Windows Analysis Report
github_softwares_v1.18.exe

Overview

General Information

Sample name: github_softwares_v1.18.exe
Analysis ID: 1483201
MD5: 444cf08b351822e4bec5c4c1b9324942
SHA1: d5607171f7aa06682efed7ced3ddaff08e2b384b
SHA256: 17aad4db38649728ef0e666755351794d4de41d82a36608226d8656ea54233cb
Tags: exe
Infos:

Detection

LummaC, Go Injector, LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: stimultaionsppzv.shop Avira URL Cloud: Label: malware
Source: bravedreacisopm.shop Avira URL Cloud: Label: phishing
Source: https://weaknessmznxo.shop/api Avira URL Cloud: Label: malware
Source: https://weaknessmznxo.shop:443/api Avira URL Cloud: Label: malware
Source: effectivedoxzj.shop Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.3.github_softwares_v1.18.exe.14a79900000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["bravedreacisopm.shop", "shellfyyousdjz.shop", "broccoltisop.shop", "grassytaisol.shop", "stimultaionsppzv.shop", "parntorpkxzlp.shop", "effectivedoxzj.shop", "horizonvxjis.shop", "weaknessmznxo.shop"], "Build id": "LPnhqo--@kolnausgb"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 97.3% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: bravedreacisopm.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: shellfyyousdjz.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: broccoltisop.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: grassytaisol.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: stimultaionsppzv.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: parntorpkxzlp.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: effectivedoxzj.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: horizonvxjis.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: weaknessmznxo.shop
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String decryptor: LPnhqo--@kolnausgb
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A16E50 CryptUnprotectData, 1_2_02A16E50
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: github_softwares_v1.18.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax], bl 1_2_02A0F290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_02A3C2D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 1_2_02A3A088
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02A3C020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esi+10h], 00000000h 1_2_02A12846
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 1_2_02A12846
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000094h] 1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], 0000002Bh 1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], dl 1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+3Ch] 1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esi+08h], ebx 1_2_02A29EF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+6Ch] 1_2_02A29EF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_02A29EF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h] 1_2_02A04E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h 1_2_02A16E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_02A09FA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 077DEFCDh 1_2_02A3C7E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02A37F70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+60h] 1_2_02A17CBB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 1_2_02A21D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+00000880h] 1_2_02A21AAF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 11081610h 1_2_02A25AEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 11081610h 1_2_02A25A01
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+eax], 0000h 1_2_02A19212
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+00000080h] 1_2_02A18A72
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], B33E16A3h 1_2_02A15BA8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp dword ptr [02A42DE4h] 1_2_02A15BA8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_02A26BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 11081610h 1_2_02A25B83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp dword ptr [02A44B7Ch] 1_2_02A25B83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ecx 1_2_02A1F321
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, word ptr [edi+ecx*4] 1_2_02A08330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_02A3B300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp] 1_2_02A09890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edx], bl 1_2_02A09890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_02A3B090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx ecx, byte ptr [esi+eax] 1_2_02A0E0E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 1_2_02A120F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 1_2_02A2582B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_02A1E80E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_02A229FA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_02A3B1D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 3BEBD150h 1_2_02A3C1D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_02A3B920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_02A23909
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 1_2_02A27140
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_02A3AE80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, ebx 1_2_02A38EE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 1_2_02A03620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_02A3B630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h 1_2_02A1DFB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_02A15799
