Windows Analysis Report
LisectAVT_2403002A_96.exe

Overview

General Information

Sample name: LisectAVT_2403002A_96.exe
Analysis ID: 1482133
MD5: 9256cf8bc71250fd9c9692477c308668
SHA1: d10d2a348bf3e76c728da35161307bc8872174f3
SHA256: 7adf609b3d22801ddddc39747ef6344a17129f7159318962bcc67247be048ef2
Tags: exe, LummaStealer

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: LisectAVT_2403002A_96.exe Avira: detected
Source: https://associationokeo.shop//i Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/api Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/ Avira URL Cloud: Label: malware
Source: associationokeo.shop Avira URL Cloud: Label: malware
Source: colorfulequalugliess.shop Avira URL Cloud: Label: phishing
Source: https://associationokeo.shop/api Avira URL Cloud: Label: malware
Source: https://associationokeo.shop// Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/ Avira URL Cloud: Label: malware
Source: detectordiscusser.shop Avira URL Cloud: Label: malware
Source: relevantvoicelesskw.shop Avira URL Cloud: Label: phishing
Source: turkeyunlikelyofw.shop Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/ Avira URL Cloud: Label: malware
Source: 3.2.RegAsm.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "sailsystemeyeusjw.shop"], "Build id": "1AsNN2--babah2"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_96.exe Joe Sandbox ML: detected
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: associationokeo.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: turkeyunlikelyofw.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: pooreveningfuseor.pw
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: edurestunningcrackyow.fun
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: detectordiscusser.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: relevantvoicelesskw.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: colorfulequalugliess.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: wisemassiveharmonious.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: sailsystemeyeusjw.shop
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000003.00000002.1651401322.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: 1AsNN2--babah2
Source: LisectAVT_2403002A_96.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: LisectAVT_2403002A_96.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Casis.pdb source: LisectAVT_2403002A_96.exe
Source: Binary string: Casis.pdbx source: LisectAVT_2403002A_96.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+08h] 3_2_00432156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, byte ptr [esi+ecx] 3_2_0040D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] 3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then test esi, esi 3_2_004352C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 3_2_004212E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 3_2_00433458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh 3_2_0041541A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 3_2_00434489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 3_2_004095E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 3_2_004105BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+28h] 3_2_0041561D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_0042D620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] 3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000080h] 3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea esi, dword ptr [edx+ecx] 3_2_0041D860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+000000A8h] 3_2_00414810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 3_2_0041390E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 3_2_004119E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 3_2_0040FA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 3_2_0040FA7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [0043DC58h] 3_2_0041CB43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h] 3_2_00407B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 3_2_0041CB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edi, dword ptr [esi+0Ch] 3_2_0041FB8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 3_2_00432C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] 3_2_00420D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 3_2_00410E43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, edi 3_2_00434FB2

