Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1465166
MD5: edda8f53633b4ea2270424b850d700bf
SHA1: d1cb6ed8d18f40ed4fafd70a70c8168396912f45
SHA256: bb8fd576341c8f75f014515016614c9b84505d2704fe3e960c32afebab2c19b0
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: Loader.exe Avira: detected
Source: https://qualificationjdwko.xyz/api Avira URL Cloud: Label: malware
Source: https://sweetcalcutangkdow.xyz/api Avira URL Cloud: Label: malware
Source: https://exuberanttjdkwo.xyz/api Avira URL Cloud: Label: malware
Source: https://cooperatvassquaidmew.xyz/api Avira URL Cloud: Label: malware
Source: 3.2.aspnet_regiis.exe.550000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["deadtrainingactioniw.xyz", "qualificationjdwko.xyz", "grandcommonyktsju.xyz", "wordingnatturedowo.xyz", "crisisrottenyjs.xyz", "sweetcalcutangkdow.xyz", "cooperatvassquaidmew.xyz", "exuberanttjdkwo.xyz", "crisisrottenyjs.xyz"], "Build id": "LPnhqo--@fondnesssw"}
Source: https://qualificationjdwko.xyz/api Virustotal: Detection: 6%
Source: https://sweetcalcutangkdow.xyz/api Virustotal: Detection: 7%
Source: https://exuberanttjdkwo.xyz/api Virustotal: Detection: 6%
Source: https://cooperatvassquaidmew.xyz/api Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Roaming\d3d9.dll ReversingLabs: Detection: 57%
Source: Loader.exe Virustotal: Detection: 72%
Source: Loader.exe ReversingLabs: Detection: 79%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\d3d9.dll Joe Sandbox ML: detected
Source: Loader.exe Joe Sandbox ML: detected
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: deadtrainingactioniw.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: qualificationjdwko.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: grandcommonyktsju.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: wordingnatturedowo.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: crisisrottenyjs.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: sweetcalcutangkdow.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: cooperatvassquaidmew.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: exuberanttjdkwo.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: crisisrottenyjs.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp String decryptor: LPnhqo--@fondnesssw
Source: Loader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Loader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D331178 FindFirstFileExW, 0_2_6D331178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 00D23749h 3_2_00587090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_00587090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_00587090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [edi], ax 3_2_00563F6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx eax, word ptr [edi+esi*4] 3_2_00558170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then lea eax, dword ptr [edi+04h] 3_2_00571135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ecx+edx*8], 3BEBD150h 3_2_00584934
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edi, dword ptr [esi] 3_2_005889DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 3_2_0055D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_005891FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp esi 3_2_0058A192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [edi+ebx+01h], 00000000h 3_2_0056CA4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h 3_2_00563A7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h 3_2_00563A7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp esi 3_2_0058A260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp edx 3_2_00571A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, dword ptr [esp] 3_2_00570239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esi+40h] 3_2_00577239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_00586A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 3_2_00566340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 0850A6E6h 3_2_0058BB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00573329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_0056E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp edx 3_2_00571BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then inc ebx 3_2_00565390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_00575BB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_005763BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_0057644B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then inc eax 3_2_00562470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then xor eax, eax 3_2_0056D413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], B33E16A3h 3_2_00586CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, dword ptr [esp+00000890h] 3_2_0056E4F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_0057638D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_0056E490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edi, dword ptr [esp+5Ch] 3_2_00566CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_00574D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00572D7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 3_2_00562D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edi, dword ptr [esi+04h] 3_2_00573517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0056551E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 3_2_00563500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h 3_2_00563D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 3_2_005635C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_0056FDFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ebx, eax 3_2_005535A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esi+40h] 3_2_00577602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx eax, word ptr [edx] 3_2_00587E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp esi 3_2_0058A630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov dword ptr [esp+24h], 0000005Ch 3_2_00584695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_00582680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 3_2_0055FE8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00551755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [edi], ax 3_2_00564F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 3_2_00553760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then lea eax, dword ptr [eax+eax*4] 3_2_00558F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then or ebp, 04h 3_2_0055171B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edi], dl 3_2_00576704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, dword ptr [esp] 3_2_00559F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_00575FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then add ecx, 03h 3_2_00573FBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov dword ptr [esi], ebp 3_2_00551FA0

Networking

Source: Traffic Snort IDS: 2054125 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz) 192.168.2.9:50884 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054131 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz) 192.168.2.9:50034 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054129 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz) 192.168.2.9:61762 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054127 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz) 192.168.2.9:55520 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054123 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz) 192.168.2.9:51384 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054121 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz) 192.168.2.9:55685 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054119 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz) 192.168.2.9:57788 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054117 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz) 192.168.2.9:58515 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: deadtrainingactioniw.xyz
Source: Malware configuration extractor URLs: qualificationjdwko.xyz
Source: Malware configuration extractor URLs: grandcommonyktsju.xyz
Source: Malware configuration extractor URLs: wordingnatturedowo.xyz
Source: Malware configuration extractor URLs: crisisrottenyjs.xyz
Source: Malware configuration extractor URLs: sweetcalcutangkdow.xyz
Source: Malware configuration extractor URLs: cooperatvassquaidmew.xyz
Source: Malware configuration extractor URLs: exuberanttjdkwo.xyz
Source: Malware configuration extractor URLs: crisisrottenyjs.xyz
Source: DNS query: crisisrottenyjs.xyz
Source: DNS query: exuberanttjdkwo.xyz
Source: DNS query: cooperatvassquaidmew.xyz
Source: DNS query: sweetcalcutangkdow.xyz
Source: DNS query: wordingnatturedowo.xyz
Source: DNS query: grandcommonyktsju.xyz
Source: DNS query: qualificationjdwko.xyz
Source: DNS query: deadtrainingactioniw.xyz
Source: unknown DNS traffic detected: query: grandcommonyktsju.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: deadtrainingactioniw.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: sweetcalcutangkdow.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: crisisrottenyjs.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: wordingnatturedowo.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: cooperatvassquaidmew.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: exuberanttjdkwo.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: qualificationjdwko.xyz reply code: Name error (3, NXDOMAIN)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: global traffic DNS traffic detected: DNS query: crisisrottenyjs.xyz
Source: global traffic DNS traffic detected: DNS query: exuberanttjdkwo.xyz
Source: global traffic DNS traffic detected: DNS query: cooperatvassquaidmew.xyz
Source: global traffic DNS traffic detected: DNS query: sweetcalcutangkdow.xyz
Source: global traffic DNS traffic detected: DNS query: wordingnatturedowo.xyz
Source: global traffic DNS traffic detected: DNS query: grandcommonyktsju.xyz
Source: global traffic DNS traffic detected: DNS query: qualificationjdwko.xyz
Source: global traffic DNS traffic detected: DNS query: deadtrainingactioniw.xyz
Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cooperatvassquaidmew.xyz/
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cooperatvassquaidmew.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisisrottenyjs.xyz/api
Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deadtrainingactioniw.xyz/
Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deadtrainingactioniw.xyz/0
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://deadtrainingactioniw.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://exuberanttjdkwo.xyz/api
Source: aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grandcommonyktsju.xyz/
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grandcommonyktsju.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grandcommonyktsju.xyz/apiz?
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/7
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/A
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/apidO
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://qualificationjdwko.xyz/apizC
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sweetcalcutangkdow.xyz/
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sweetcalcutangkdow.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sweetcalcutangkdow.xyz/apiz9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0057ED60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_0057ED60
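The configuration extractor output and the decrypted strings above (the C2 domain list, the TeslaBrowser/5.5 user agent and the lid=%s&j=%s&ver=4.0 POST body) map directly onto detection logic. The Python below is an added example and is not part of the Joe Sandbox report or of the malware: it normalises the extracted C2 list (the config repeats crisisrottenyjs.xyz, so the de-duplicated set has 8 entries) and runs the resulting indicators over constructed DNS and HTTP proxy log lines. The log formats, the sample lines and the hit labels are this example's own assumptions. In the sandbox run every C2 lookup returned NXDOMAIN, so only the DNS check would have fired there; the HTTP check covers the check-in that follows a successful resolution.

```python
"""Added example (not part of the sandbox report): turn the extracted LummaC
configuration and decrypted strings into detection logic and run it over
constructed DNS and HTTP proxy log lines."""
import json
import re
from urllib.parse import urlsplit

# Configuration exactly as printed by the report's Malware Configuration
# Extractor. Note the duplicate entry; c2_domains() removes it.
LUMMAC_CONFIG = json.loads(
    '{"C2 url": ["deadtrainingactioniw.xyz", "qualificationjdwko.xyz", '
    '"grandcommonyktsju.xyz", "wordingnatturedowo.xyz", "crisisrottenyjs.xyz", '
    '"sweetcalcutangkdow.xyz", "cooperatvassquaidmew.xyz", "exuberanttjdkwo.xyz", '
    '"crisisrottenyjs.xyz"], "Build id": "LPnhqo--@fondnesssw"}'
)

# Decrypted strings from the report: the C2 User-Agent and the POST body format.
LUMMAC_USER_AGENT = "TeslaBrowser/5.5"
BEACON_BODY_RE = re.compile(r"^lid=[^&]+&j=[^&]+&ver=\d+\.\d+$")


def c2_domains(config):
    """Lower-case, de-duplicated C2 domain set from the extracted config."""
    return {d.strip().lower().rstrip(".") for d in config["C2 url"]}


def domain_matches(name, domains):
    """True if `name` is a C2 domain or a subdomain of one (e.g. www.<c2>)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_dns_log(lines, domains):
    """Flag DNS queries for C2 domains. Assumed (constructed) log format:
    '<ts> <client> query <qname> rcode=<code>'. Returns (client, qname, rcode)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        if domain_matches(parts[3], domains):
            hits.append((parts[1], parts[3], parts[4]))
    return hits


def scan_http_log(lines, domains):
    """Flag requests that look like a LummaC check-in: a C2 host, the
    TeslaBrowser UA, or a POST with the lid/j/ver body. Assumed (constructed)
    log format: '<ts> <client> <method> <url> ua="<ua>" body="<body>"'."""
    rec_re = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)" body="([^"]*)"$')
    hits = []
    for line in lines:
        m = rec_re.match(line)
        if not m:
            continue
        _ts, client, method, url, ua, body = m.groups()
        host = urlsplit(url).hostname or ""
        reasons = []
        if domain_matches(host, domains):
            reasons.append("c2-domain")
        if ua == LUMMAC_USER_AGENT:
            reasons.append("tesla-ua")
        if method == "POST" and BEACON_BODY_RE.match(body):
            reasons.append("beacon-body")
        if reasons:
            hits.append((client, host, tuple(reasons)))
    return hits


# Constructed sample logs. The first DNS line mirrors the Snort alert above;
# the third HTTP line shows the body check catching an unknown C2 host.
SAMPLE_DNS = [
    "2024-06-28T10:00:01Z 192.168.2.9 query crisisrottenyjs.xyz rcode=NXDOMAIN",
    "2024-06-28T10:00:02Z 192.168.2.9 query www.microsoft.com rcode=NOERROR",
    "2024-06-28T10:00:03Z 192.168.2.9 query cdn.qualificationjdwko.xyz. rcode=NXDOMAIN",
]
SAMPLE_HTTP = [
    '2024-06-28T10:00:04Z 192.168.2.9 POST https://qualificationjdwko.xyz/api '
    'ua="TeslaBrowser/5.5" body="lid=LPnhqo--@fondnesssw&j=abc&ver=4.0"',
    '2024-06-28T10:00:05Z 192.168.2.9 GET https://www.microsoft.com/ '
    'ua="Mozilla/5.0" body=""',
    '2024-06-28T10:00:06Z 192.168.2.10 POST https://198.51.100.7/api '
    'ua="Mozilla/5.0" body="lid=XYZ&j=def&ver=4.0"',
]

if __name__ == "__main__":
    c2 = c2_domains(LUMMAC_CONFIG)
    print(f"{len(c2)} unique C2 domains (config listed {len(LUMMAC_CONFIG['C2 url'])})")
    for hit in scan_dns_log(SAMPLE_DNS, c2):
        print("DNS  hit:", hit)
    for hit in scan_http_log(SAMPLE_HTTP, c2):
        print("HTTP hit:", hit)
```

The body and user-agent checks are deliberately independent of the domain list: LummaC domains rotate quickly (all eight here were already NXDOMAIN at analysis time), while the check-in format and user agent come from the decrypted strings in the binary itself and survive a domain rotation.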

System Summary

Source: Loader.exe Static PE information: section name: "GT]\
Source: Loader.exe Static PE information: section name:
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D322ED0 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess, 0_2_6D322ED0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D321090 0_2_6D321090
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D323750 0_2_6D323750
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D322ED0 0_2_6D322ED0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D32BC40 0_2_6D32BC40
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D337715 0_2_6D337715
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D3233E0 0_2_6D3233E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0055F070 3_2_0055F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00551000 3_2_00551000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00587090 3_2_00587090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00558170 3_2_00558170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00567171 3_2_00567171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00571135 3_2_00571135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0058A192 3_2_0058A192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_005749A0 3_2_005749A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0058C250 3_2_0058C250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00555A40 3_2_00555A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0056CA4C 3_2_0056CA4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0058A260 3_2_0058A260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00571A15 3_2_00571A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00570239 3_2_00570239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00553AA0 3_2_00553AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00576BF9 3_2_00576BF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00575BEA 3_2_00575BEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0056D413 3_2_0056D413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00570C00 3_2_00570C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00556CB0 3_2_00556CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00566CB0 3_2_00566CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00554540 3_2_00554540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00572D7E 3_2_00572D7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0056F511 3_2_0056F511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00577DF3 3_2_00577DF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0058A630 3_2_0058A630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00554F50 3_2_00554F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0058A740 3_2_0058A740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0058BF40 3_2_0058BF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00558F60 3_2_00558F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00556780 3_2_00556780
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 6D32CCA0 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 00559550 appears 149 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 00558C40 appears 45 times
Source: Loader.exe, 00000000.00000000.1370386916.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCosmicEdge40765084938.exeT vs Loader.exe
Source: Loader.exe, 00000000.00000002.1387171648.00000000014BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Loader.exe
Source: Loader.exe Binary or memory string: OriginalFilenameCosmicEdge40765084938.exeT vs Loader.exe
Source: Loader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Loader.exe Static PE information: Section: "GT]\ ZLIB complexity 1.0003398362810707
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/2@8/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0057C16B CoCreateInstance, 3_2_0057C16B
Source: C:\Users\user\Desktop\Loader.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Users\user\Desktop\Loader.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: Loader.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Loader.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Loader.exe Virustotal: Detection: 72%
Source: Loader.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Loader.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Loader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Loader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\Loader.exe Unpacked PE file: 0.2.Loader.exe.c70000.0.unpack "GT]\:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: Loader.exe Static PE information: section name: "GT]\
Source: Loader.exe Static PE information: section name:
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D337E44 push ecx; ret 0_2_6D337E57
Source: Loader.exe Static PE information: section name: "GT]\ entropy: 7.999307018864717
Source: C:\Users\user\Desktop\Loader.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Users\user\Desktop\Loader.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Loader.exe PID: 7336, type: MEMORYSTR
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 30C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 16B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 56C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 66C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 67F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 77F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 7B40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 8B40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 9B40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Loader.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Loader.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Users\user\Desktop\Loader.exe TID: 7432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7476 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D331178 FindFirstFileExW, 0_2_6D331178
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00588AA0 LdrInitializeThunk, 3_2_00588AA0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D32CB2A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D32CB2A
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D33289B GetProcessHeap, 0_2_6D33289B
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D32C651 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D32C651
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D330AC7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D330AC7
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Loader.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D323750 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_6D323750
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 value starts with: 4D5A
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: deadtrainingactioniw.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: qualificationjdwko.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: grandcommonyktsju.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: wordingnatturedowo.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: crisisrottenyjs.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: sweetcalcutangkdow.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: cooperatvassquaidmew.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: exuberanttjdkwo.xyz
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 551000
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 58D000
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 590000
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 5A2000
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A6008
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D32CCE8 cpuid 0_2_6D32CCE8
Source: C:\Users\user\Desktop\Loader.exe Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6D32C773 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6D32C773

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
No contacted IP infos