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 1_2_02A14F7A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_02A3C4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_02A2143B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [ebx] 1_2_02A03450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_02A1BD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 1_2_02A36590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 1_2_02A0FDE3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], cx 1_2_02A0FDE3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+60h] 1_2_02A185D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then dec edi 1_2_02A3CDD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [edx] 1_2_02A3AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_02A3AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then inc ebx 1_2_02A16550

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: bravedreacisopm.shop
Source: Malware configuration extractor URLs: shellfyyousdjz.shop
Source: Malware configuration extractor URLs: broccoltisop.shop
Source: Malware configuration extractor URLs: grassytaisol.shop
Source: Malware configuration extractor URLs: stimultaionsppzv.shop
Source: Malware configuration extractor URLs: parntorpkxzlp.shop
Source: Malware configuration extractor URLs: effectivedoxzj.shop
Source: Malware configuration extractor URLs: horizonvxjis.shop
Source: Malware configuration extractor URLs: weaknessmznxo.shop
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: weaknessmznxo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: weaknessmznxo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: weaknessmznxo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: weaknessmznxo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: weaknessmznxo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1279Host: weaknessmznxo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 550577Host: weaknessmznxo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: weaknessmznxo.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: weaknessmznxo.shop
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: weaknessmznxo.shop
Source: github_softwares_v1.18.exe String found in binary or memory: http://.css
Source: github_softwares_v1.18.exe String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: github_softwares_v1.18.exe String found in binary or memory: http://html4/loose.dtd
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000001.00000003.1755112502.0000000004FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: github_softwares_v1.18.exe String found in binary or memory: https://gorm.io/docs/hooks.htmlWarning:
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730889198.0000000004FFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: BitLockerToGo.exe, 00000001.00000003.1730995668.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: BitLockerToGo.exe, 00000001.00000003.1743040571.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/((
Source: BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/22
Source: BitLockerToGo.exe, 00000001.00000003.1754529360.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1754816151.0000000002F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/GHd
Source: BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/H
Source: BitLockerToGo.exe, 00000001.00000003.1730674997.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1743040571.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1846585558.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1800001882.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/api
Source: BitLockerToGo.exe, 00000001.00000003.1716565174.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/api-L
Source: BitLockerToGo.exe, 00000001.00000003.1743040571.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/api0fB?
Source: BitLockerToGo.exe, 00000001.00000003.1754529360.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1772726652.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/apiBU
Source: BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop/h
Source: BitLockerToGo.exe, 00000001.00000003.1830856779.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop:443/api
Source: BitLockerToGo.exe, 00000001.00000003.1730573797.0000000002E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weaknessmznxo.shop:443/api6
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000001.00000003.1756837470.0000000002F02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: BitLockerToGo.exe, 00000001.00000003.1731546584.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1731597052.0000000002F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000001.00000003.1756527742.00000000050F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.159.243:443 -> 192.168.2.4:49738 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A2F370 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_02A2F370
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A2F370 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_02A2F370
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A2F570 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 1_2_02A2F570

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1708564024.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A0B260 1_2_02A0B260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A34340 1_2_02A34340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A23840 1_2_02A23840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A18184 1_2_02A18184
