Windows Analysis Report
17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe

Overview

General Information

Sample name: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe
Analysis ID: 1540039
MD5: b992d0f96d8bdd24dde3af6063153d5c
SHA1: 1402dc34a53a0aeabc29114df26e7afc2618b045
SHA256: 63629d920cce134d2db14888cd49f4c1ea88e5b2cdf2cd5a0473d62a1379bf70
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Uses 32bit PE files

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Avira: detected
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Malware Configuration Extractor: LummaC {"C2 url": ["negotationpxczp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "liernessfornicsa.shop", "unseaffarignsk.shop", "outpointsozp.shop", "upknittsoappz.shop", "indexterityszcoxp.shop", "shepherdlyopzc.shop"], "Build id": "RKiJ2s--mondeytraff"}
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.5% probability
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Joe Sandbox ML: detected
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: indexterityszcoxp.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: lariatedzugspd.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: callosallsaospz.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: outpointsozp.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: liernessfornicsa.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: upknittsoappz.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: shepherdlyopzc.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: unseaffarignsk.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: negotationpxczp.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: TeslaBrowser/5.5
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: - Screen Resoluton:
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: - Physical Installed Memory:
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: Workgroup: -
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String decryptor: RKiJ2s--mondeytraff
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor URLs: negotationpxczp.shop
Source: Malware configuration extractor URLs: lariatedzugspd.shop
Source: Malware configuration extractor URLs: callosallsaospz.shop
Source: Malware configuration extractor URLs: liernessfornicsa.shop
Source: Malware configuration extractor URLs: unseaffarignsk.shop
Source: Malware configuration extractor URLs: outpointsozp.shop
Source: Malware configuration extractor URLs: upknittsoappz.shop
Source: Malware configuration extractor URLs: indexterityszcoxp.shop
Source: Malware configuration extractor URLs: shepherdlyopzc.shop

System Summary

Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: section name: `.rdat
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: section name: @.data
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC size: 0xe8000500 address: 0x0
Source: classification engine Classification label: mal100.troj.evad.winEXE@0/0@0/0
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe ReversingLabs: Detection: 23%
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: real checksum: 0x4 should be: 0x4ed88
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: section name: `.rdat
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: section name: .relo
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe Static PE information: section name: @.data

HIPS / PFW / Operating System Protection Evasion

Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: indexterityszcoxp.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: lariatedzugspd.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: callosallsaospz.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: outpointsozp.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: liernessfornicsa.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: upknittsoappz.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: shepherdlyopzc.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: unseaffarignsk.shop
Source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe String found in binary or memory: negotationpxczp.shop

Stealing of Sensitive Information

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match File source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match File source: 17296648072623f4a0a7a8993b24c9944db2d8a4b5cb8181b271031f3cc3e1ec5d4594da6f490.dat-decoded.exe, type: SAMPLE
No contacted IP infos