Windows Analysis Report
17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe

Overview

General Information

Sample name: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe
Analysis ID: 1540044
MD5: b11332db37d8837ecd2f6c8cfe09a930
SHA1: b3b8726aa85d91bd5db61424d959c2bb169edbb4
SHA256: d490e232e330a73d83414340d457b2ddc6c08e17a516f9ea9dbbebe66405a564
Tags: base64-decoded, exe, user-abuse_ch
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
Because the Windows loader rejected the file, every finding in this report comes from static analysis of the file and from Joe Sandbox's string decryptor; there is no runtime behavior, no dropped file and no contacted C2 to read from it.

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
PE file contains section with special chars
Sample uses string decryption to hide its real strings
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Uses 32bit PE files

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Extracted malware configuration:
{"C2 url": ["outpointsozp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "upknittsoappz.shop", "unseaffarignsk.shop", "qualitypxvoz.shop", "indexterityszcoxp.shop", "liernessfornicsa.shop", "shepherdlyopzc.shop"], "Build id": "RKiJ2s--mondey2"}
Yara matches:
Source | Rule | Description | Author | Strings
17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
decrypted.binstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

      AV Detection

Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Avira: detected
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Malware Configuration Extractor: LummaC {"C2 url": ["outpointsozp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "upknittsoappz.shop", "unseaffarignsk.shop", "qualitypxvoz.shop", "indexterityszcoxp.shop", "liernessfornicsa.shop", "shepherdlyopzc.shop"], "Build id": "RKiJ2s--mondey2"}
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | ReversingLabs: Detection: 23%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 95.5% probability
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: indexterityszcoxp.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: lariatedzugspd.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: callosallsaospz.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: outpointsozp.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: liernessfornicsa.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: upknittsoappz.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: shepherdlyopzc.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: unseaffarignsk.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: qualitypxvoz.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: lid=%s&j=%s&ver=4.0
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: TeslaBrowser/5.5
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: - Screen Resoluton:
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: - Physical Installed Memory:
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: Workgroup: -
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String decryptor: RKiJ2s--mondey2
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

      Networking

Source: Malware configuration extractor | URLs: outpointsozp.shop
Source: Malware configuration extractor | URLs: lariatedzugspd.shop
Source: Malware configuration extractor | URLs: callosallsaospz.shop
Source: Malware configuration extractor | URLs: upknittsoappz.shop
Source: Malware configuration extractor | URLs: unseaffarignsk.shop
Source: Malware configuration extractor | URLs: qualitypxvoz.shop
Source: Malware configuration extractor | URLs: indexterityszcoxp.shop
Source: Malware configuration extractor | URLs: liernessfornicsa.shop
Source: Malware configuration extractor | URLs: shepherdlyopzc.shop
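The extractor's JSON and the decrypted strings above (the "TeslaBrowser/5.5" user agent and the "lid=%s&j=%s&ver=4.0" check-in body) are the only network indicators this report can give, since the sample never ran and no Suricata rule fired. The following is an added example, not Joe Sandbox or Lumma code, of turning them into detections: it scans constructed proxy and DNS log lines (the field layout, client addresses and body values are made up; no claim is made about what the lid and j fields carry) and emits Suricata 5+ rules with placeholder sids from the local range.

```python
"""Turn the extracted LummaC config and decrypted strings into detections.

Added example, not Joe Sandbox or Lumma code. The config and strings are copied from
the report; the log lines, their field layout and the Suricata sids are constructed.
"""
import json
import re
from typing import Dict, List

# Configuration exactly as the report's Malware Configuration Extractor printed it.
REPORT_CONFIG: Dict = json.loads(
    '{"C2 url": ["outpointsozp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", '
    '"upknittsoappz.shop", "unseaffarignsk.shop", "qualitypxvoz.shop", '
    '"indexterityszcoxp.shop", "liernessfornicsa.shop", "shepherdlyopzc.shop"], '
    '"Build id": "RKiJ2s--mondey2"}'
)
CHECKIN_UA = "TeslaBrowser/5.5"  # decrypted string from the report
# Shape of the decrypted format string "lid=%s&j=%s&ver=4.0"; no claim about what lid/j carry.
CHECKIN_BODY = re.compile(r"^lid=[^&]+&j=[^&]*&ver=\d+(\.\d+)?$")

# Constructed proxy log: ts, client, method, host, uri, user-agent, body (tab-separated).
PROXY_LOG = (
    "2024-10-23T09:31:02Z\t192.168.2.11\tPOST\tindexterityszcoxp.shop\t/api\tTeslaBrowser/5.5\tlid=AAAA&j=&ver=4.0\n"
    "2024-10-23T09:31:05Z\t192.168.2.11\tGET\twww.example.com\t/\tMozilla/5.0 (Windows NT 10.0) Chrome/117.0\t\n"
    "2024-10-23T09:31:09Z\t192.168.2.14\tPOST\tupdate.example.net\t/upload\tTeslaBrowser/5.5\tlid=x&j=&ver=4.0\n"
    "2024-10-23T09:31:12Z\t192.168.2.14\tPOST\tcdn.lariatedzugspd.shop\t/api\tMozilla/5.0\tlid=abc&j=def&ver=4.0\n"
)
# Constructed DNS log: ts, client, qname, rtype. The msedge.net query mirrors the report's benign lookup.
DNS_LOG = (
    "2024-10-23T09:31:01Z\t192.168.2.11\tshepherdlyopzc.shop\tA\n"
    "2024-10-23T09:31:01Z\t192.168.2.11\ts-part-0044.t-0009.fb-t-msedge.net\tA\n"
    "2024-10-23T09:31:07Z\t192.168.2.14\tmail.qualitypxvoz.shop\tA\n"
)


def c2_domains(cfg: Dict) -> List[str]:
    """Normalised C2 list from the extractor's JSON."""
    return sorted(d.lower().strip(".") for d in cfg["C2 url"])


def domain_matches(qname: str, c2s: List[str]) -> bool:
    """Exact match or any subdomain of a configured C2; never a bare suffix match."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in c2s)


def scan_proxy(log: str, cfg: Dict) -> List[Dict]:
    """Flag requests by destination, by the hard-coded user-agent and by the check-in body.
    The last two keep working after the operator rotates domains."""
    c2s = c2_domains(cfg)
    hits = []
    for line in log.splitlines():
        if not line:
            continue
        ts, src, method, host, _uri, ua, body = line.split("\t")
        reasons = []
        if domain_matches(host, c2s):
            reasons.append("host is a configured C2")
        if ua == CHECKIN_UA:
            reasons.append("LummaC user-agent")
        if method == "POST" and CHECKIN_BODY.match(body):
            reasons.append("LummaC check-in body")
        if reasons:
            hits.append({"ts": ts, "src": src, "host": host, "reasons": reasons})
    return hits


def scan_dns(log: str, cfg: Dict) -> List[str]:
    """Query names that are a configured C2 or a subdomain of one."""
    c2s = c2_domains(cfg)
    names = [line.split("\t")[2] for line in log.splitlines() if line]
    return [n for n in names if domain_matches(n, c2s)]


def suricata_rules(cfg: Dict, sid_base: int = 1000001) -> List[str]:
    """Suricata 5+ rules for the user-agent and for each C2 domain; sids are placeholders."""
    rules = [
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LummaC check-in user-agent"; '
        f'flow:established,to_server; http.user_agent; content:"{CHECKIN_UA}"; sid:{sid_base}; rev:1;)'
    ]
    for i, d in enumerate(c2_domains(cfg), start=1):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"LummaC C2 domain {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG, REPORT_CONFIG):
        print(hit)
    print(scan_dns(DNS_LOG, REPORT_CONFIG))
    print("\n".join(suricata_rules(REPORT_CONFIG)))
```

Run as a script it prints three proxy hits: the first line matches on all three indicators, the third on user-agent and body only (a domain not in this build's config, which is the case the string-based indicators exist for), the fourth on a C2 subdomain plus body. The DNS rule uses `endswith`, so it is a suffix match and would also fire on a name such as notoutpointsozp.shop; `domain_matches` is stricter, which is usually what you want when the list is fed into a blocklist rather than a hunting rule.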

      System Summary

Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: section name: `.rdat
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: section name: @.data
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: No import functions for PE file found
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC size: 0xe8000500 address: 0x0
Source: classification engine | Classification label: mal100.troj.evad.winEXE@0/0@0/0
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | ReversingLabs: Detection: 23%
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: real checksum: 0x4 should be: 0x4f47a
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: section name: `.rdat
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: section name: .relo
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | Static PE information: section name: @.data
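The static findings above (wrong checksum, section names with special characters, no parseable import directory, a base relocation directory of size 0xe8000500 at RVA 0, a .text virtual size far above 0x100000) are what a mangled PE header looks like, and together they explain why the loader answered "%1 is not a valid Win32 application". The following is an added example, not Joe Sandbox code, of replaying those checks on a PE32 header. `build_sample()` is a constructed file that carries the section and data-directory values from the report's tables but is not the sample's bytes; the SizeOfImage of 0x1000, the rawptr of 0x200 and the list of "standard" section names are assumptions of the example.

```python
"""Replay the report's "Static PE information" checks on a PE32 header.

Added example, not Joe Sandbox code. build_sample() is a constructed PE32 whose section
and data-directory values are copied from the report's tables; it is not the sample's bytes.
"""
import struct
from typing import List

OPT_HDR_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 bytes before the directories
SECTION_FMT = "<8sIIIIIIHHI"                                          # IMAGE_SECTION_HEADER, 40 bytes
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",  # assumption: a usual linker set
                          ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".debug"}
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
             "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
             "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE checksum as CheckSumMappedFile computes it: fold every dword except the
    CheckSum field into 16 bits with end-around carry, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_off - checksum_off % 4
    total = 0
    for i in range(0, len(padded), 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage(data: bytes) -> List[str]:
    """Return the header anomalies the sandbox lists for this kind of broken sample."""
    findings: List[str] = []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file"]
    coff = e_lfanew + 4
    machine, nsec, _ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    fields = struct.unpack_from(OPT_HDR_FMT, data, opt)
    magic, size_of_image, stored_checksum, n_dirs = fields[0], fields[19], fields[21], fields[29]
    if magic != 0x10B:
        return ["only PE32 optional headers are handled here"]
    if machine == 0x14C and chars & 0x0100:
        findings.append("32-bit PE: i386, EXECUTABLE_IMAGE/32BIT_MACHINE")
    computed = pe_checksum(data, opt + 0x40)                  # CheckSum sits at optional header + 0x40
    if stored_checksum != computed:
        findings.append(f"invalid checksum: real 0x{stored_checksum:x} should be 0x{computed:x}")
    n_dirs = min(n_dirs, 16)
    dirs = struct.unpack_from("<" + "II" * n_dirs, data, opt + 96)
    for idx in range(n_dirs):
        rva, size = dirs[2 * idx], dirs[2 * idx + 1]
        if idx == 1 and (rva == 0 or size == 0 or rva + size > size_of_image):
            findings.append("no usable import directory: no import functions found")
        if size and rva + size > size_of_image:
            findings.append(f"data directory {DIR_NAMES[idx]} outside image: rva 0x{rva:x} size 0x{size:x}")
    sec_off = opt + opt_size
    for k in range(nsec):
        raw_name, vsize, _va, rawsize, rawptr, _, _, _, _, _ = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * k)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        if any(not (c.isalnum() or c in "._$") for c in name):
            findings.append(f"section name with special chars: {name!r}")
        elif name not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name: {name!r}")
        if name == ".text" and vsize > 0x100000:
            findings.append(f"virtual size of .text is bigger than 0x100000: 0x{vsize:x}")
        if rawptr + rawsize > len(data):
            findings.append(f"section {name!r} raw data runs past end of file")
    return findings


def fix_checksum(data: bytes) -> bytes:
    """Write the correct CheckSum back: the one finding a trivial fix-up clears."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    off = e_lfanew + 24 + 0x40
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_sample(stored_checksum: int = 0x4) -> bytes:
    """Constructed PE32 carrying the report's section names, virtual sizes, raw sizes and
    data-directory entries; every other header field is a placeholder."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    sections = [                                                  # name, vsize, va, rawsize, characteristics
        (b"`.rdat", 0xDB000061, 0x2A, 0x3D0, 0x40000000),
        (b".relo", 0xE8000063, 0x49, 0x500, 0x40000000),
        (b"@.data", 0x94000000, 0xF7, 0x400, 0x40000000),
        (b".text", 0xB2000000, 0x3BC, 0x10, 0x20000000),
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x669A8072, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPT_HDR_FMT, 0x10B, 2, 0, 0, 0, 0, 0x90000000, 0, 0, 0, 0x1000, 0x200,
                      2, 1536, 2, 1536, 2, 1536, 0, 0x1000, 0x200, stored_checksum,
                      0, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[5], dirs[6], dirs[12] = (0xF2000000, 0x780003F6), (0, 0xE8000500), (0x49, 0), (0x8000000, 0x9C0003F8)
    dir_bytes = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sec_bytes = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, 0x200, 0, 0, 0, 0, ch)
                         for n, vs, va, rs, ch in sections)
    header = (dos + b"PE\0\0" + coff + opt + dir_bytes + sec_bytes).ljust(0x200, b"\0")
    return header + bytes(range(256)) * 6                         # filler standing in for section data


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Note what the checks do and do not tell you: a wrong checksum alone is common in unsigned, packed or hand-patched binaries and is weak evidence by itself, whereas a directory whose RVA plus size exceeds SizeOfImage, or a section name containing a backtick, cannot come from a linker and means the header was either encrypted, corrupted in transit (this file was base64-decoded from a .dat carrier) or deliberately mangled so that only a custom loader maps it. The file-level triage is therefore a reason to look for the loader or the original container, not a reason to discard the sample.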

      HIPS / PFW / Operating System Protection Evasion

Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: indexterityszcoxp.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: lariatedzugspd.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: callosallsaospz.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: outpointsozp.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: liernessfornicsa.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: upknittsoappz.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: shepherdlyopzc.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: unseaffarignsk.shop
Source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | String found in binary or memory: qualitypxvoz.shop

      Stealing of Sensitive Information

Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match | File source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe, type: SAMPLE

      Remote Access Functionality

Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match | File source: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe, type: SAMPLE

MITRE ATT&CK Matrix (the number in parentheses is the count of matched signatures; techniques without a count are the column's default placeholder)

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: PowerShell (1)
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Deobfuscate/Decode Files or Information (1)
Credential Access: OS Credential Dumping
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Antivirus results:
Source | Detection | Scanner | Label
17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | 24% | ReversingLabs | Win32.PUA.Lumma
17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe | 100% | Avira | TR/Crypt.XPACK.Gen
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0044.t-0009.fb-t-msedge.net | 13.107.253.72 | true | false | | unknown

Domains from the malware configuration (never contacted, since the sample did not run):
Name | Malicious | Antivirus Detection | Reputation
unseaffarignsk.shop | true | | unknown
shepherdlyopzc.shop | true | | unknown
outpointsozp.shop | true | | unknown
lariatedzugspd.shop | true | | unknown
qualitypxvoz.shop | true | | unknown
liernessfornicsa.shop | true | | unknown
upknittsoappz.shop | true | | unknown
callosallsaospz.shop | true | | unknown

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540044
Start date and time: 2024-10-23 11:26:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@0/0@0/0
Cookbook Comments:
• Found application associated with file extension: .exe
• Unable to launch sample, stop analysis
• No process behavior to analyse as no analysis process or sample was found
• Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
• VT rate limit hit for: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe
                        No simulations
                        No context
Context for s-part-0044.t-0009.fb-t-msedge.net (13.107.253.72), which also appears in these earlier analyses:
Associated Sample Name / URL | Detection | Threat Name | Context
Pedido urgente_pdf.exe | malicious | Snake Keylogger | 13.107.253.72
General terms and conditions of sale - Valid from 10202024 to 12312024.exe | malicious | FormBook | 13.107.253.72
17296647675a227633e026f1e0b73c1235d63ba2c9f78fec358d3847a30422d034356fce77674.dat-decoded.exe | malicious | LummaC | 13.107.253.72
17296647684b29b3aea851448b3aac50b4cc238cd35980f77f6403fc4a06041c87b4e38ac1893.dat-decoded.exe | malicious | LummaC | 13.107.253.72
file.exe | malicious | LummaC | 13.107.253.72
https://www.google.com/amp/s/jlxzy.app.link/zJOXskDTTNb | malicious | Unknown | 13.107.253.72
17296647687b17ec1c98bbe07168efd30f5e36e537501b7d900158f130e470de1623eafe52699.dat-decoded.exe | malicious | Remcos | 13.107.253.72
1729664791957de8a43e4df0df1378296ec80bffc7427661dcf6de1127ee1e7731f68bd9c2433.dat-decoded.exe | malicious | DCRat | 13.107.253.72
1729664820ee0c5be8615cbbbeacc8fa21df458532076f6a637ab1959429984441fea207ce373.dat-decoded.exe | malicious | Stealc | 13.107.253.72
Iccusa_Receipt.zip | malicious | Unknown | 13.107.253.72

This shared host is a Microsoft Edge/Azure Front Door endpoint that the analysis VM resolves in the background (its CNAME chain runs through the whitelisted azurefd-t-fb-prod.trafficmanager.net); the sample never launched, so the overlap with Snake Keylogger, FormBook, Remcos, DCRat and Stealc analyses is sandbox telemetry, not infrastructure these families share, and neither the name nor 13.107.253.72 should be used as an indicator.
                        No created / dropped files found
File type: PE32 executable Intel 80386, for MS Windows
Entropy (8bit): 6.637646293535655
TrID:
• Generic Win/DOS Executable (2004/3) 49.94%
• DOS Executable Generic (2002/1) 49.89%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.17%
File name: 17296647828551b11aca9b151564721554cb3198cad41fe09df6ef699a89a6a1e471ca1e8b529.dat-decoded.exe
File size: 317,343 bytes
MD5: b11332db37d8837ecd2f6c8cfe09a930
SHA1: b3b8726aa85d91bd5db61424d959c2bb169edbb4
SHA256: d490e232e330a73d83414340d457b2ddc6c08e17a516f9ea9dbbebe66405a564
SHA512: ab654e7ccc88b0a50fc634f7a30ec0c0a8861ea288d146484f7d506f083eba1071a69aaf95f82bf24ecf5b6ffc5ba605b817143f3516e152cc8ef08d0861e2ee
SSDEEP: 6144:F4JNOM2m2dTBjc8EVxKTP9hYD6iSHIrbyhcayyD86liA+6RYjVNtUhu1MazHA:uJrJ2fcB0/iNrusnI+k
TLSH: 2B645B03D73750A1EC8B0A7630AB723BA6372A0743284DCBDF5CDBB47563AA16476D46
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...r..f...................:.........................@..........................P............@.....................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x90000000
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x0
Subsystem: unknown
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NO_ISOLATION
Time Stamp: 0x669A8072 [Fri Jul 19 15:04:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 2
OS Version Minor: 1536
File Version Major: 2
File Version Minor: 1536
Subsystem Version Major: 2
Subsystem Version Minor: 1536
Import Hash:
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf2000000 | 0x780003f6 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0xe8000500 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49 | 0x0 | `.rdat
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000000 | 0x9c0003f8 | `.rdat
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
`.rdat | 0x2a | 0xdb000061 | 0x3d0 | b106cd9de68ea354160f0e5d93577bac | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ
.relo | 0x49 | 0xe8000063 | 0x500 | e0130d5ad16430a3c0a586b4dd9e6ce2 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ
@.data | 0xf7 | 0x94000000 | 0x400 | f286e046efd49393ef630472ce838b71 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ
.text | 0x3bc | 0xb2000000 | 0x10 | 4ae71336e44bf9bf79d2752e234818a5 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE
DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 23, 2024 11:27:16.319839001 CEST | 1.1.1.1 | 192.168.2.11 | 0x6aa1 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 23, 2024 11:27:16.319839001 CEST | 1.1.1.1 | 192.168.2.11 | 0x6aa1 | No error (0) | dual.s-part-0044.t-0009.fb-t-msedge.net | s-part-0044.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 23, 2024 11:27:16.319839001 CEST | 1.1.1.1 | 192.168.2.11 | 0x6aa1 | No error (0) | s-part-0044.t-0009.fb-t-msedge.net | | 13.107.253.72 | A (IP address) | IN (0x0001) | false
                        No statistics
                        No system behavior
                        No disassembly