Windows Analysis Report
8yprhxqBVs.exe

Overview

General Information

Sample name: 8yprhxqBVs.exe
(renamed because the original name is a hash value)
Original sample name: 7acc6aaa73ad3bb7b36771f3c9311a0c.exe
Analysis ID: 1464584
MD5: 7acc6aaa73ad3bb7b36771f3c9311a0c
SHA1: da764b355b5f6c54f55ce7f1087de4b0de462478
SHA256: 93255a8d0cd55878926f556e68a34cdc802c5316bd469f035a1a3481299ac133
Tags: 32, exe, trojan

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 8yprhxqBVs.exe.7412.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["deadtrainingactioniw.xyzn", "qualificationjdwko.xyz", "grandcommonyktsju.xyz", "wordingnatturedowo.xyz", "crisisrottenyjs.xyz", "sweetcalcutangkdow.xyz", "cooperatvassquaidmew.xyzn", "exuberanttjdkwo.xyz"], "Build id": "bOKHNM--"}
Source: https://sweetcalcutangkdow.xyz/api Virustotal: Detection: 5%
Source: 8yprhxqBVs.exe ReversingLabs: Detection: 58%
Source: 8yprhxqBVs.exe Virustotal: Detection: 28%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.7% probability
Source: 8yprhxqBVs.exe Joe Sandbox ML: detected
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: deadtrainingactioniw.xyzn
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: qualificationjdwko.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: grandcommonyktsju.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: wordingnatturedowo.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: crisisrottenyjs.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: sweetcalcutangkdow.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: cooperatvassquaidmew.xyzn
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: exuberanttjdkwo.xyz
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String decryptor: bOKHNM--
Source: 8yprhxqBVs.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8yprhxqBVs.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2054123 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz) 192.168.2.4:52161 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054131 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz) 192.168.2.4:55481 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054129 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz) 192.168.2.4:54788 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054127 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz) 192.168.2.4:55158 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054125 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz) 192.168.2.4:52303 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054121 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz) 192.168.2.4:53151 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054119 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz) 192.168.2.4:64410 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054117 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz) 192.168.2.4:56912 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: deadtrainingactioniw.xyzn
Source: Malware configuration extractor URLs: qualificationjdwko.xyz
Source: Malware configuration extractor URLs: grandcommonyktsju.xyz
Source: Malware configuration extractor URLs: wordingnatturedowo.xyz
Source: Malware configuration extractor URLs: crisisrottenyjs.xyz
Source: Malware configuration extractor URLs: sweetcalcutangkdow.xyz
Source: Malware configuration extractor URLs: cooperatvassquaidmew.xyzn
Source: Malware configuration extractor URLs: exuberanttjdkwo.xyz
Source: DNS query: wordingnatturedowo.xyz
Source: DNS query: exuberanttjdkwo.xyz
Source: DNS query: cooperatvassquaidmew.xyz
Source: DNS query: sweetcalcutangkdow.xyz
Source: DNS query: crisisrottenyjs.xyz
Source: DNS query: grandcommonyktsju.xyz
Source: DNS query: qualificationjdwko.xyz
Source: DNS query: deadtrainingactioniw.xyz
Source: unknown DNS traffic detected: query: grandcommonyktsju.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: deadtrainingactioniw.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: sweetcalcutangkdow.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: crisisrottenyjs.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: wordingnatturedowo.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cooperatvassquaidmew.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: exuberanttjdkwo.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: qualificationjdwko.xyz replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: wordingnatturedowo.xyz
Source: global traffic DNS traffic detected: DNS query: exuberanttjdkwo.xyz
Source: global traffic DNS traffic detected: DNS query: cooperatvassquaidmew.xyz
Source: global traffic DNS traffic detected: DNS query: sweetcalcutangkdow.xyz
Source: global traffic DNS traffic detected: DNS query: crisisrottenyjs.xyz
Source: global traffic DNS traffic detected: DNS query: grandcommonyktsju.xyz
Source: global traffic DNS traffic detected: DNS query: qualificationjdwko.xyz
Source: global traffic DNS traffic detected: DNS query: deadtrainingactioniw.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cooperatvassquaidmew.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisisrottenyjs.xyz/SOR
Source: 8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisisrottenyjs.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deadtrainingactioniw.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deadtrainingactioniw.xyz/)G4
Source: 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deadtrainingactioniw.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deadtrainingactioniw.xyz/api(
Source: 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001974000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deadtrainingactioniw.xyz:443/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://exuberanttjdkwo.xyz/es(
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grandcommonyktsju.xyz/B
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/a
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001952000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001952000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/api4
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sweetcalcutangkdow.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693473089.0000000001966000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sweetcalcutangkdow.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693036124.00000000017A8000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://turbosms.ua
Source: 8yprhxqBVs.exe, 00000000.00000002.1693446277.000000000194B000.00000004.00000020.00020000.00000000.sdmp, 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wordingnatturedowo.xyz/
Source: 8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wordingnatturedowo.xyz/api
Source: 8yprhxqBVs.exe, 00000000.00000002.1693326538.000000000192E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wordingnatturedowo.xyz/apisX
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Code function: 0_2_00EADC70 OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard, 0_2_00EADC70
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Code function: String function: 00E89170 appears 131 times
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Code function: String function: 00E88B50 appears 72 times
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@8/0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\8yprhxqBVs.exe File read: C:\Users\user\Desktop\8yprhxqBVs.exe
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Section loaded: msasn1.dll
Source: 8yprhxqBVs.exe Static file information: File size 6253568 > 1048576
Source: 8yprhxqBVs.exe Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x5ed400
Source: initial sample Static PE information: section where entry point is pointing to: .vmp
Source: 8yprhxqBVs.exe Static PE information: section name: .vmp
Source: 8yprhxqBVs.exe Static PE information: section name: .vmp
Source: 8yprhxqBVs.exe Static PE information: section name: .vmp
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Code function: 0_2_00E8802D push eax; ret 0_2_00E88033