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A27970 1_2_02A27970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A29EF2 1_2_02A29EF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A04E70 1_2_02A04E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A16E50 1_2_02A16E50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A22C10 1_2_02A22C10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3A59A 1_2_02A3A59A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A1154C 1_2_02A1154C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3CAB0 1_2_02A3CAB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A232B5 1_2_02A232B5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A01A08 1_2_02A01A08
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A1F321 1_2_02A1F321
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A08330 1_2_02A08330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3B300 1_2_02A3B300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A240B7 1_2_02A240B7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3B090 1_2_02A3B090
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A1E80E 1_2_02A1E80E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A01051 1_2_02A01051
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A14188 1_2_02A14188
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A03990 1_2_02A03990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3B1D0 1_2_02A3B1D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A05920 1_2_02A05920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A0F110 1_2_02A0F110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A066B0 1_2_02A066B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A01EB0 1_2_02A01EB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3AE80 1_2_02A3AE80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3B630 1_2_02A3B630
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A2461E 1_2_02A2461E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A24643 1_2_02A24643
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A14F7A 1_2_02A14F7A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A06CA0 1_2_02A06CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A04480 1_2_02A04480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A2143B 1_2_02A2143B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A0BD80 1_2_02A0BD80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A275E0 1_2_02A275E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3CDD0 1_2_02A3CDD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A3AD00 1_2_02A3AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A01566 1_2_02A01566
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02A09600 appears 164 times
PE file contains more sections than normal
Source: github_softwares_v1.18.exe Static PE information: Number of sections : 12 > 10
Sample file is different than original file name gathered from version info
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Source: github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Source: github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Source: github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs github_softwares_v1.18.exe
Yara signature match
Source: 00000000.00000002.1708564024.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: github_softwares_v1.18.exe Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockx509: malformed validityexec: Stdout already setexec: Stderr already setjson: unsupported type: invalid ticket length %dsql: statement is closedMon Jan _2 15:04:05 2006result must be a pointertext/html; charset=utf-8zlib: invalid dictionaryinvalid pattern syntax: address string too shortresource length too longunpacking Question.Classunexpected mantissa baseunexpected exponent baseRat.Scan: invalid syntaxindent can only be space%s%s is unsupported typeunknown address protocolinvalid address checksumcould not decode: %v: %wsha2-256-trunc254-paddedunmarshaling t.Owner: %wRemoveExpiredAllocations302231454903657293676544ConfirmSectorProofsValidunmarshaling t.Quota: %wVerifyDealsForActivationunmarshaling t.Label: %wunmarshaling t.Value: %wunmarshaling t.Actor: %wSubmitPoRepForBulkVerifyunmarshaling t.Miner: %wChangeMultiaddrsExportedExtendClaimTermsExportedhttp2: canceling requestunexpected buffer len=%vinvalid pseudo-header %qinvalid request :path %qapplication/octet-streamRequest Entity Too Largehttp: nil Request.HeaderstreamSafe was not resetValue kind is %s, not %s_html_template_urlfilteron range loop re-entry: at range loop continue: application/x-ecmascriptapplication/x-javascript(\$)(\{?([A-Z0-9_]+)\}?)ErrorHandler should exitduplicate %TAG directiveread handler must be setexceeded max depth of %dwhile scanning an anchorerror decrypting messagecertificate unobtainableTLS_RSA_WITH_RC4_128_SHAexpected float; found %s%s (and %d other errors)tabwriter: panic during \Device\NamedPipe\cygwinNotNestedGreaterGreater;token used before issuedtoken has invalid issuertoken has invalid claimsunbounded valkey message%s
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A2B2EB CoCreateInstance, 1_2_02A2B2EB
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe File created: C:\Users\Public\Libraries\mhgkj.scif Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe File opened: C:\Windows\system32\65ebcc9f5b8418f2c8843172241992038cf06349e5b1f11b7c097dd1e98b7546AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: github_softwares_v1.18.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: github_softwares_v1.18.exe String found in binary or memory: depgithub.com/filecoin-project/go-addressv1.1.0h1:ofdtUtEsNxkIxkDw67ecSmvtzaVSdcea4boAmLbnHfE=
Source: github_softwares_v1.18.exe String found in binary or memory: depgithub.com/hashicorp/hc-installv0.7.1-0.20240607080111-03e0bd63529fh1:vRnx/KymAhdkO7+m1JgBWnf4B4C3Ex9AYXg3jOlll+8=
Source: github_softwares_v1.18.exe String found in binary or memory: depgithub.com/ipfs/go-ipfs-ds-helpv1.1.0h1:yLE2w9RAsl31LtfMt91tRZcrx+e61O5mDxFRR994w4Q=
