Windows Analysis Report
LisectAVT_2403002B_445.exe

Overview

General Information

Sample name: LisectAVT_2403002B_445.exe
Analysis ID: 1481648
MD5: 101e706c8b509af541e6dca6b289f309
SHA1: 0335f29d8d5d39f4a40c2c38c48fda355f73b3a7
SHA256: 8137af71185f4017345064b8e12f0595af2622eed918fe6281a8e59ca5497f42
Tags: exe

Detection

LummaC
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: LisectAVT_2403002B_445.exe Avira: detected
Source: https://associationokeo.shop/api Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/p Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/apiM Avira URL Cloud: Label: malware
Source: colorfulequalugliess.shop Avira URL Cloud: Label: phishing
Source: https://turkeyunlikelyofw.shop/api Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/ Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/_ Avira URL Cloud: Label: malware
Source: associationokeo.shop Avira URL Cloud: Label: malware
Source: turkeyunlikelyofw.shop Avira URL Cloud: Label: malware
Source: detectordiscusser.shop Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/api Avira URL Cloud: Label: malware
Source: https://colorfulequalugliess.shop/K Avira URL Cloud: Label: phishing
Source: https://detectordiscusser.shop/apie Avira URL Cloud: Label: malware
Source: https://associationokeo.shop// Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/ Avira URL Cloud: Label: malware
Source: sideindexfollowragelrew.pw Avira URL Cloud: Label: malware
Source: https://relevantvoicelesskw.shop// Avira URL Cloud: Label: phishing
Source: relevantvoicelesskw.shop Avira URL Cloud: Label: phishing
Source: https://associationokeo.shop/i Avira URL Cloud: Label: malware
Source: 0.2.LisectAVT_2403002B_445.exe.5a0000.1.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "sideindexfollowragelrew.pw"], "Build id": "LPnhqo--@asasdasqr"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: LisectAVT_2403002B_445.exe Joe Sandbox ML: detected
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: associationokeo.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: turkeyunlikelyofw.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: pooreveningfuseor.pw
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: edurestunningcrackyow.fun
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: detectordiscusser.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: relevantvoicelesskw.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: colorfulequalugliess.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: wisemassiveharmonious.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: sideindexfollowragelrew.pw
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp String decryptor: LPnhqo--@asasdasqr
Source: LisectAVT_2403002B_445.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002B_445.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_00590F8A FindFirstFileExW, 0_2_00590F8A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov ebx, eax 0_2_005A2060
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov byte ptr [edi], dl 0_2_005C2000
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov byte ptr [edi], dl 0_2_005C1F63
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then add ebx, edi 0_2_005D308A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 0_2_005B10B9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov byte ptr [edi], 0000002Bh 0_2_005C1168
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 0_2_005B4160
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov ebx, eax 0_2_005A2220
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp dword ptr [eax-08h], 18DC7455h 0_2_005D02D0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov word ptr [ecx], dx 0_2_005C02E6
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_005BF31D
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov edx, dword ptr [esp+0Ch] 0_2_005B638C
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov word ptr [ecx], dx 0_2_005D2482
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp word ptr [edx+eax], 0000h 0_2_005D2482
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then jmp esi 0_2_005CE61E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then jmp ecx 0_2_005BC60E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then jmp esi 0_2_005D37BA
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov byte ptr [edx], al 0_2_005C2863
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 0_2_005A8800
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov byte ptr [edx], cl 0_2_005A8800
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_005CC880
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh 0_2_005BC9B0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then jmp eax 0_2_005BD9B6
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov eax, dword ptr [edi+0Ch] 0_2_005A19A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov edi, dword ptr [esi+0Ch] 0_2_005D1A5F
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] 0_2_005C0A88
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_005C0A88
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then jmp eax 0_2_005D2B30
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh 0_2_005BFBAB
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp byte ptr [ecx], dl 0_2_005A7CF0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov edx, dword ptr [esp+08h] 0_2_005A8C90
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then lea esi, dword ptr [edx+ecx] 0_2_005BDC90
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 0_2_005B6DDA
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then movzx eax, byte ptr [esi+ecx] 0_2_005ACDB0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then jmp edx 0_2_005D3DB3
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov edx, dword ptr [esp+08h] 0_2_005A8DA0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov edi, dword ptr [esi+0Ch] 0_2_0070265F
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp byte ptr [ecx], dl 0_2_006D88F0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov word ptr [ecx], dx 0_2_00703082
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then cmp word ptr [edx+eax], 0000h 0_2_00703082
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov edx, dword ptr [esp+08h] 0_2_006D9890
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then lea esi, dword ptr [edx+ecx] 0_2_006EE890
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 4x nop then mov ecx, edi 0_2_005A5D70

