Windows Analysis Report
tGm4SuP0sz.exe

Overview

General Information

Sample name: tGm4SuP0sz.exe
renamed because original name is a hash value
Original sample name: 42dcacc7a076e1496d9650cf3fed897e3267577cf23fa47cf8591e508984cbbc.exe
Analysis ID: 1465359
MD5: cabeb02d14a76418addc20a3943681c8
SHA1: 7a059897e5f686c9421c772e88d60ab5239b22d2
SHA256: 42dcacc7a076e1496d9650cf3fed897e3267577cf23fa47cf8591e508984cbbc
Tags: exe
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://falseaudiencekd.shop/api Avira URL Cloud: Label: malware
Source: https://feighminoritsjda.shop/api1 Avira URL Cloud: Label: malware
Source: employeedscratshj.shop Avira URL Cloud: Label: malware
Source: marathonbeedksow.shop Avira URL Cloud: Label: malware
Source: https://employeedscratshj.shop/api Avira URL Cloud: Label: malware
Source: https://pleasurenarrowsdla.shop/api? Avira URL Cloud: Label: malware
Source: feighminoritsjda.shop Avira URL Cloud: Label: malware
Source: https://richardflorespoew.shop/api Avira URL Cloud: Label: malware
Source: https://strwawrunnygjwu.shop/api Avira URL Cloud: Label: malware
Source: https://feighminoritsjda.shop/apiK Avira URL Cloud: Label: malware
Source: https://justifycanddidatewd.shop/api Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\d3d9.dll Avira: detection malicious, Label: HEUR/AGEN.1301971
Found malware configuration
Source: 0.2.tGm4SuP0sz.exe.6d36f000.2.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "employeedscratshj.shop"], "Build id": "HpOoIh--@MoneyPayin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\d3d9.dll ReversingLabs: Detection: 64%
Multi AV Scanner detection for submitted file
Source: tGm4SuP0sz.exe ReversingLabs: Detection: 71%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\d3d9.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: tGm4SuP0sz.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: richardflorespoew.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: strwawrunnygjwu.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: justifycanddidatewd.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: raiseboltskdlwpow.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: falseaudiencekd.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: pleasurenarrowsdla.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: feighminoritsjda.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: marathonbeedksow.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: employeedscratshj.shop
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1390484831.000000006D36F000.00000004.00000001.01000000.00000006.sdmp String decryptor: HpOoIh--@MoneyPayin
Uses 32bit PE files
Source: tGm4SuP0sz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tGm4SuP0sz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D360B78 FindFirstFileExW, 0_2_6D360B78
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_6D378530
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_6D390D8C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp+00000230h] 0_2_6D381D80
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov word ptr [edx], cx 0_2_6D383DF8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_6D3A3DE0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_6D3A3DE0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then add ebx, 02h 0_2_6D383C39
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_6D38D470
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then jmp eax 0_2_6D38FC57
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, ecx 0_2_6D391CE1
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then cmp byte ptr [ecx+eax], 00000000h 0_2_6D37ECE8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov dword ptr [esp+00000A98h], 00000000h 0_2_6D37ECE8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp+00000230h] 0_2_6D37E724
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_6D384F2B
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 0_2_6D37B700
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_6D3A7F60
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then cmp byte ptr [ebx+esi], 00000000h 0_2_6D39079B
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_6D3A37F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then xor eax, eax 0_2_6D38F61A
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then xor eax, eax 0_2_6D38F53A
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_6D3A8130
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_6D371160
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h 0_2_6D383190
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_6D3939D8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [004401D8h] 0_2_6D38081C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [004401D8h] 0_2_6D38281B
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [004401D8h] 0_2_6D38081C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h 0_2_6D392070
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [004401D8h] 0_2_6D38081C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp+000000D8h] 0_2_6D37F889
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 0_2_6D3910F7
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov byte ptr [edx], al 0_2_6D3780D0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_6D390310
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 0_2_6D392300
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 0_2_6D37F3A5
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then cmp word ptr [eax], 0000h 0_2_6D381399
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp+00000888h] 0_2_6D38C38A
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov eax, dword ptr [esp+00000888h] 0_2_6D38C3F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then push esi 0_2_6D3863D3
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov dword ptr [esp+00000A98h], 00000000h 0_2_6D3823C0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov edi, ecx 0_2_6D385A1E
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_6D392A70
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then jmp eax 0_2_6D38FABE
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 0850A6E6h 0_2_6D3A82F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 4x nop then mov ecx, edi 0_2_6D375900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], B67AF9EBh 3_2_004377D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00421857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then add ebx, 02h 3_2_00415822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [edx], cx 3_2_00415822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx eax, dx 3_2_004280C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], B67AF9EBh 3_2_004378CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, ecx 3_2_004238E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [ecx+eax], 00000000h 3_2_004108E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov dword ptr [esp+00000A98h], 00000000h 3_2_004108E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [eax], 00000000h 3_2_00438950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00438950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then test edi, edi 3_2_00438950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_00431120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_0040A130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_004359E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_004359E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then test edi, edi 3_2_004391F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+00000230h] 3_2_00413980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [ebx+esi], 00000000h 3_2_004221B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [eax], 00000000h 3_2_00438AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00438AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then test edi, edi 3_2_00438AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_00439B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 3_2_0040D300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edx, dword ptr [esi] 3_2_00438305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [ecx], al 3_2_00421B22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+00000230h] 3_2_00410324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00416B2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edi, ecx 3_2_00416B2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [eax], 00000000h 3_2_00438BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00438BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then test edi, edi 3_2_00438BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_004353F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [004401D8h] 3_2_0041241C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h 3_2_00423C77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [004401D8h] 3_2_0041441B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [004401D8h] 3_2_0041241C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [004401D8h] 3_2_0041241C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00421439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_00409CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 3_2_00422CF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+000000D8h] 3_2_00411489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 3_2_00402D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [eax], 00000000h 3_2_00438500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00438500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then test edi, edi 3_2_00438500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_00439D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then xor eax, eax 3_2_00420DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_004255D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp ecx 3_2_00426DF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [ebp+00h], 00000000h 3_2_00414D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edx, dword ptr [esi] 3_2_004365B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then xor eax, eax 3_2_00420E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_00424670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h 3_2_00423E3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 3_2_00423E3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [eax], 00000000h 3_2_004386D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_004386D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then test edi, edi 3_2_004386D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 0850A6E6h 3_2_00439EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx eax, dx 3_2_00427F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, ecx 3_2_00427F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then push esi 3_2_00417F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_00438F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then test edi, edi 3_2_00438F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov dword ptr [esp+00000A98h], 00000000h 3_2_00413FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], B67AF9EBh 3_2_004377D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+00000888h] 3_2_0041DFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_0041EFFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, dword ptr [esp+00000888h] 3_2_0041DF8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp word ptr [eax], 0000h 3_2_00412F99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 3_2_00410FA5