Source: github_softwares_v1.18.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: github_softwares_v1.18.exe String found in binary or memory: &github.com/filecoin-project/go-address
Source: github_softwares_v1.18.exe String found in binary or memory: asn1:"tag:0,optional"&*func(*x509.CertPool, time.Time) error&*map.bucket[context.canceler]struct {}&github.com/filecoin-project/go-address&*map.bucket[cid.Cid]*builtin.actorInfo
Source: github_softwares_v1.18.exe String found in binary or memory: invalid escape code %q in stringgoogle/protobuf/descriptor.protoexceeded maximum recursion depthweak message %v is not linked in%v already implements proto.Enumfield %v has invalid nil pointercould not parse value for %v: %qcrypto/aes: output not full blockreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %s(\\)?(\$)(\()?\{?([A-Z0-9_]+)?\}?too many levels of symbolic links142108547152020037174224853515625710542735760100185871124267578125GODEBUG: no value specified for "bytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whenceslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangesync: RUnlock of unlocked RWMutexcrypto: requested hash function #go package net: confVal.netCgo = skip everything and stop the walkwaiting for unsupported file typeencoding: missing byte order markx509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesx509: no DEK-Info header in blockindefinite length found (not DER)struct contains unexported fieldssql: connection is already closedapplication/x-www-form-urlencodedtoo many Answers to pack (>65535)Float.GobDecode: buffer too smallSigEd25519 no Ed25519 collisions
Source: github_softwares_v1.18.exe String found in binary or memory: invalid escape code %q in stringgoogle/protobuf/descriptor.protoexceeded maximum recursion depthweak message %v is not linked in%v already implements proto.Enumfield %v has invalid nil pointercould not parse value for %v: %qcrypto/aes: output not full blockreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length CryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWImage base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %s(\\)?(\$)(\()?\{?([A-Z0-9_]+)?\}?too many levels of symbolic links142108547152020037174224853515625710542735760100185871124267578125GODEBUG: no value specified for "bytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whenceslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangesync: RUnlock of unlocked RWMutexcrypto: requested hash function #go package net: confVal.netCgo = skip everything and stop the walkwaiting for unsupported file typeencoding: missing byte order markx509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesx509: no DEK-Info header in blockindefinite length found (not DER)struct contains unexported fieldssql: connection is already closedapplication/x-www-form-urlencodedtoo many Answers to pack (>65535)Float.GobDecode: buffer too smallSigEd25519 no Ed25519 collisions
Source: github_softwares_v1.18.exe String found in binary or memory: google.protobuf.FieldOptions_JSTypegoogle.protobuf.FileDescriptorProtogoogle.protobuf.EnumDescriptorProtogoogle.protobuf.UninterpretedOption&descriptor.ServiceDescriptorProto{delimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messagecrypto/cipher: input not full blocksmethod ABI and value ABI don't alignreflect.Value.Equal: values of type Time.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionsyntax error scanning complex numberlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: github_softwares_v1.18.exe String found in binary or memory: google.protobuf.FieldOptions_JSTypegoogle.protobuf.FileDescriptorProtogoogle.protobuf.EnumDescriptorProtogoogle.protobuf.UninterpretedOption&descriptor.ServiceDescriptorProto{delimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messagecrypto/cipher: input not full blocksmethod ABI and value ABI don't alignreflect.Value.Equal: values of type Time.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionsyntax error scanning complex numberlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.init
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.init.func1
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Bytes
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.init.func2
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.init.0
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Protocol
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Payload
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.String
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Empty
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Unmarshal
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Marshal
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalJSON
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalJSON
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Scan
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.NewIDAddress
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.NewActorAddress
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.addressHash
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.NewFromBytes
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.newAddress
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.encode
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Checksum
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.base32decode
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.decode
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.ValidateChecksum
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.hash
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalBinary
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalBinary
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalCBOR
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalCBOR
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.init.1
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Bytes
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Empty
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Marshal
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalBinary
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalJSON
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Payload
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Protocol
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).String
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Unmarshal
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address.NewFromString
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install/internal/build.init
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install/product.init
Source: github_softwares_v1.18.exe String found in binary or memory: 1type:.eq.[3]github.com/valkey-io/valkey-go/internal/cmds.Completedtype:.eq.[4]github.com/valkey-io/valkey-go/internal/cmds.Completedtype:.eq.[5]github.com/valkey-io/valkey-go/internal/cmds.Completedgithub.com/airforce270/airbot/permission.initgolang.org/x/exp/rand.initgolang.org/x/exp/rand.NewSourcegolang.org/x/exp/rand.(*PCGSource).Seedgolang.org/x/exp/rand.Newgolang.org/x/exp/rand.readgolang.org/x/exp/rand.(*PCGSource).Uint64golang.org/x/exp/rand.(*PCGSource).multiplygolang.org/x/exp/rand.(*PCGSource).addgolang.org/x/exp/rand.(*LockedSource).Uint64golang.org/x/exp/rand.(*LockedSource).Seedgolang.org/x/exp/rand.(*LockedSource).Readgolang.org/x/exp/rand.(*PCGSource).MarshalBinarygolang.org/x/exp/rand.(*PCGSource).UnmarshalBinarytype:.eq.golang.org/x/exp/rand.Randgithub.com/onsi/gomega/format.initgithub.com/petergtz/pegomock/v4.initgithub.com/hashicorp/go-version.init.0github.com/hashicorp/go-version.prereleaseCheckgithub.com/hashicorp/go-version.(*Version).Prereleasegithub.com/hashicorp/go-version.(*Version).equalSegmentsgithub.com/hashicorp/go-version.(*Version).Segments64github.com/hashicorp/go-version.constraintEqualgithub.com/hashicorp/go-version.(*Version).Equalgithub.com/hashicorp/go-version.constraintNotEqualgithub.com/hashicorp/go-version.constraintGreaterThangithub.com/hashicorp/go-version.constraintLessThangithub.com/hashicorp/go-version.constraintGreaterThanEqualgithub.com/hashicorp/go-version.constraintLessThanEqualgithub.com/hashicorp/go-version.constraintPessimisticgithub.com/hashicorp/go-version.(*Version).LessThangithub.com/hashicorp/go-version.init.1github.com/hashicorp/go-version.newVersiongithub.com/hashicorp/go-version.(*Version).Comparegithub.com/hashicorp/go-version.allZerogithub.com/hashicorp/go-version.comparePartgithub.com/hashicorp/go-version.comparePrereleasesgithub.com/hashicorp/go-version.(*Version).Stringgolang.org/x/mod/internal/lazyregexp.initgolang.org/x/mod/internal/lazyregexp.Newgolang.org/x/mod/internal/lazyregexp.(*Regexp).regolang.org/x/mod/internal/lazyregexp.(*Regexp).build-fmgolang.org/x/mod/internal/lazyregexp.(*Regexp).buildtype:.eq.golang.org/x/mod/internal/lazyregexp.Regexpgolang.org/x/mod/module.initgolang.org/x/mod/modfile.initgithub.com/hashicorp/hc-install/internal/build.initgithub.com/hashicorp/go-version.NewVersiongithub.com/hashicorp/go-version.Mustgithub.com/hashicorp/hc-install/product.initdebug/dwarf.initmain.initmain.DTmrIgCrphmain.Md5Encodemain.ytKayiJWPamain.VAWaNIGxhkmain.Memcpymain.Memsetmain.EUmYbmcUAGmain.ocwRCsCPHRio/ioutil.ReadFilemain.randSeqmain.pPUVgZVyOEmain.init.0main.mainmain.TerminateProcessmain.IsBadReadPtrmain.VirtualAllocmain.VirtualAllocExmain.cakJEcUUFAmain.ydalavksVTmain.CrgIsaShqomain.Is64Bitmain.emxWBxUpUdmain.JTHjHPuFMmmain.(*ApplyRelocCallback).processRelocFieldmain.FaFbjTwpAYmain.LEwTRJnGzVmain.(*BASE_RELOCATION_ENTRY).GetOffsetmain.(*BASE_RELOCATION_ENTRY).GetTypemain.ijGZAeCxnhmain.aRhdRNnUlAmain.BVhioCgrSVmain.bSVtHWyZxSmain.IeOSmicYkbmain.xSJjUNcndjmain.Virtual
Source: github_softwares_v1.18.exe String found in binary or memory: net/addrselect.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/constants.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/magiconair/properties@v1.8.7/load.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/internal/build/go_build.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/internal/build/install_go_version.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/internal/build/install_go_version.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/product/terraform.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/product/consul.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/product/nomad.go
Source: github_softwares_v1.18.exe String found in binary or memory: github.com/hashicorp/hc-install@v0.7.1-0.20240607080111-03e0bd63529f/product/vault.go
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe File read: C:\Users\user\Desktop\github_softwares_v1.18.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\github_softwares_v1.18.exe "C:\Users\user\Desktop\github_softwares_v1.18.exe"
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: github_softwares_v1.18.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: github_softwares_v1.18.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: github_softwares_v1.18.exe Static file information: File size 30190080 > 1048576
Source: github_softwares_v1.18.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xdee600
Source: github_softwares_v1.18.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xd33e00
