Windows Analysis Report
1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe

Overview

General Information

Sample name: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe
Analysis ID: 1543231
MD5: e011877d616ad130de4a55dcac6f2b35
SHA1: 2db89a42e9b29ca2f356581934d7efc3b92fd772
SHA256: e86bff1f4a71cb3629da4267744f3552830837e778d914e4f59a267123dbb2f9
Tags: base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected potential crypto function
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Found malware configuration
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Malware Configuration Extractor: LummaC {"C2 url": ["elaboretib.sbs", "mediavelk.sbs", "offybirhtdi.sbs", "strikebripm.sbs", "definitib.sbs", "activedomest.sbs", "ostracizez.sbs", "arenbootk.sbs"]}
Multi AV Scanner detection for submitted file
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe ReversingLabs: Detection: 21%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.6% probability
Machine Learning detection for sample
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: offybirhtdi.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: activedomest.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: arenbootk.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: mediavelk.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: definitib.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: elaboretib.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: strikebripm.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: ostracizez.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: strikebripm.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: TeslaBrowser/5.5
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: - Screen Resoluton:
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: - Physical Installed Memory:
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe String decryptor: Workgroup: -
Uses 32bit PE files
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: elaboretib.sbs
Source: Malware configuration extractor URLs: mediavelk.sbs
Source: Malware configuration extractor URLs: offybirhtdi.sbs
Source: Malware configuration extractor URLs: strikebripm.sbs
Source: Malware configuration extractor URLs: definitib.sbs
Source: Malware configuration extractor URLs: activedomest.sbs
Source: Malware configuration extractor URLs: ostracizez.sbs
Source: Malware configuration extractor URLs: arenbootk.sbs
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Detected potential crypto function
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Code function: 0_2_004072DD 0_2_004072DD
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Code function: 0_2_00407306 0_2_00407306
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Code function: 0_2_0040C90C 0_2_0040C90C
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Code function: 0_2_00407315 0_2_00407315
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Code function: 0_2_0040B189 0_2_0040B189
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Code function: 0_2_0040D3A7 0_2_0040D3A7
One or more processes crash
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 224
PE file does not import any functions
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Static PE information: No import functions for PE file found
Uses 32bit PE files
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.troj.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7676
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4ecc62ea-8e22-4ed6-8094-7755dafa7247 Jump to behavior
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe "C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe"
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 224
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Code function: 0_2_004114E4 push ebx; retf 0_2_004114E5
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Code function: 0_2_00401525 push dword ptr [edx+eax-77h]; ret 0_2_0040152A
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe, 00000000.00000000.1359394471.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: offybirhtdi.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe, 00000000.00000000.1359394471.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: activedomest.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe, 00000000.00000000.1359394471.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: arenbootk.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe, 00000000.00000000.1359394471.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: mediavelk.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe, 00000000.00000000.1359394471.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: definitib.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe, 00000000.00000000.1359394471.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: elaboretib.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe, 00000000.00000000.1359394471.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: strikebripm.sbs
Source: 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe, 00000000.00000000.1359394471.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: ostracizez.sbs
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543231 Sample: 1730032627d2195391cad2819cf... Startdate: 27/10/2024 Architecture: WINDOWS Score: 84 11 Found malware configuration 2->11 13 Multi AV Scanner detection for submitted file 2->13 15 Yara detected LummaC Stealer 2->15 17 4 other signatures 2->17 6 1730032627d2195391cad2819cfdf751f1bb2b885277f672880c302ebc6dacb60d311cdcc8842.dat-decoded.exe 2->6         started        process3 signatures4 19 LummaC encrypted strings found 6->19 9 WerFault.exe 19 16 6->9         started        process5
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
mediavelk.sbs true
    		unknown
    activedomest.sbs true
      		unknown
      ostracizez.sbs true
        		unknown
        definitib.sbs true
          		unknown
          strikebripm.sbs true
            		unknown
            offybirhtdi.sbs true
              		unknown
              arenbootk.sbs true
                		unknown
                elaboretib.sbs true
                  		unknown