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2053682 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop) 192.168.2.8:55154 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053680 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop) 192.168.2.8:50222 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053678 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop) 192.168.2.8:57904 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053676 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop) 192.168.2.8:49552 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053674 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop) 192.168.2.8:52482 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053672 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop) 192.168.2.8:55221 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053670 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop) 192.168.2.8:56366 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053668 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop) 192.168.2.8:61148 -> 1.1.1.1:53
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: richardflorespoew.shop
Source: Malware configuration extractor URLs: strwawrunnygjwu.shop
Source: Malware configuration extractor URLs: justifycanddidatewd.shop
Source: Malware configuration extractor URLs: raiseboltskdlwpow.shop
Source: Malware configuration extractor URLs: falseaudiencekd.shop
Source: Malware configuration extractor URLs: pleasurenarrowsdla.shop
Source: Malware configuration extractor URLs: feighminoritsjda.shop
Source: Malware configuration extractor URLs: marathonbeedksow.shop
Source: Malware configuration extractor URLs: employeedscratshj.shop
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: feighminoritsjda.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: justifycanddidatewd.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: employeedscratshj.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: falseaudiencekd.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: pleasurenarrowsdla.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: richardflorespoew.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: marathonbeedksow.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: strwawrunnygjwu.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: raiseboltskdlwpow.shop replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: employeedscratshj.shop
Source: global traffic DNS traffic detected: DNS query: marathonbeedksow.shop
Source: global traffic DNS traffic detected: DNS query: feighminoritsjda.shop
Source: global traffic DNS traffic detected: DNS query: pleasurenarrowsdla.shop
Source: global traffic DNS traffic detected: DNS query: falseaudiencekd.shop
Source: global traffic DNS traffic detected: DNS query: raiseboltskdlwpow.shop
Source: global traffic DNS traffic detected: DNS query: justifycanddidatewd.shop
Source: global traffic DNS traffic detected: DNS query: strwawrunnygjwu.shop
Source: global traffic DNS traffic detected: DNS query: richardflorespoew.shop
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employeedscratshj.shop/api
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://falseaudiencekd.shop/api
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feighminoritsjda.shop/api1
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feighminoritsjda.shop/apiK
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://justifycanddidatewd.shop/
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://justifycanddidatewd.shop/api
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pleasurenarrowsdla.shop/
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pleasurenarrowsdla.shop/api?
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raiseboltskdlwpow.shop/B
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/0
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/api
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/api7
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/apii
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/apiy
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/g
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://strwawrunnygjwu.shop//l
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://strwawrunnygjwu.shop/api
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0042E490 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_0042E490
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0042E490 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_0042E490
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0042F0D2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 3_2_0042F0D2

