Windows Analysis Report
17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Overview

General Information

Sample name:	17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
Analysis ID:	1543223
MD5:	41eb06f85e275528a2142cf18db54a72
SHA1:	04323cbc574d9e0c59c3bf8a66a3d56ce560a0a5
SHA256:	28ebd01d6b6e06f3eee9fff5807523db8d0d5e37f30a520c10e862cabc6c3553
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Found malware configuration

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Malware Configuration Extractor: LummaC {"C2 url": ["presticitpo.store", "founpiuer.store", "fadehairucw.store", "withdrwblon.cyou", "crisiwarny.store", "thumbystriw.store", "necklacedmny.store", "scriptyprefej.store", "navygenerayk.store"], "Build id": "HpOoIh--@topgcr"}

Multi AV Scanner detection for submitted file

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for sample

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: scriptyprefej.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: navygenerayk.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: founpiuer.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: necklacedmny.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: thumbystriw.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: fadehairucw.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: crisiwarny.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: presticitpo.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: withdrwblon.cyou
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: TeslaBrowser/5.5
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: - Screen Resoluton:
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: - Physical Installed Memory:
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: Workgroup: -
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	String decryptor: HpOoIh--@topgcr

Uses 32bit PE files

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: presticitpo.store
Source: Malware configuration extractor	URLs: founpiuer.store
Source: Malware configuration extractor	URLs: fadehairucw.store
Source: Malware configuration extractor	URLs: withdrwblon.cyou
Source: Malware configuration extractor	URLs: crisiwarny.store
Source: Malware configuration extractor	URLs: thumbystriw.store
Source: Malware configuration extractor	URLs: necklacedmny.store
Source: Malware configuration extractor	URLs: scriptyprefej.store
Source: Malware configuration extractor	URLs: navygenerayk.store

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Detected potential crypto function

Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Code function: 0_2_004072DD	0_2_004072DD
Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Code function: 0_2_00407306	0_2_00407306
Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Code function: 0_2_0040C90C	0_2_0040C90C
Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Code function: 0_2_00407315	0_2_00407315
Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Code function: 0_2_0040B189	0_2_0040B189
Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Code function: 0_2_0040D3A7	0_2_0040D3A7

One or more processes crash

Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 224

PE file does not import any functions

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3500

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8eeaae2e-5d5b-4e00-a439-2bcbfb9a07c1

Jump to behavior

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe "C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe"
Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 224

Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Section loaded: apphelp.dll

Jump to behavior

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Code function: 0_2_004114E4 push ebx; retf		0_2_004114E5
Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Code function: 0_2_00401525 push dword ptr [edx+eax-77h]; ret		0_2_0040152A

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: scriptyprefej.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: navygenerayk.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: founpiuer.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: necklacedmny.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: thumbystriw.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: fadehairucw.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: crisiwarny.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: presticitpo.store
Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: withdrwblon.cyou

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Reputation
presticitpo.store	true	unknown
founpiuer.store	true	unknown
scriptyprefej.store	true	unknown
thumbystriw.store	true	unknown
withdrwblon.cyou	true	unknown
necklacedmny.store	true	unknown
fadehairucw.store	true	unknown
crisiwarny.store	true	unknown
navygenerayk.store	true	unknown

ID:	1543223
Product:	CloudBasic
Start time:	13:38:14
Start date:	27.10.2024
Sample:	17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	41eb06f85e275528a2142cf18db54a72
SHA1:	04323cbc574d9e0c59c3bf8a66a3d56ce560a0a5
SHA256:	28ebd01d6b6e06f3eee9fff5807523db8d0d5e37f30a520c10e862cabc6c3553
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_17300326286fc6e1_9c17626045119e4db7ef6b6a89c127892c86282e_b2fb50dc_e1af0300-b3b6-4015-946d-1c64423a659c\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	CAF4835BFA63BD5BDD7EA844DD4CEEF3	F4D2361752648AB6E9747FC9BFC005B33C71C787	4782D75897E200F0FF9A13A303401DF237B275C31FE38F950A752B6497BC39F5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER40A8.tmp.dmp	Mini DuMP crash report, 14 streams, Sun Oct 27 12:39:35 2024, 0x1205a4 type	DA1F9CAEEC89C48FB6A3A745CCD3DF2F	6BB3E4E72801DCD4FECD47424CDD026B04056209	C23DEE4FD17B1E4598E1102144046189FB450B461A8D13369C9D42ED17C5B693
C:\ProgramData\Microsoft\Windows\WER\Temp\WER40E7.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	33F88C4C6E330C20F510E561E92EAB60	2B5B8D04DF438401CCF15E68B695AB94C085152D	1AF1EEAC66E33605125A51B4EEE25C2116B443D01F304EFA56BD5653E5A4907A
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4136.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	72D116A1176FA838DD4A8F9EC5E479D7	16D7C3DBA424FD851EDECD5F88C60F7AF96EA934	798F41DB10A251F0FA6BBD267462DF0F9DEF3680A4D64DC5791AEA5578DF0440
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	EFF1F727858469674866F8E907EEC12D	6EB1781185122DA6563AC05CF5D2F9DEE41AF051	DA7DCD32DF37EF2B95C2EA6A3658561602775746DA575F1ADD81DD070907AD14

Windows Analysis Report
17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Malware Threat Intel
Provided by