Networking

Source: Malware configuration extractor URLs: associationokeo.shop
Source: Malware configuration extractor URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor URLs: pooreveningfuseor.pw
Source: Malware configuration extractor URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor URLs: detectordiscusser.shop
Source: Malware configuration extractor URLs: relevantvoicelesskw.shop
Source: Malware configuration extractor URLs: colorfulequalugliess.shop
Source: Malware configuration extractor URLs: wisemassiveharmonious.shop
Source: Malware configuration extractor URLs: sideindexfollowragelrew.pw
Source: unknown DNS traffic detected: query: wisemassiveharmonious.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: turkeyunlikelyofw.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: associationokeo.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: relevantvoicelesskw.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: detectordiscusser.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: colorfulequalugliess.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: edurestunningcrackyow.fun replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: sideindexfollowragelrew.pw
Source: global traffic DNS traffic detected: DNS query: wisemassiveharmonious.shop
Source: global traffic DNS traffic detected: DNS query: colorfulequalugliess.shop
Source: global traffic DNS traffic detected: DNS query: relevantvoicelesskw.shop
Source: global traffic DNS traffic detected: DNS query: detectordiscusser.shop
Source: global traffic DNS traffic detected: DNS query: edurestunningcrackyow.fun
Source: global traffic DNS traffic detected: DNS query: pooreveningfuseor.pw
Source: global traffic DNS traffic detected: DNS query: turkeyunlikelyofw.shop
Source: global traffic DNS traffic detected: DNS query: associationokeo.shop
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop//
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/_
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671254395.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/api
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671254395.00000000008BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/apiM
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/i
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://colorfulequalugliess.shop/K
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://detectordiscusser.shop/
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://detectordiscusser.shop/api
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://detectordiscusser.shop/apie
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://edurestunningcrackyow.fun/
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw/
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw/t
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://relevantvoicelesskw.shop//
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turkeyunlikelyofw.shop/
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turkeyunlikelyofw.shop/api
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turkeyunlikelyofw.shop/p
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_006FA0A0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_006FA0A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_00703127 NtClose, 0_2_00703127
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_007052B0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007052B0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_00702AB2 NtOpenSection, 0_2_00702AB2
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_00702C33 NtMapViewOfSection, 0_2_00702C33
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_00702E7A NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_00702E7A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_007057A0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 0_2_007057A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: String function: 0058AF80 appears 33 times
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: String function: 005A8250 appears 145 times
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: String function: 005A7B10 appears 43 times
Source: classification engine Classification label: mal92.troj.evad.winEXE@2/0@9/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_03
Source: LisectAVT_2403002B_445.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe File read: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe "C:\Users\user\Desktop\LisectAVT_2403002B_445.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Section loaded: msasn1.dll
Source: LisectAVT_2403002B_445.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002B_445.exe Static file information: File size 2012017 > 1048576
Source: LisectAVT_2403002B_445.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x197e00
Source: LisectAVT_2403002B_445.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_00598901 push ecx; ret 0_2_00598914
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_005D7C47 push ecx; ret 0_2_005D7C48
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe TID: 984 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671254395.00000000008BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_0058ECA0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0058ECA0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_005936A3 GetProcessHeap, 0_2_005936A3
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_0058A882 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0058A882
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_0058AD60 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0058AD60
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_0058AEBC SetUnhandledExceptionFilter, 0_2_0058AEBC

HIPS / PFW / Operating System Protection Evasion

Source: LisectAVT_2403002B_445.exe String found in binary or memory: sideindexfollowragelrew.pw
Source: LisectAVT_2403002B_445.exe String found in binary or memory: associationokeo.shop
Source: LisectAVT_2403002B_445.exe String found in binary or memory: turkeyunlikelyofw.shop
Source: LisectAVT_2403002B_445.exe String found in binary or memory: pooreveningfuseor.pw
Source: LisectAVT_2403002B_445.exe String found in binary or memory: edurestunningcrackyow.fun
Source: LisectAVT_2403002B_445.exe String found in binary or memory: detectordiscusser.shop
Source: LisectAVT_2403002B_445.exe String found in binary or memory: relevantvoicelesskw.shop
Source: LisectAVT_2403002B_445.exe String found in binary or memory: colorfulequalugliess.shop
Source: LisectAVT_2403002B_445.exe String found in binary or memory: wisemassiveharmonious.shop
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_0058AFC5 cpuid 0_2_0058AFC5
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe Code function: 0_2_0058AC47 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0058AC47

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
No contacted IP infos