Windows Analysis Report
17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe

Overview

General Information

Sample name: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe
Analysis ID: 1540041
MD5: 032c2903ea0d9c40a8fcb4d1c5b5df84
SHA1: ceab8cb392b4fb8185724876d0f744e5ef0303ae
SHA256: ba51abd4f461b582657dfd1f0d3fbe0e18ff178bc958ee182ca6d200dd0548e5
Tags: base64-decoded, exe, user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
PE file contains section with special chars
Sample uses string decryption to hide its real strings
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Uses 32bit PE files

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration (LummaC):
{"C2 url": ["lariatedzugspd.shop", "shepherdlyopzc.shop", "indexterityszcoxp.shop", "callosallsaospz.shop", "handyxczos.shop", "unseaffarignsk.shop", "outpointsozp.shop", "upknittsoappz.shop", "liernessfornicsa.shop"], "Build id": "RKiJ2s--zz"}
Yara matches
Source: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe | Rule: JoeSecurity_LummaCStealer_4 | Description: Yara detected LummaC Stealer | Author: Joe Security
Source: decrypted.binstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security

No Sigma rule has matched
No Suricata rule has matched

      AV Detection

Source: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe
  Avira: detected
  Malware Configuration Extractor: LummaC {"C2 url": ["lariatedzugspd.shop", "shepherdlyopzc.shop", "indexterityszcoxp.shop", "callosallsaospz.shop", "handyxczos.shop", "unseaffarignsk.shop", "outpointsozp.shop", "upknittsoappz.shop", "liernessfornicsa.shop"], "Build id": "RKiJ2s--zz"}
  ReversingLabs: Detection: 23%
  String decryptor: indexterityszcoxp.shop
  String decryptor: lariatedzugspd.shop
  String decryptor: callosallsaospz.shop
  String decryptor: outpointsozp.shop
  String decryptor: liernessfornicsa.shop
  String decryptor: upknittsoappz.shop
  String decryptor: shepherdlyopzc.shop
  String decryptor: unseaffarignsk.shop
  String decryptor: handyxczos.shop
  String decryptor: lid=%s&j=%s&ver=4.0
  String decryptor: TeslaBrowser/5.5
  String decryptor: - Screen Resoluton:
  String decryptor: - Physical Installed Memory:
  String decryptor: Workgroup: -
  String decryptor: RKiJ2s--zz
  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Submitted Sample
  Integrated Neural Analysis Model: Matched 95.5% probability

      Networking

Source: Malware configuration extractor
  URLs: lariatedzugspd.shop
  URLs: shepherdlyopzc.shop
  URLs: indexterityszcoxp.shop
  URLs: callosallsaospz.shop
  URLs: handyxczos.shop
  URLs: unseaffarignsk.shop
  URLs: outpointsozp.shop
  URLs: upknittsoappz.shop
  URLs: liernessfornicsa.shop
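The configuration extractor lists nine C2 hosts, and the string decryptor in the AV Detection section recovered the beacon's user agent ("TeslaBrowser/5.5") and POST body format ("lid=%s&j=%s&ver=4.0"). Because the sample never launched, the report contains no network capture to pivot on, so the static indicators are all a defender gets. The Python below is an added example, not part of the Joe Sandbox report: it turns those indicators into detection logic over a constructed proxy log and emits equivalent Suricata rules. The pipe-separated log format, the client addresses, and the values filling the two %s placeholders are assumptions; the domains, user agent and body shape come from the report.

```python
import re
from urllib.parse import urlsplit

# C2 domains as listed by the report's configuration extractor.
LUMMA_C2 = {
    "lariatedzugspd.shop", "shepherdlyopzc.shop", "indexterityszcoxp.shop",
    "callosallsaospz.shop", "handyxczos.shop", "unseaffarignsk.shop",
    "outpointsozp.shop", "upknittsoappz.shop", "liernessfornicsa.shop",
}
LUMMA_UA = "TeslaBrowser/5.5"  # decrypted user-agent string from the report
# Decrypted POST body format was "lid=%s&j=%s&ver=4.0"; the report does not say
# what fills the two %s, so only the shape of the body is matched.
LUMMA_BODY = re.compile(r"^lid=[^&]+&j=[^&]+&ver=4\.0$")

# Constructed proxy log (assumed format, not traffic from the report):
# timestamp|client|method|url|user_agent|request_body
SAMPLE_LOG = [
    "2024-10-23T09:31:02Z|10.0.0.5|POST|http://lariatedzugspd.shop/api|TeslaBrowser/5.5|lid=BUILD&j=HWID&ver=4.0",
    "2024-10-23T09:31:05Z|10.0.0.5|GET|https://www.example.com/|Mozilla/5.0|",
    "2024-10-23T09:32:10Z|10.0.0.7|POST|http://cdn.example.net/upload|TeslaBrowser/5.5|data=1",
    "2024-10-23T09:33:44Z|10.0.0.9|POST|http://cdn.handyxczos.shop/|Mozilla/5.0|lid=x&j=y&ver=4.0",
]


def host_is_c2(host):
    """Exact or subdomain match against the extracted C2 list."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LUMMA_C2)


def parse_line(line):
    ts, client, method, url, ua, body = line.rstrip("\n").split("|", 5)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua, "body": body}


def classify(rec):
    """Independent indicators the record matches, strongest first."""
    reasons = []
    if host_is_c2(urlsplit(rec["url"]).hostname):
        reasons.append("c2-domain")
    if rec["ua"] == LUMMA_UA:
        reasons.append("lumma-user-agent")
    if rec["method"] == "POST" and LUMMA_BODY.match(rec["body"]):
        reasons.append("lumma-beacon-body")
    return reasons


def scan(lines):
    """(line number, client, reasons) for every record that trips at least one indicator."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((n, rec["client"], reasons))
    return alerts


def suricata_rules(base_sid=9000000):
    """The same indicators as Suricata 5+ rules using the http.host / http.user_agent sticky buffers."""
    rules = []
    for i, d in enumerate(sorted(LUMMA_C2)):
        rules.append(f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LummaC C2 host {d}"; '
                     f'flow:established,to_server; http.host; content:"{d}"; endswith; sid:{base_sid + i}; rev:1;)')
    rules.append(f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LummaC user-agent"; '
                 f'flow:established,to_server; http.user_agent; content:"{LUMMA_UA}"; '
                 f'sid:{base_sid + len(LUMMA_C2)}; rev:1;)')
    return rules


if __name__ == "__main__":
    for n, client, reasons in scan(SAMPLE_LOG):
        print(f"line {n} from {client}: {', '.join(reasons)}")
    print("\n".join(suricata_rules()))
```

The three indicators are scored independently on purpose: the domain match is the strongest signal (the hosts are newly registered .shop names with no other use), the user agent is distinctive but trivially spoofable, and the body shape alone catches beacons to a C2 host that was rotated after this configuration was extracted.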

      System Summary

Source: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe
  Static PE information: section name: `.rdat
  Static PE information: section name: .relo
  Static PE information: section name: @.data
  Static PE information: No import functions for PE file found
  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC size: 0xe8000500 address: 0x0
  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE
  Static PE information: Virtual size of .text is bigger than: 0x100000
  Static PE information: real checksum: 0x4 should be: 0x55f9f
  ReversingLabs: Detection: 23%
Source: classification engine
  Classification label: mal100.troj.evad.winEXE@0/0@0/0

      HIPS / PFW / Operating System Protection Evasion

Source: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe
  String found in binary or memory: indexterityszcoxp.shop
  String found in binary or memory: lariatedzugspd.shop
  String found in binary or memory: callosallsaospz.shop
  String found in binary or memory: outpointsozp.shop
  String found in binary or memory: liernessfornicsa.shop
  String found in binary or memory: upknittsoappz.shop
  String found in binary or memory: shepherdlyopzc.shop
  String found in binary or memory: unseaffarignsk.shop
  String found in binary or memory: handyxczos.shop

      Stealing of Sensitive Information

Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match | File source: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe, type: SAMPLE

      Remote Access Functionality

Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match | File source: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe, type: SAMPLE

MITRE ATT&CK Matrix
(numbers in parentheses are the per-technique signature counts shown in the report)
Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: PowerShell (1)
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Deobfuscate/Decode Files or Information (1)
Credential Access: OS Credential Dumping
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Source | Detection | Scanner | Label | Link
17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe | 24% | ReversingLabs | Win32.PUA.Lumma |
17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
No Antivirus matches
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
shepherdlyopzc.shop | true | | unknown
unseaffarignsk.shop | true | | unknown
handyxczos.shop | true | | unknown
outpointsozp.shop | true | | unknown
lariatedzugspd.shop | true | | unknown
liernessfornicsa.shop | true | | unknown
upknittsoappz.shop | true | | unknown
callosallsaospz.shop | true | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540041
Start date and time: 2024-10-23 11:26:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@0/0@0/0
Cookbook Comments:
• Found application associated with file extension: .exe
• Unable to launch sample, stop analysis
• No process behavior to analyse as no analysis process or sample was found
• Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
• Exclude process from analysis (whitelisted): dllhost.exe
• VT rate limit hit for: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe
                      No simulations
                      No context
                      No created / dropped files found
File type: PE32 executable Intel 80386, for MS Windows
Entropy (8bit): 6.637968730970428
TrID:
• Generic Win/DOS Executable (2004/3) 49.94%
• DOS Executable Generic (2002/1) 49.89%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
File name: 17296647877973b4d9dacccd509287d19eb0a4cdb4da42c6375f710743c6efc85b741dd259582.dat-decoded.exe
File size: 317'349 bytes
MD5: 032c2903ea0d9c40a8fcb4d1c5b5df84
SHA1: ceab8cb392b4fb8185724876d0f744e5ef0303ae
SHA256: ba51abd4f461b582657dfd1f0d3fbe0e18ff178bc958ee182ca6d200dd0548e5
SHA512: 8aade2a6a35e6e5ca76dccf03b63c225e37dc2f908c501f0713f0861b745393332ca46ede6defdf4aa03f2421cff0b44258ca66d7a87876a857c31c89b8d525b
SSDEEP: 6144:F4JNOM2m2dTBjc8EVxKTP9hYD6iSHIrbyhcayyD86liA+6RYjVNtUhu1MazH0:uJrJ2fcB0/iNrusnI+w
TLSH: 24645B02D73750A1EC8B0A7630AB723BA6372B0743284DCBDF5CDBB47563AA16476D46
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...r..f...................:.........................@..........................P............@.....................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x90000000
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x0
Subsystem: unknown
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NO_ISOLATION
Time Stamp: 0x669A8072 [Fri Jul 19 15:04:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 2
OS Version Minor: 1536
File Version Major: 2
File Version Minor: 1536
Subsystem Version Major: 2
Subsystem Version Minor: 1536
Import Hash:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf2000000 | 0x780003f6 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0xe8000500 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49 | 0x0 | `.rdat
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000000 | 0x9c0003f8 | `.rdat
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
`.rdat | 0x2a | 0xdb000061 | 0x3d0 | b106cd9de68ea354160f0e5d93577bac | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ
.relo | 0x49 | 0xe8000063 | 0x500 | e0130d5ad16430a3c0a586b4dd9e6ce2 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ
@.data | 0xf7 | 0x94000000 | 0x400 | f286e046efd49393ef630472ce838b71 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ
.text | 0x3bc | 0xb2000000 | 0x10 | 4ae71336e44bf9bf79d2752e234818a5 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE
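The header fields above explain the launch failure recorded under Errors: ImageBase 0x0, an entry point of 0x90000000 far beyond any plausible image size, an unknown subsystem, OS and subsystem versions of 2.1536, a base-relocation directory of size 0xe8000500 at RVA 0, no import directory, a checksum of 0x4 where 0x55f9f is expected, and section names containing characters such as a backtick and an at sign. The Windows loader rejects such an image with "%1 is not a valid Win32 application", so the report carries only static findings (Yara, string decryption, extracted configuration) and no behaviour. The Python below is an added example, not code from the report or from Joe Security: it recomputes the PE checksum the way the loader does and runs the same class of static checks over a constructed minimal PE32, once with sane values and once with the anomalous values from this report. The minimal PE layout, the chosen SizeOfImage, and the wording of the findings are assumptions for illustration.

```python
import struct

# Fixed field offsets inside a PE32 optional header (PE/COFF specification).
OPT_MAGIC, OPT_ENTRYPOINT, OPT_IMAGEBASE, OPT_SIZEOFIMAGE = 0, 16, 28, 56
OPT_CHECKSUM, OPT_SUBSYSTEM, OPT_NUM_DIRS, OPT_DATADIRS = 64, 68, 92, 96
DIR_IMPORT, DIR_BASERELOC = 1, 5
KNOWN_SUBSYSTEMS = {1, 2, 3}  # NATIVE, WINDOWS_GUI, WINDOWS_CUI
SECTION_NAME_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._$")


def pe_checksum(data, checksum_file_offset):
    """CheckSum as the loader computes it: DWORD sum with end-around carry, skipping the field itself, folded to 16 bits, plus file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_file_offset // 4
    acc = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        acc += struct.unpack_from("<I", padded, i * 4)[0]
        if acc >= 1 << 32:
            acc = (acc & 0xFFFFFFFF) + (acc >> 32)
    acc = (acc & 0xFFFF) + (acc >> 16)
    acc += acc >> 16
    return (acc & 0xFFFF) + len(data)


def header_findings(data):
    """Static sanity checks on a PE32 header; an empty list means nothing looked wrong."""
    if data[:2] != b"MZ":
        return ["missing MZ signature"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature"]
    coff, opt = e_lfanew + 4, e_lfanew + 24
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    u32 = lambda off: struct.unpack_from("<I", data, opt + off)[0]
    findings = []
    if struct.unpack_from("<H", data, opt + OPT_MAGIC)[0] != 0x10B:
        findings.append("optional header magic is not PE32")
    entry, image_base, size_of_image = u32(OPT_ENTRYPOINT), u32(OPT_IMAGEBASE), u32(OPT_SIZEOFIMAGE)
    if image_base == 0:
        findings.append("ImageBase is 0")
    if entry >= size_of_image:
        findings.append(f"entry point 0x{entry:x} lies outside SizeOfImage 0x{size_of_image:x}")
    subsystem = struct.unpack_from("<H", data, opt + OPT_SUBSYSTEM)[0]
    if subsystem not in KNOWN_SUBSYSTEMS:
        findings.append(f"unknown subsystem {subsystem}")
    stored, expected = u32(OPT_CHECKSUM), pe_checksum(data, opt + OPT_CHECKSUM)
    if stored != expected:
        findings.append(f"real checksum 0x{stored:x} should be 0x{expected:x}")
    ndirs = min(u32(OPT_NUM_DIRS), 16)
    dirs = [struct.unpack_from("<II", data, opt + OPT_DATADIRS + 8 * i) for i in range(ndirs)]
    if ndirs <= DIR_IMPORT or dirs[DIR_IMPORT] == (0, 0):
        findings.append("no import directory (PE imports no functions)")
    for i, (rva, size) in enumerate(dirs):
        if size and rva + size > size_of_image:
            findings.append(f"data directory {i} (rva 0x{rva:x}, size 0x{size:x}) exceeds the image")
    sec = opt + struct.unpack_from("<H", data, coff + 16)[0]
    for n in range(nsec):
        name = data[sec + 40 * n:sec + 40 * n + 8].rstrip(b"\0")
        if not name or any(c not in SECTION_NAME_CHARS for c in name):
            findings.append(f"section name {name!r} contains special characters")
    return findings


def build_pe(image_base=0x400000, entry=0x1000, subsystem=3, section_name=b".text",
             checksum=None, import_dir=(0x2000, 0x40), reloc_dir=(0, 0)):
    """Constructed minimal PE32 (assumed layout, not the report's sample): one section of 'ret' filler."""
    file_align, size_of_image = 0x200, 0x3000
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)    # i386, 1 section, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, OPT_MAGIC, 0x10B)
    struct.pack_into("<I", opt, OPT_ENTRYPOINT, entry)
    struct.pack_into("<I", opt, OPT_IMAGEBASE, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, file_align)              # SectionAlignment, FileAlignment
    struct.pack_into("<HH", opt, 48, 6, 0)                            # subsystem version 6.0
    struct.pack_into("<I", opt, OPT_SIZEOFIMAGE, size_of_image)
    struct.pack_into("<I", opt, 60, file_align)                       # SizeOfHeaders
    struct.pack_into("<H", opt, OPT_SUBSYSTEM, subsystem)
    struct.pack_into("<I", opt, OPT_NUM_DIRS, 16)
    struct.pack_into("<II", opt, OPT_DATADIRS + 8 * DIR_IMPORT, *import_dir)
    struct.pack_into("<II", opt, OPT_DATADIRS + 8 * DIR_BASERELOC, *reloc_dir)
    section = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), 0x2000, 0x1000,
                          file_align, file_align, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(file_align, b"\0")
    image = bytearray(header + (b"\xC3" * 16).ljust(file_align, b"\0"))
    cs_off = 0x40 + 24 + OPT_CHECKSUM
    struct.pack_into("<I", image, cs_off, pe_checksum(bytes(image), cs_off) if checksum is None else checksum)
    return bytes(image)


SANE_PE = build_pe()
# Anomalous values copied from this report's static PE information.
MANGLED_PE = build_pe(image_base=0x0, entry=0x90000000, subsystem=0, section_name=b"`.rdat",
                      checksum=0x4, import_dir=(0, 0), reloc_dir=(0, 0xE8000500))

if __name__ == "__main__":
    for label, pe in (("sane", SANE_PE), ("mangled", MANGLED_PE)):
        print(label, header_findings(pe) or "no findings")
```

Running the checks on a real file is a matter of `header_findings(open(path, "rb").read())`. The point of the mangled case is that every one of the report's static findings is visible from the first few hundred bytes, so a triage pipeline can route a sample like this to static extraction instead of wasting a sandbox run; conversely, a base64 decode that produces a header this inconsistent is worth re-checking for a wrong offset or a missing outer layer before the file is written off as corrupt.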
                      No network behavior found
                      No statistics
                      No system behavior
                      No disassembly