System Summary
barindex
PE file contains section with special chars
Source: tGm4SuP0sz.exe Static PE information: section name: .$D$
Contains functionality to call native functions
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3530C0 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess, 0_2_6D3530C0
Detected potential crypto function
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3535D0 0_2_6D3535D0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3530C0 0_2_6D3530C0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3513F0 0_2_6D3513F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D367125 0_2_6D367125
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D351010 0_2_6D351010
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D35B700 0_2_6D35B700
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D375530 0_2_6D375530
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D392DC0 0_2_6D392DC0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D37E410 0_2_6D37E410
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D372CE0 0_2_6D372CE0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D374F20 0_2_6D374F20
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D373710 0_2_6D373710
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D39079B 0_2_6D39079B
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3A86F0 0_2_6D3A86F0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D374190 0_2_6D374190
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3939D8 0_2_6D3939D8
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3769C0 0_2_6D3769C0
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D38EB00 0_2_6D38EB00
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D38539C 0_2_6D38539C
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3A8A10 0_2_6D3A8A10
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D372250 0_2_6D372250
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D375900 0_2_6D375900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00410010 3_2_00410010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_004280C7 3_2_004280C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_004048E0 3_2_004048E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00420092 3_2_00420092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00438950 3_2_00438950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00407130 3_2_00407130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_004249C0 3_2_004249C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_004221B9 3_2_004221B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0043A2F0 3_2_0043A2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00438AB0 3_2_00438AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00405310 3_2_00405310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00406B20 3_2_00406B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00421B22 3_2_00421B22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00438BD0 3_2_00438BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00420410 3_2_00420410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00421439 3_2_00421439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00438500 3_2_00438500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_004085C0 3_2_004085C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00420DD0 3_2_00420DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_004255D8 3_2_004255D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00405D90 3_2_00405D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0041FDA0 3_2_0041FDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00420E4E 3_2_00420E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00403E50 3_2_00403E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0042A652 3_2_0042A652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0043A610 3_2_0043A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00401EC0 3_2_00401EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_004386D0 3_2_004386D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00432F50 3_2_00432F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00416F76 3_2_00416F76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00420700 3_2_00420700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00427F13 3_2_00427F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00438F30 3_2_00438F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0041C7EE 3_2_0041C7EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0041EFFD 3_2_0041EFFD
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: String function: 6D37E5C0 appears 51 times
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: String function: 6D377470 appears 70 times
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: String function: 6D35C6A0 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 004101C0 appears 162 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 00409070 appears 41 times
Sample file is different than original file name gathered from version info
Source: tGm4SuP0sz.exe, 00000000.00000002.1389292619.00000000015DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs tGm4SuP0sz.exe
Source: tGm4SuP0sz.exe, 00000000.00000000.1385888334.000000000101C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNovaEdge31599575803.exeT vs tGm4SuP0sz.exe
Source: tGm4SuP0sz.exe Binary or memory string: OriginalFilenameNovaEdge31599575803.exeT vs tGm4SuP0sz.exe
Uses 32bit PE files
Source: tGm4SuP0sz.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tGm4SuP0sz.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/2@9/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0042B109 CoCreateInstance, 3_2_0042B109
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: tGm4SuP0sz.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tGm4SuP0sz.exe ReversingLabs: Detection: 71%
Source: unknown Process created: C:\Users\user\Desktop\tGm4SuP0sz.exe "C:\Users\user\Desktop\tGm4SuP0sz.exe"
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll Jump to behavior
Source: tGm4SuP0sz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: tGm4SuP0sz.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: tGm4SuP0sz.exe Static file information: File size 1609728 > 1048576
Source: tGm4SuP0sz.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14b200
Source: tGm4SuP0sz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
PE file contains sections with non-standard names
Source: tGm4SuP0sz.exe Static PE information: section name: .$D$
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D367854 push ecx; ret 0_2_6D367867
Source: tGm4SuP0sz.exe Static PE information: section name: .text entropy: 7.956028266051775
Drops PE files
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll Jump to dropped file
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory allocated: 1790000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory allocated: 3330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory allocated: 3150000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API coverage: 7.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe TID: 7436 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7460 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7472 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D360B78 FindFirstFileExW, 0_2_6D360B78
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: aspnet_regiis.exe, 00000003.00000002.1403267726.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_00436A70 LdrInitializeThunk, 3_2_00436A70
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D35C52A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D35C52A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D36229E GetProcessHeap, 0_2_6D36229E
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D35C52A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D35C52A
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D35C051 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D35C051
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3604C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D3604C7
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D3535D0 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory, 0_2_6D3535D0
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: tGm4SuP0sz.exe String found in binary or memory: richardflorespoew.shop
Source: tGm4SuP0sz.exe String found in binary or memory: strwawrunnygjwu.shop
Source: tGm4SuP0sz.exe String found in binary or memory: falseaudiencekd.shop
Source: tGm4SuP0sz.exe String found in binary or memory: pleasurenarrowsdla.shop
Source: tGm4SuP0sz.exe String found in binary or memory: justifycanddidatewd.shop
Source: tGm4SuP0sz.exe String found in binary or memory: raiseboltskdlwpow.shop
Source: tGm4SuP0sz.exe String found in binary or memory: employeedscratshj.shop
Source: tGm4SuP0sz.exe String found in binary or memory: feighminoritsjda.shop
Source: tGm4SuP0sz.exe String found in binary or memory: marathonbeedksow.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 43B000 Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 43E000 Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 44F000 Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 790008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D35C6E8 cpuid 0_2_6D35C6E8
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Queries volume information: C:\Users\user\Desktop\tGm4SuP0sz.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tGm4SuP0sz.exe Code function: 0_2_6D35C173 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6D35C173

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465359 Sample: tGm4SuP0sz.exe Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 19 strwawrunnygjwu.shop 2->19 21 richardflorespoew.shop 2->21 23 7 other IPs or domains 2->23 25 Snort IDS alert for network traffic 2->25 27 Found malware configuration 2->27 29 Antivirus detection for URL or domain 2->29 31 11 other signatures 2->31 7 tGm4SuP0sz.exe 3 2->7         started        signatures3 process4 file5 15 C:\Users\user\AppData\Roaming\d3d9.dll, PE32 7->15 dropped 17 C:\Users\user\AppData\...\tGm4SuP0sz.exe.log, CSV 7->17 dropped 33 Contains functionality to inject code into remote processes 7->33 35 Writes to foreign memory regions 7->35 37 Allocates memory in foreign processes 7->37 39 Injects a PE file into a foreign processes 7->39 11 conhost.exe 7->11         started        13 aspnet_regiis.exe 7->13         started        signatures6 process7
No contacted IP infos

Contacted Domains

Name IP Active
justifycanddidatewd.shop unknown unknown
richardflorespoew.shop unknown unknown
strwawrunnygjwu.shop unknown unknown
falseaudiencekd.shop unknown unknown
raiseboltskdlwpow.shop unknown unknown
employeedscratshj.shop unknown unknown
marathonbeedksow.shop unknown unknown
feighminoritsjda.shop unknown unknown
pleasurenarrowsdla.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
justifycanddidatewd.shop true
  • Avira URL Cloud: safe
 unknown
employeedscratshj.shop true
  • Avira URL Cloud: malware
 unknown
marathonbeedksow.shop true
  • Avira URL Cloud: malware
 unknown
pleasurenarrowsdla.shop true
  • Avira URL Cloud: safe
 unknown
richardflorespoew.shop true
  • Avira URL Cloud: safe
 unknown
falseaudiencekd.shop true
  • Avira URL Cloud: safe
 unknown
feighminoritsjda.shop true
  • Avira URL Cloud: malware
 unknown
strwawrunnygjwu.shop true
  • Avira URL Cloud: safe
 unknown
raiseboltskdlwpow.shop true
  • Avira URL Cloud: safe
 unknown