Windows Analysis Report
07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe

Overview

General Information

Sample name: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe
Analysis ID: 1465250
MD5: 9e849d8e3b0b04bc6a5962972e56e62a
SHA1: c9b60072e3690d47df4b1814f71b03110f775abc
SHA256: 812e0c9b8511b090c461252ef56cae8c19b78acb964f240e45c840cee578846b
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Avira: detected
Source: contintnetksows.shop Avira URL Cloud: Label: malware
Source: potterryisiw.shop Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz Avira URL Cloud: Label: malware
Source: penetratedpoopp.xyz Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop Avira URL Cloud: Label: malware
Source: pedestriankodwu.xyz Avira URL Cloud: Label: malware
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyzd", "ellaboratepwsz.xyzu", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], "Build id": "H8NgCl--default2806"}
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Virustotal: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.0% probability
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Joe Sandbox ML: detected
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: pedestriankodwu.xyz
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: towerxxuytwi.xyzd
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: ellaboratepwsz.xyzu
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: penetratedpoopp.xyz
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: swellfrrgwwos.xyz
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: contintnetksows.shop
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: foodypannyjsud.shop
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: potterryisiw.shop
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: potterryisiw.shop
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: TeslaBrowser/5.5
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: - Screen Resoluton:
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: - Physical Installed Memory:
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: Workgroup: -
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe String decryptor: H8NgCl--default2806
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
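The extracted configuration, the decrypted "TeslaBrowser/5.5" user agent and the "lid=%s&j=%s&ver=4.0" POST body format above are the network indicators a defender can act on. The following is an added example (not part of this report, the sandbox engine, or the sample) that loads the configuration exactly as the extractor printed it, de-duplicates the C2 list (potterryisiw.shop appears twice), and matches those indicators against proxy log lines. The log-line layout and the SAMPLE_LOG entries are constructed for the example and are an assumption, not traffic captured from the sample.

```python
"""Match the LummaC indicators extracted in this report against proxy logs.

Added example; it is not part of the Joe Sandbox report or of the sample. The
config JSON, the "TeslaBrowser/5.5" user agent and the "lid=%s&j=%s&ver=4.0"
POST body format are copied from the report. The log-line layout and the
SAMPLE_LOG entries are constructed for this example (assumption).
"""
import json
import re
from urllib.parse import parse_qs

# Malware configuration exactly as the report's extractor printed it.
CONFIG_JSON = (
    '{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyzd", "ellaboratepwsz.xyzu", '
    '"penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", '
    '"foodypannyjsud.shop", "potterryisiw.shop", "potterryisiw.shop"], '
    '"Build id": "H8NgCl--default2806"}'
)
USER_AGENT = "TeslaBrowser/5.5"    # decrypted string listed in the report
POST_KEYS = {"lid", "j", "ver"}    # field names of "lid=%s&j=%s&ver=4.0"
POST_VER = "4.0"


def load_c2(config_json):
    """Return the C2 hosts lower-cased and de-duplicated (the extractor lists
    potterryisiw.shop twice), preserving the extractor's order."""
    hosts = []
    for host in json.loads(config_json)["C2 url"]:
        h = host.strip().lower()
        if h and h not in hosts:
            hosts.append(h)
    return hosts


# Assumed proxy-log layout: <ts> <method> <host> <path> "<user-agent>" "<body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'"(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)


def check_line(line, c2_hosts):
    """Return the indicator names a single log line matches (possibly none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    host = m["host"].lower()
    # Match the configured host itself or any subdomain of it.
    for c2 in c2_hosts:
        if host == c2 or host.endswith("." + c2):
            hits.append("c2-host:" + c2)
            break
    if m["ua"] == USER_AGENT:
        hits.append("ua:" + USER_AGENT)
    if m["method"] == "POST":
        fields = parse_qs(m["body"], keep_blank_values=True)
        # Same three fields as the decrypted format string, with ver=4.0.
        if POST_KEYS <= set(fields) and fields.get("ver") == [POST_VER]:
            hits.append("body:lid/j/ver=" + POST_VER)
    return hits


def scan(lines, config_json=CONFIG_JSON):
    """Map line index -> list of matched indicators, for lines that hit."""
    c2_hosts = load_c2(config_json)
    results = {}
    for idx, line in enumerate(lines):
        hits = check_line(line, c2_hosts)
        if hits:
            results[idx] = hits
    return results


# Constructed log lines (not real traffic from the sample).
SAMPLE_LOG = [
    '2024-07-01T10:00:01Z GET www.example.com /index.html "Mozilla/5.0" ""',
    '2024-07-01T10:00:02Z POST potterryisiw.shop /api "TeslaBrowser/5.5" "lid=test&j=&ver=4.0"',
    '2024-07-01T10:00:03Z POST cdn.example.net /upload "TeslaBrowser/5.5" "file=x"',
    '2024-07-01T10:00:04Z GET www.towerxxuytwi.xyzd / "Mozilla/5.0" ""',
]

if __name__ == "__main__":
    for idx, hits in sorted(scan(SAMPLE_LOG).items()):
        print(idx, ", ".join(hits))
```

The three indicators are scored independently on purpose: a C2 host hit is strong on its own, while the user agent or the lid/j/ver body shape alone is weaker and is best used to pivot into the matching host, as the second and third constructed lines show.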
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp ecx 0_2_0047B00A
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov ecx, dword ptr [esp+14h] 0_2_004580AA
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov ebx, eax 0_2_004641DE
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h 0_2_004641DE
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00479270
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 0_2_004612D0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h 0_2_004612D0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then cmp word ptr [esi+eax], 0000h 0_2_00465350
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov edx, ecx 0_2_004483F0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov word ptr [ecx+eax*4], bx 0_2_004483F0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp eax 0_2_0045343E
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then push edi 0_2_00466483
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp esi 0_2_0047C4BB
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp esi 0_2_0047C5C0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 0_2_00456637
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp ecx 0_2_0047B776
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp esi 0_2_0047C7C0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp esi 0_2_0047C8C0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00453940
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 0_2_00463976
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp ecx 0_2_00463976
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0045B990
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 0_2_0044EA70
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00466A10
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00465A2A
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then inc ebx 0_2_00456AD0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3BEBD150h 0_2_00476AD2
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov edx, dword ptr [esp+00000A90h] 0_2_0045FAE0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00468A88
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then cmp word ptr [esi+ebx], 0000h 0_2_0045BB40
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00473BF0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov eax, dword ptr [00489828h] 0_2_0047AC04
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00478C80
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov eax, dword ptr [edi+0Ch] 0_2_00442D60
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00453D71
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov eax, edi 0_2_00462E75
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then jmp edx 0_2_00461EB0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00468F65
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov ecx, dword ptr [esp+000000F4h] 0_2_00464F10
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then cmp word ptr [esi+eax], 0000h 0_2_00464F10
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 4x nop then mov edx, dword ptr [esp+18h] 0_2_0044FF30
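The "4x nop then ..." findings above are a static heuristic: runs of four NOP bytes followed by an ordinary instruction, several of them register-indirect jumps (jmp ecx, jmp eax, jmp esi, jmp edx), which is a shape typical of obfuscated or hand-written code rather than compiler output. The following added example (not from the report or the sandbox engine) finds that shape in a raw x86 byte buffer. It is narrower than the sandbox heuristic: without a disassembler it only decodes the indirect jmp/call forms (opcode FF with a register ModRM), not the mov/cmp cases. The CODE buffer is hand-built for the example and is not the sample's code, so the offsets it reports are positions in that buffer, not the 0x0047xxxx addresses in the report. Because it scans bytes rather than instruction boundaries, 0x90 bytes inside immediates or displacements can produce false hits, so confirm any result in a disassembler.

```python
"""Find "4x nop then <indirect jmp/call>" sequences in raw x86 code.

Added example, not part of the Joe Sandbox report. CODE below is constructed
for the example; it is not the analysed sample's code.
"""
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_indirect(buf, off):
    """If buf[off:] starts with 'jmp r32' (FF /4, ModRM mod=11) or 'call r32'
    (FF /2, ModRM mod=11), return its mnemonic; otherwise None."""
    if off + 1 >= len(buf) or buf[off] != 0xFF:
        return None
    modrm = buf[off + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:            # register-direct form only
        return None
    if reg == 4:
        return "jmp " + REG32[rm]
    if reg == 2:
        return "call " + REG32[rm]
    return None


def find_nop_then_indirect(buf, run=4):
    """Return (offset_of_first_nop, mnemonic) for every run of exactly `run`
    0x90 bytes (longer sleds are skipped) followed by an indirect jmp/call.

    Caveat: this is a byte scan, not a disassembly, so 0x90 bytes inside an
    immediate or displacement can yield false positives."""
    hits = []
    i, n = 0, len(buf)
    while i < n:
        if buf[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and buf[j] == 0x90:
            j += 1
        if j - i == run:
            mnemonic = decode_indirect(buf, j)
            if mnemonic:
                hits.append((i, mnemonic))
        i = j
    return hits


# Constructed buffer (assumption): mixes the shapes the scanner should and
# should not report.
CODE = bytes.fromhex(
    "8b4c2414"     # mov ecx, [esp+14h]
    "90909090"     # 4 nops               (offset 4)
    "ffe1"         # jmp ecx              -> reported
    "55"           # push ebp
    "9090"         # 2 nops
    "ffe0"         # jmp eax              -> not reported (only 2 nops)
    "90909090"     # 4 nops               (offset 15)
    "8b0424"       # mov eax, [esp]       -> not reported (not indirect)
    "9090909090"   # 5 nops
    "ffe6"         # jmp esi              -> not reported (sled too long)
    "90909090"     # 4 nops               (offset 29)
    "ffd2"         # call edx             -> reported
    "c3"           # ret
)

if __name__ == "__main__":
    for off, mnem in find_nop_then_indirect(CODE):
        print(f"{off:#06x}: 4x nop then {mnem}")
```

To run this over a real file, read the .text section bytes (the report shows the sample has a single executable .text section) and add the section's virtual address to each reported offset to get an RVA comparable to the report's addresses.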

Networking

Source: Malware configuration extractor URLs: pedestriankodwu.xyz
Source: Malware configuration extractor URLs: towerxxuytwi.xyzd
Source: Malware configuration extractor URLs: ellaboratepwsz.xyzu
Source: Malware configuration extractor URLs: penetratedpoopp.xyz
Source: Malware configuration extractor URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor URLs: contintnetksows.shop
Source: Malware configuration extractor URLs: foodypannyjsud.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: Malware configuration extractor URLs: potterryisiw.shop
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00470CF0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00470CF0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00470F10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 0_2_00470F10
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00449060 0_2_00449060
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00441000 0_2_00441000
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00476120 0_2_00476120
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_004641DE 0_2_004641DE
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_004611E6 0_2_004611E6
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047E1E0 0_2_0047E1E0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00479270 0_2_00479270
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0045E2CE 0_2_0045E2CE
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_004483F0 0_2_004483F0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047C4BB 0_2_0047C4BB
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00462569 0_2_00462569
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047E510 0_2_0047E510
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047C5C0 0_2_0047C5C0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_004435E0 0_2_004435E0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00457592 0_2_00457592
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0046166A 0_2_0046166A
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00446770 0_2_00446770
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047C7C0 0_2_0047C7C0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_004627B0 0_2_004627B0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047C8C0 0_2_0047C8C0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_004588EE 0_2_004588EE
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00463976 0_2_00463976
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00443990 0_2_00443990
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047CA00 0_2_0047CA00
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00457AC5 0_2_00457AC5
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00466CC0 0_2_00466CC0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00441CDA 0_2_00441CDA
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00441CA4 0_2_00441CA4
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00446D40 0_2_00446D40
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047CD60 0_2_0047CD60
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0044FD90 0_2_0044FD90
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00444E70 0_2_00444E70
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00462EE3 0_2_00462EE3
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00462F52 0_2_00462F52
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00461F5A 0_2_00461F5A
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0045EF39 0_2_0045EF39
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_00442FA0 0_2_00442FA0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: String function: 00448E40 appears 47 times
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: String function: 004495C0 appears 197 times
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0046F339 CoCreateInstance, 0_2_0046F339
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Virustotal: Detection: 47%
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe File read: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Jump to behavior
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Section loaded: apphelp.dll Jump to behavior
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe Code function: 0_2_0047AAC0 LdrInitializeThunk, 0_2_0047AAC0

HIPS / PFW / Operating System Protection Evasion

Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe, 00000000.00000002.3255981248.0000000000877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: pedestriankodwu.xyz
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe, 00000000.00000002.3255981248.0000000000877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: towerxxuytwi.xyzd
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe, 00000000.00000002.3255981248.0000000000877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ellaboratepwsz.xyzu
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe, 00000000.00000002.3255981248.0000000000877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: penetratedpoopp.xyz
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe, 00000000.00000002.3255981248.0000000000877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: swellfrrgwwos.xyz
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe, 00000000.00000002.3255981248.0000000000877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: contintnetksows.shop
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe, 00000000.00000002.3255981248.0000000000877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: foodypannyjsud.shop
Source: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35_dump.exe, 00000000.00000002.3255981248.0000000000877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: potterryisiw.shop

Stealing of Sensitive Information

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Contacted IPs

No contacted IP infos