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\8yprhxqBVs.exe API/Special instruction interceptor: Address: 166BCC0
Source: C:\Users\user\Desktop\8yprhxqBVs.exe API/Special instruction interceptor: Address: 1374981
Source: C:\Users\user\Desktop\8yprhxqBVs.exe API/Special instruction interceptor: Address: 1740D60
Source: C:\Users\user\Desktop\8yprhxqBVs.exe API/Special instruction interceptor: Address: 11BDE75
Source: C:\Users\user\Desktop\8yprhxqBVs.exe API/Special instruction interceptor: Address: 1685F2E
Source: C:\Users\user\Desktop\8yprhxqBVs.exe API/Special instruction interceptor: Address: 133CA72
Source: C:\Users\user\Desktop\8yprhxqBVs.exe API/Special instruction interceptor: Address: 17818E2
Source: C:\Users\user\Desktop\8yprhxqBVs.exe API/Special instruction interceptor: Address: 11BA5AE
Source: C:\Users\user\Desktop\8yprhxqBVs.exe TID: 7428 Thread sleep time: -30000s >= -30000s
Source: 8yprhxqBVs.exe, 00000000.00000003.1689828729.0000000001948000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: C:\Users\user\Desktop\8yprhxqBVs.exe Code function: 0_2_00EB6B90 LdrInitializeThunk, 0_2_00EB6B90

HIPS / PFW / Operating System Protection Evasion

Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: deadtrainingactioniw.xyzn
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: qualificationjdwko.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: grandcommonyktsju.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: wordingnatturedowo.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: crisisrottenyjs.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: sweetcalcutangkdow.xyz
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: cooperatvassquaidmew.xyzn
Source: 8yprhxqBVs.exe, 00000000.00000002.1690923515.0000000000EBB000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: exuberanttjdkwo.xyz

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
No contacted IP information