Source: github_softwares_v1.18.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000580000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708247125.000000C000400000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701551736.0000014A798F0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000003.1701601425.0000014A798B0000.00000004.00001000.00020000.00000000.sdmp, github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C0006A1000.00000004.00001000.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: github_softwares_v1.18.exe Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A43710 push ecx; ret 1_2_02A43711
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A43718 push ecx; ret 1_2_02A43719
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe System information queried: FirmwareTableInformation Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7148 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7132 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: BitLockerToGo.exe, 00000001.00000003.1794021894.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1846072628.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1844557480.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730573797.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1730674997.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: github_softwares_v1.18.exe, 00000000.00000002.1708816779.0000014A54234000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_02A39870 LdrInitializeThunk, 1_2_02A39870

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bravedreacisopm.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: shellfyyousdjz.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: broccoltisop.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: grassytaisol.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stimultaionsppzv.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: parntorpkxzlp.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: effectivedoxzj.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: horizonvxjis.shop
Source: github_softwares_v1.18.exe, 00000000.00000002.1708564024.000000C000618000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: weaknessmznxo.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2A00000 Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29F6008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Queries volume information: C:\Users\user\Desktop\github_softwares_v1.18.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\github_softwares_v1.18.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Go Injector
Source: Yara match File source: github_softwares_v1.18.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1663970758.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1711084287.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: github_softwares_v1.18.exe PID: 6632, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 7056, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: BitLockerToGo.exe, 00000001.00000003.1754529360.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertynyb9B|
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000001.00000003.1777769387.0000000002E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: BitLockerToGo.exe, 00000001.00000003.1794021894.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: BitLockerToGo.exe, 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000001.00000003.1777769387.0000000002E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000003.1777410523.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1777480522.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 7056, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Go Injector
Source: Yara match File source: github_softwares_v1.18.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1663970758.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1711084287.00007FF764F18000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: github_softwares_v1.18.exe PID: 6632, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 7056, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1483201 Sample: github_softwares_v1.18.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 14 weaknessmznxo.shop 2->14 16 18.31.95.13.in-addr.arpa 2->16 20 Found malware configuration 2->20 22 Malicious sample detected (through community Yara rule) 2->22 24 Antivirus detection for URL or domain 2->24 26 5 other signatures 2->26 7 github_softwares_v1.18.exe 2 2->7         started        signatures3 process4 signatures5 28 Writes to foreign memory regions 7->28 30 Allocates memory in foreign processes 7->30 32 Injects a PE file into a foreign processes 7->32 34 LummaC encrypted strings found 7->34 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 18 weaknessmznxo.shop 172.67.159.243, 443, 49731, 49732 CLOUDFLARENETUS United States 10->18 36 Query firmware table information (likely to detect VMs) 10->36 38 Found many strings related to Crypto-Wallets (likely being stolen) 10->38 40 Tries to harvest and steal ftp login credentials 10->40 42 2 other signatures 10->42 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.159.243
 weaknessmznxo.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
weaknessmznxo.shop 172.67.159.243 true
18.31.95.13.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
bravedreacisopm.shop true
  • Avira URL Cloud: phishing
 unknown
stimultaionsppzv.shop true
  • Avira URL Cloud: malware
 unknown
https://weaknessmznxo.shop/api false
  • Avira URL Cloud: malware
 unknown
horizonvxjis.shop true
  • Avira URL Cloud: safe
 unknown
weaknessmznxo.shop true
  • Avira URL Cloud: safe
 unknown
broccoltisop.shop true
  • Avira URL Cloud: safe
 unknown
grassytaisol.shop true
  • Avira URL Cloud: safe
 unknown
parntorpkxzlp.shop true
  • Avira URL Cloud: safe
 unknown
effectivedoxzj.shop true
  • Avira URL Cloud: malware
 unknown
shellfyyousdjz.shop true
  • Avira URL Cloud: safe
 unknown