Edit tour
Windows
Analysis Report
PVUfopbGfc.exe
Overview
General Information
| Sample name: | PVUfopbGfc.exerenamed because original name is a hash value |
| Original sample name: | 402aacbb8dc07d96733eee2292f709d89d65efbe82d55e0dd4b7764cdde287b5.exe |
| Analysis ID: | 1524840 |
| MD5: | 249ed615e8b43896fffd3cb3755c7a0a |
| SHA1: | 1b28a72f6746ad76f7b25ab767ce7b775282fbeb |
| SHA256: | 402aacbb8dc07d96733eee2292f709d89d65efbe82d55e0dd4b7764cdde287b5 |
| Tags: | AciraConsultingIncexeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
LummaC
| Score: | 76 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Compliance
| Score: | 52 |
| Range: | 0 - 100 |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
LummaC encrypted strings found
Maps a DLL or memory area into another process
Modifies the DNS server
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Queries sensitive system registry key value via command line tool
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Tap Installer Execution
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match
Classification
- System is w10x64
PVUfopbGfc.exe (PID: 6472 cmdline: "C:\Users\ user\Deskt op\PVUfopb Gfc.exe" MD5: 249ED615E8B43896FFFD3CB3755C7A0A) - PVUfopbGfc.tmp (PID: 6632 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-QNO JK.tmp\PVU fopbGfc.tm p" /SL5="$ 1046E,2038 2094,73574 4,C:\Users \user\Desk top\PVUfop bGfc.exe" MD5: 259E3EE4646FC251C3513EEF2683479F) 
cmd.exe (PID: 2448 cmdline: "C:\Window s\system32 \cmd.exe" /C ""C:\Pr ogram File s\FastestV PN\Resourc es\driver\ install_ta p.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5388 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
reg.exe (PID: 3356 cmdline: reg Query "HKLM\Hard ware\Descr iption\Sys tem\Centra lProcessor \0" MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 5580 cmdline:
find /i "x 86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 6276 cmdline:
C:\Windows \system32\ cmd.exe /c ver MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - tapinstall.exe (PID: 5568 cmdline:
tapinstall .exe remov e tap0901 MD5: E313336C82EB265542664CC7A360C5FF) - tapinstall.exe (PID: 1560 cmdline:
tapinstall .exe insta ll OemVist a.inf tap0 901 MD5: E313336C82EB265542664CC7A360C5FF) - cmd.exe (PID: 6640 cmdline:
"C:\Window s\system32 \cmd.exe" /C ""C:\Pr ogram File s\FastestV PN\Resourc es\sp\inst all_sp.bat "" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6648 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 5596 cmdline:
sc stop fa stestvpndr iver MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 6608 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 180 cmdline:
reg Query "HKLM\Hard ware\Descr iption\Sys tem\Centra lProcessor \0" MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 5528 cmdline:
find /i "x 86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - reg.exe (PID: 6512 cmdline:
reg QUERY "HKLM\SOFT WARE\Micro soft\Windo ws NT\Curr entVersion " MD5: 227F63E1D9008B36BDBCC4B397780BE4) - find.exe (PID: 5612 cmdline:
find /i "W indows 7" MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - xcopy.exe (PID: 3224 cmdline:
xcopy /y d river\wind ows8\amd64 \fastestvp ndriver.sy s C:\Windo ws\system3 2\drivers MD5: 39FBFD3AF58238C6F9D4D408C9251FF5) - nfregdrv.exe (PID: 3116 cmdline:
release\nf regdrv.exe -u fastes tvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2) - nfregdrv.exe (PID: 1020 cmdline:
release\nf regdrv.exe fastestvp ndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2) - sc.exe (PID: 6108 cmdline:
"C:\Window s\system32 \sc.exe" s top Fastes tVPNServic e MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 5380 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - FastestVPN.WindowsService.exe (PID: 6276 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" -- uninstall MD5: 22D4E4267DFE093E5E23C2F3D7741AA4) 
WerFault.exe (PID: 6696 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 6 276 -s 107 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - sc.exe (PID: 6044 cmdline:
