x419418 VirtualAlloc
 0x41941c SizeofResource
 0x419420 SignalObjectAndWait
 0x419424 SetLastError
 0x419428 SetFilePointer
 0x41942c SetEvent
 0x419430 SetErrorMode
 0x419434 SetEndOfFile
 0x419438 ResetEvent
 0x41943c RemoveDirectoryW
 0x419440 ReadFile
 0x419444 MultiByteToWideChar
 0x419448 LockResource
 0x41944c LoadResource
 0x419450 LoadLibraryW
 0x419454 GetWindowsDirectoryW
 0x419458 GetVersionExW
 0x41945c GetUserDefaultLangID
 0x419460 GetThreadLocale
 0x419464 GetSystemInfo
 0x419468 GetStdHandle
 0x41946c GetProcAddress
 0x419470 GetModuleHandleW
 0x419474 GetModuleFileNameW
 0x419478 GetLocaleInfoW
 0x41947c GetLastError
 0x419480 GetFullPathNameW
 0x419484 GetFileSize
 0x419488 GetFileAttributesW
 0x41948c GetExitCodeProcess
 0x419490 GetEnvironmentVariableW
 0x419494 GetDiskFreeSpaceW
 0x419498 GetCurrentProcess
 0x41949c GetCommandLineW
 0x4194a0 GetCPInfo
 0x4194a4 InterlockedExchange
 0x4194a8 InterlockedCompareExchange
 0x4194ac FreeLibrary
 0x4194b0 FormatMessageW
 0x4194b4 FindResourceW
 0x4194b8 EnumCalendarInfoW
 0x4194bc DeleteFileW
 0x4194c0 CreateProcessW
 0x4194c4 CreateFileW
 0x4194c8 CreateEventW
 0x4194cc CreateDirectoryW
 0x4194d0 CloseHandle
 0x4194d8 RegQueryValueExW
 0x4194dc RegOpenKeyExW
 0x4194e0 RegCloseKey
 0x4194e4 OpenProcessToken
 0x4194e8 LookupPrivilegeValueW
 0x4194f0 InitCommonControls
 0x4194f8 Sleep
 0x419500 AdjustTokenPrivileges

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure