Windows Analysis Report
LisectAVT_2403002C_59.exe

Overview

General Information

Sample name: LisectAVT_2403002C_59.exe
Analysis ID: 1481318
MD5: 5a14cd37a8cb00b18ada9c2500e53e5f
SHA1: bdcaf7389ddd102e274cf61393fae49e0eb10ee6
SHA256: c0c7eff42ec59832f6fa3c9a8c9e08fce760b625383ec87ae69ba72f3060c59a
Tags: exe, LummaStealer

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: LisectAVT_2403002C_59.exe Avira: detected
Source: associationokeo.shop Avira URL Cloud: Label: malware
Source: turkeyunlikelyofw.shop Avira URL Cloud: Label: malware
Source: detectordiscusser.shop Avira URL Cloud: Label: malware
Source: technologyenterdo.shop Avira URL Cloud: Label: malware
Source: LisectAVT_2403002C_59.exe Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pwo", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "problemregardybuiwo.fun"], "Build id": "9zXsP2--"}
Source: LisectAVT_2403002C_59.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: LisectAVT_2403002C_59.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002C_59.exe String decryptor: associationokeo.shop
Source: LisectAVT_2403002C_59.exe String decryptor: turkeyunlikelyofw.shop
Source: LisectAVT_2403002C_59.exe String decryptor: pooreveningfuseor.pwo
Source: LisectAVT_2403002C_59.exe String decryptor: edurestunningcrackyow.fun
Source: LisectAVT_2403002C_59.exe String decryptor: detectordiscusser.shop
Source: LisectAVT_2403002C_59.exe String decryptor: problemregardybuiwo.fun
Source: LisectAVT_2403002C_59.exe String decryptor: lighterepisodeheighte.fun
Source: LisectAVT_2403002C_59.exe String decryptor: technologyenterdo.shop
Source: LisectAVT_2403002C_59.exe String decryptor: problemregardybuiwo.fun
Source: LisectAVT_2403002C_59.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: LisectAVT_2403002C_59.exe String decryptor: TeslaBrowser/5.5
Source: LisectAVT_2403002C_59.exe String decryptor: - Screen Resoluton:
Source: LisectAVT_2403002C_59.exe String decryptor: - Physical Installed Memory:
Source: LisectAVT_2403002C_59.exe String decryptor: Workgroup: -
Source: LisectAVT_2403002C_59.exe String decryptor: 9zXsP2--
Source: LisectAVT_2403002C_59.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002C_59.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp dword ptr [ecx-08h], CCC8066Ah 0_2_004517F2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000128h] 0_2_0043504F
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh 0_2_00437031
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then movzx ebx, byte ptr [edx+esi] 0_2_004288C0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esi+40h] 0_2_0044095B
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 0_2_0043E960
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp dword ptr [eax-08h], 0AB35B01h 0_2_0043418B
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [edx+ebp], bl 0_2_004289A0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_00436266
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov word ptr [ebx], ax 0_2_0043F212
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_0043F212
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_00444A1C
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then jmp ecx 0_2_004532E1
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 0_2_00438AF0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov eax, dword ptr [esi+10h] 0_2_00439350
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esi] 0_2_00441B6B
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esi] 0_2_00441B6B
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h 0_2_004543C0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp byte ptr [edx+ebp], al 0_2_00423390
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C0D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C0D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C0D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C0D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov eax, dword ptr [esi] 0_2_00442C0D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C0D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], dl 0_2_00442C0D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C15
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C15
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C15
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C15
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov eax, dword ptr [esi] 0_2_00442C15
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00442C15
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [ecx], dl 0_2_00442C15
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 0_2_00429C20
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp byte ptr [ecx+eax+01h], 00000000h 0_2_00431CFA
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then jmp eax 0_2_00452C90
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov word ptr [ebp+00h], 0000h 0_2_0042A560
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_00443DC0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_00443DC0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then inc edi 0_2_004325E9
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov eax, dword ptr [esp+60h] 0_2_00437E5F
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esp] 0_2_00437E5F
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_0044466A
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_0044466A
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp byte ptr [esi], 00000000h 0_2_0043B6E2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp dword ptr [eax-08h], A352EDFDh 0_2_0043B6E2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh 0_2_00436EA2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov ecx, dword ptr [esp+000000BCh] 0_2_0043BF40
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then movzx eax, byte ptr [ebx] 0_2_0045276D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then cmp word ptr [eax], 0000h 0_2_004337F3
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov dword ptr [esi], ebp 0_2_004217A0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 4x nop then mov dword ptr [esi+000001B0h], 00000000h 0_2_004347AF

Networking

Source: Malware configuration extractor URLs: associationokeo.shop
Source: Malware configuration extractor URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor URLs: pooreveningfuseor.pwo
Source: Malware configuration extractor URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor URLs: detectordiscusser.shop
Source: Malware configuration extractor URLs: problemregardybuiwo.fun
Source: Malware configuration extractor URLs: lighterepisodeheighte.fun
Source: Malware configuration extractor URLs: technologyenterdo.shop
Source: Malware configuration extractor URLs: problemregardybuiwo.fun
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00448090 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 0_2_00448090
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004541A0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004541A0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004519B2 NtClose, 0_2_004519B2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044DC00 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0044DC00
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004514BF NtOpenSection, 0_2_004514BF
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004516EC NtMapViewOfSection, 0_2_004516EC
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00450E9D NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00450E9D
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00453EB0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00453EB0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004517F2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004517F2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043B06E NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043B06E
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00436010 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00436010
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00454820 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00454820
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004390C1 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004390C1
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043A8E0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043A8E0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044F880 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0044F880
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00454090 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00454090
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004500A0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtFreeVirtualMemory, 0_2_004500A0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043F930 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043F930
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044513A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0044513A
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043418B NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043418B
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004371B9 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004371B9
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043F212 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043F212
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043AAF0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043AAF0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004542B0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004542B0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044FB40 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0044FB40
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00433B44 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00433B44
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00439B1C NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00439B1C
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00437B38 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00437B38
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004543C0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004543C0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00454B90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00454B90
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043E3B0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043E3B0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043C3B8 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043C3B8
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004363BC NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004363BC
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043E4F2 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043E4F2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044FCA0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0044FCA0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043C4BB NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043C4BB
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00454530 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00454530
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044FD90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0044FD90
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004415A3 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_004415A3
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043B6E2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00444EE6 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00444EE6
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00436EA2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00436EA2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00444FDC NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00444FDC
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044FF90 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0044FF90
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00454F90 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00454F90
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00421000 0_2_00421000
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00432823 0_2_00432823
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00424820 0_2_00424820
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043F930 0_2_0043F930
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044513A 0_2_0044513A
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044D9A0 0_2_0044D9A0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00426200 0_2_00426200
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0044520B 0_2_0044520B
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043F212 0_2_0043F212
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004452A9 0_2_004452A9
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00428B60 0_2_00428B60
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00423390 0_2_00423390
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00454B90 0_2_00454B90
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00425450 0_2_00425450
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00442C15 0_2_00442C15
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00443DC0 0_2_00443DC0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00437E5F 0_2_00437E5F
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00431600 0_2_00431600
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00427E10 0_2_00427E10
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00423E20 0_2_00423E20
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043B6E2 0_2_0043B6E2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0042A7C0 0_2_0042A7C0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_004267F0 0_2_004267F0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00422FB0 0_2_00422FB0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: String function: 004288A0 appears 44 times
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: String function: 004291B0 appears 146 times
Source: LisectAVT_2403002C_59.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_00447386 CoCreateInstance, 0_2_00447386
Source: LisectAVT_2403002C_59.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002C_59.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe File read: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Section loaded: winhttp.dll
Source: LisectAVT_2403002C_59.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043B6E2
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0042BEDC rdtsc 0_2_0042BEDC
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0042BEDC rdtsc 0_2_0042BEDC
Source: C:\Users\user\Desktop\LisectAVT_2403002C_59.exe Code function: 0_2_0043B6E2 LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_0043B6E2
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: associationokeo.shop
Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: turkeyunlikelyofw.shop
Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: pooreveningfuseor.pwo
Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: edurestunningcrackyow.fun
Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: detectordiscusser.shop
Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: problemregardybuiwo.fun
Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: lighterepisodeheighte.fun
Source: LisectAVT_2403002C_59.exe, 00000000.00000002.2636456142.0000000000F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: technologyenterdo.shop

Stealing of Sensitive Information

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos