Windows
Analysis Report
OqAVRCkQ3T.exe
Overview
General Information
Sample name: | OqAVRCkQ3T.exe (renamed because original name is a hash value) |
Original sample name: | 649ec4858e572e0145e35a9faa712708949b7bb1bce1594154cda580d80a0ca9.exe |
Analysis ID: | 1524835 |
MD5: | 6d6a207d5513fa5ac6ead647f5d66a6a |
SHA1: | 913e0d1aadbc1593b76f6442bb89070bc4a5e224 |
SHA256: | 649ec4858e572e0145e35a9faa712708949b7bb1bce1594154cda580d80a0ca9 |
Tags: | AciraConsultingInc, exe, user-JAMESWT_MHT |
Infos: | |
Detection
LummaC
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected LummaC Stealer
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
LummaC encrypted strings found
Maps a DLL or memory area into another process
Modifies the DNS server
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Queries sensitive system registry key value via command line tool
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Tap Installer Execution
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
- OqAVRCkQ3T.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\OqAVRCkQ3T.exe" MD5: 6D6A207D5513FA5AC6EAD647F5D66A6A)
- OqAVRCkQ3T.tmp (PID: 5664 cmdline: "C:\Users\user\AppData\Local\Temp\is-NCD3D.tmp\OqAVRCkQ3T.tmp" /SL5="$20440,29832184,735744,C:\Users\user\Desktop\OqAVRCkQ3T.exe" MD5: 259E3EE4646FC251C3513EEF2683479F)
- ComDebug.exe (PID: 7156 cmdline: "C:\Program Files\FastestVPN\Resources\ComDebug.exe" MD5: F892887D8532D19F74884CDC48B1AC8B)
- more.com (PID: 3772 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
- conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- SearchIndexer.exe (PID: 4820 cmdline: C:\Windows\SysWOW64\SearchIndexer.exe MD5: CF7BEFBA5E20F2F4C7851D016067B89C)
- WerFault.exe (PID: 4476 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 384 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cmd.exe (PID: 3788 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\driver\install_tap.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 7064 cmdline: reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- find.exe (PID: 1576 cmdline: find /i "x86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- cmd.exe (PID: 3116 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- tapinstall.exe (PID: 6532 cmdline: tapinstall.exe remove tap0901 MD5: E313336C82EB265542664CC7A360C5FF)
- tapinstall.exe (PID: 5312 cmdline: tapinstall.exe install OemVista.inf tap0901 MD5: E313336C82EB265542664CC7A360C5FF)
- cmd.exe (PID: 3348 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\sp\install_sp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 5956 cmdline: sc stop fastestvpndriver MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 1248 cmdline: reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- find.exe (PID: 2460 cmdline: find /i "x86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- reg.exe (PID: 7116 cmdline: reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
- find.exe (PID: 7060 cmdline: find /i "Windows 7" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- xcopy.exe (PID: 5548 cmdline: xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
- nfregdrv.exe (PID: 6676 cmdline: release\nfregdrv.exe -u fastestvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2)
- nfregdrv.exe (PID: 5552 cmdline: release\nfregdrv.exe fastestvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2)
- sc.exe (PID: 5600 cmdline: "C:\Windows\system32\sc.exe" stop FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- FastestVPN.WindowsService.exe (PID: 7136 cmdline: "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --uninstall MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
- WerFault.exe (PID: 7044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 1076 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- sc.exe (PID: 3376 cmdline: "C:\Windows\system32\sc.exe" delete FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- FastestVPN.WindowsService.exe (PID: 6404 cmdline: "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --install MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
- subinacl.exe (PID: 6504 cmdline: "C:\Program Files\FastestVPN\subinacl.exe" /service FastestVPNService /GRANT=everyone=TO MD5: 4798226EE22C513302EE57D3AA94398B)
- conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 6052 cmdline: "C:\Windows\system32\sc.exe" start FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 5608 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- drvinst.exe (PID: 2292 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{31188e45-00ef-574a-b678-058228a97b23}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "c:\program files\fastestvpn\resources\driver\windows10\amd64" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- drvinst.exe (PID: 1020 cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901," "4d14a44ff" "0000000000000158" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- svchost.exe (PID: 6660 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- FastestVPN.exe (PID: 3292 cmdline: "C:\Program Files\FastestVPN\FastestVPN.exe" -autorun MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1)
- powershell.exe (PID: 3792 cmdline: "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 4456 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- WerFault.exe (PID: 7080 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7136 -ip 7136 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 760 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4820 -ip 4820 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- svchost.exe (PID: 6252 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 4612 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["affecthorsedpo.shop", "bargainnykwo.shop", "publicitttyps.shop", "radiationnopp.shop", "bannngwko.shop", "bouncedgowp.shop", "benchillppwo.shop", "scatterdshsadyi.shop", "answerrsdo.shop"], "Build id": "long--try"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
System Summary |
---|
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Daniil Yugoslavskiy, Ian Davis, oscd.community: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: vburov: |
No Suricata rule has matched
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | String decryptor: | ||
Source: | Static PE information: |
Source: | Window detected: |