Networking

Source: Malware configuration extractor URLs: associationokeo.shop
Source: Malware configuration extractor URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor URLs: pooreveningfuseor.pw
Source: Malware configuration extractor URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor URLs: detectordiscusser.shop
Source: Malware configuration extractor URLs: relevantvoicelesskw.shop
Source: Malware configuration extractor URLs: colorfulequalugliess.shop
Source: Malware configuration extractor URLs: wisemassiveharmonious.shop
Source: Malware configuration extractor URLs: sailsystemeyeusjw.shop
Source: unknown DNS traffic detected: query: wisemassiveharmonious.shop reply code: Name error (3)
Source: unknown DNS traffic detected: query: sailsystemeyeusjw.shop reply code: Name error (3)
Source: unknown DNS traffic detected: query: turkeyunlikelyofw.shop reply code: Name error (3)
Source: unknown DNS traffic detected: query: associationokeo.shop reply code: Name error (3)
Source: unknown DNS traffic detected: query: relevantvoicelesskw.shop reply code: Name error (3)
Source: unknown DNS traffic detected: query: detectordiscusser.shop reply code: Name error (3)
Source: unknown DNS traffic detected: query: colorfulequalugliess.shop reply code: Name error (3)
Source: unknown DNS traffic detected: query: edurestunningcrackyow.fun reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: sailsystemeyeusjw.shop
Source: global traffic DNS traffic detected: DNS query: wisemassiveharmonious.shop
Source: global traffic DNS traffic detected: DNS query: colorfulequalugliess.shop
Source: global traffic DNS traffic detected: DNS query: relevantvoicelesskw.shop
Source: global traffic DNS traffic detected: DNS query: detectordiscusser.shop
Source: global traffic DNS traffic detected: DNS query: edurestunningcrackyow.fun
Source: global traffic DNS traffic detected: DNS query: pooreveningfuseor.pw
Source: global traffic DNS traffic detected: DNS query: turkeyunlikelyofw.shop
Source: global traffic DNS traffic detected: DNS query: associationokeo.shop
Source: RegAsm.exe, 00000003.00000002.1651767284.0000000001522000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop//
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop//i
Source: RegAsm.exe, 00000003.00000002.1651681626.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/api
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://detectordiscusser.shop/
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw/
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw//
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sailsystemeyeusjw.shop/
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sailsystemeyeusjw.shop/.
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turkeyunlikelyofw.shop/
Source: RegAsm.exe, 00000003.00000002.1651681626.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turkeyunlikelyofw.shop/api
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042AC90 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_0042AC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042AC90 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_0042AC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042AE40 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 3_2_0042AE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414280 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00414280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00435440 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00435440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004324B2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004324B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004327F1 NtMapViewOfSection, 3_2_004327F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004327AF NtOpenSection, 3_2_004327AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043286A NtClose, 3_2_0043286A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00432987 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00432987
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436060 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004220C1 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004220C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419080 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00419080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042F1E0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0042F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00412277 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00412277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431220 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417305 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00417305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436400 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041541A NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041541A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00416492 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00416492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004314A0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041C5F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00435640 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00435640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431600 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041960A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041960A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004156F7 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004156F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004146B7 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004146B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041A762 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041A762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041C765 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041C765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00412700 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00412700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431710 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004367D0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004367D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00416790 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00416790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431840 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041D860 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041D860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00435810 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00435810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041A880 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00435940 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00435940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00435AB0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00435AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00435BD0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00435BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419C41 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00419C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00432C52 NtFreeVirtualMemory, 3_2_00432C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417C59 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00417C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00435D40 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00435D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414D10 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00414D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041EDB2 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041EDB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00418E50 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00418E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041CF46 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041CF46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00420F04 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00420F04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00430F80 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00430F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436060 3_2_00436060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401000 3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00403240 3_2_00403240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00405274 3_2_00405274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00423216 3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004212E2 3_2_004212E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041F3FD 3_2_0041F3FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00422382 3_2_00422382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436400 3_2_00436400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00404640 3_2_00404640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041960A 3_2_0041960A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00423216 3_2_00423216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401700 3_2_00401700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041D860 3_2_0041D860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00413A27 3_2_00413A27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417A8C 3_2_00417A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00407B20 3_2_00407B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419C41 3_2_00419C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00403C60 3_2_00403C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00426D8E 3_2_00426D8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FDB0 3_2_0040FDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00402E70 3_2_00402E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041CF46 3_2_0041CF46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00412F77 3_2_00412F77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00420F04 3_2_00420F04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00405F30 3_2_00405F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042EF80 3_2_0042EF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040FF60 appears 154 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408560 appears 44 times
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1649094618.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_96.exe
Source: LisectAVT_2403002A_96.exe, 00000000.00000000.1646583317.00000000007A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCasis.exe8 vs LisectAVT_2403002A_96.exe
Source: LisectAVT_2403002A_96.exe Binary or memory string: OriginalFilenameCasis.exe8 vs LisectAVT_2403002A_96.exe
Source: LisectAVT_2403002A_96.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: LisectAVT_2403002A_96.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/1@9/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00428009 CoCreateInstance, 3_2_00428009
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_96.exe.log
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: LisectAVT_2403002A_96.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002A_96.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe "C:\Users\user\Desktop\LisectAVT_2403002A_96.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: LisectAVT_2403002A_96.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_96.exe Static file information: File size 4066498 > 1048576
Source: LisectAVT_2403002A_96.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LisectAVT_2403002A_96.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Casis.pdb source: LisectAVT_2403002A_96.exe
Source: Binary string: Casis.pdbx source: LisectAVT_2403002A_96.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043B016 push 980044CBh; retf 0044h 3_2_0043B021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043AF42 push esp; retf 0044h 3_2_0043AF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043AF7C push esp; retf 0044h 3_2_0043AF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043AFF2 push esp; retf 0044h 3_2_0043AF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043AFF2 push 680044CBh; retf 3_2_0043B015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043AFA9 push 680044CBh; retf 3_2_0043B015
Source: LisectAVT_2403002A_96.exe Static PE information: section name: .text entropy: 7.946120539555088
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory allocated: 2920000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe TID: 6936 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5676 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RegAsm.exe, 00000003.00000002.1651633572.00000000014DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Code function: 0_2_02AD5429 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_02AD5429
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: associationokeo.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: turkeyunlikelyofw.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pooreveningfuseor.pw
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: edurestunningcrackyow.fun
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: detectordiscusser.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: relevantvoicelesskw.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: colorfulequalugliess.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: wisemassiveharmonious.shop
Source: LisectAVT_2403002A_96.exe, 00000000.00000002.1651239125.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sailsystemeyeusjw.shop
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 437000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43A000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 445000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1091008
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_96.exe VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
No contacted IP infos