"C:\Window s\system32 \sc.exe" d elete Fast estVPNServ ice MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 5008 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - FastestVPN.WindowsService.exe (PID: 1272 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" -- install MD5: 22D4E4267DFE093E5E23C2F3D7741AA4) - subinacl.exe (PID: 6824 cmdline:
"C:\Progra m Files\Fa stestVPN\s ubinacl.ex e" /servic e FastestV PNService /GRANT=eve ryone=TO MD5: 4798226EE22C513302EE57D3AA94398B) - conhost.exe (PID: 5684 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 5612 cmdline:
"C:\Window s\system32 \sc.exe" s tart Faste stVPNServi ce MD5: 3FB5CF71F7E7EB49790CB0E663434D80) - conhost.exe (PID: 5756 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
ComDebug.exe (PID: 1220 cmdline: "C:\Progra m Files\Fa stestVPN\R esources\C omDebug.ex e" MD5: 850A43E323656B86AE665D8B4FD71369) - netsh.exe (PID: 1240 cmdline:
C:\Windows \SysWOW64\ netsh.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF) - conhost.exe (PID: 3556 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Launcher.exe (PID: 5328 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\Launche r.exe MD5: F43C6B629BAAAAEE1E7FE095A8821631) - FastestVPN.exe (PID: 1976 cmdline:
"C:\Progra m Files\Fa stestVPN\F astestVPN. exe" MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1)
- svchost.exe (PID: 5484 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s DeviceIn stall MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - drvinst.exe (PID: 2860 cmdline:
DrvInst.ex e "4" "0" "C:\Users\ user\AppDa ta\Local\T emp\{d561b 4bd-4963-9 34e-b2b1-0 e0727e3625 0}\oemvist a.inf" "9" "4d14a44f f" "000000 0000000160 " "WinSta0 \Default" "000000000 0000158" " 208" "c:\p rogram fil es\fastest vpn\resour ces\driver \windows10 \amd64" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9) - drvinst.exe (PID: 2672 cmdline:
DrvInst.ex e "2" "211 " "ROOT\NE T\0000" "C :\Windows\ INF\oem4.i nf" "oem4. inf:3beb73 aff103cc24 :tap0901.n di:9.24.2. 601:tap090 1," "4d14a 44ff" "000 0000000000 180" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- svchost.exe (PID: 1048 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s N etSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1684 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 5576 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 452 -p 62 76 -ip 627 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - dllhost.exe (PID: 6276 cmdline:
C:\Windows \system32\ DllHost.ex e /Process id:{AB8902 B4-09CA-4B B6-B78D-A8 F59079A8D5 } MD5: 08EB78E5BE019DF044C26B14703BD1FA)
- svchost.exe (PID: 7032 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s w lidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- FastestVPN.exe (PID: 6020 cmdline:
"C:\Progra m Files\Fa stestVPN\F astestVPN. exe" -auto run MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1) 
powershell.exe (PID: 5836 cmdline: "powershel l" -window style hidd en get-wmi object Win 32_Compute rSystemPro duct | Sel ect-Object -ExpandPr operty UUI D MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 3856 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 1020 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- FastestVPN.WindowsService.exe (PID: 1408 cmdline:
"C:\Progra m Files\Fa stestVPN\S ervice\Fas testVPN.Wi ndowsServi ce.exe" MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["bargainnykwo.shop", "benchillppwo.shop", "scatterdshsadyi.shop", "answerrsdo.shop", "bannngwko.shop", "affecthorsedpo.shop", "bouncedgowp.shop", "radiationnopp.shop", "publicitttyps.shop"], "Build id": "long--try"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Daniil Yugoslavskiy, Ian Davis, oscd.community: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: vburov: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
Exploits | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Compliance | |
|---|
| Source: | Static PE information: | ||
| Source: | Window detected: | ||