Edit tour
Windows
Analysis Report
Set-up.exe
Overview
General Information
| Sample name: | Set-up.exe |
| Analysis ID: | 1545453 |
| MD5: | 8ea72d1dd14d5a570d5f5a595cfd1d5d |
| SHA1: | 95b3578c21adee532b48059d2e6d464676ac4768 |
| SHA256: | 642b22477ed760060155d8e6fc892590774ea57844694d22e47d23bb0473f10f |
| Tags: | exeuser-aachum |
| Infos: |   |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Drops password protected ZIP file
Machine Learning detection for dropped file
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
Set-up.exe (PID: 3880 cmdline: "C:\Users\ user\Deskt op\Set-up. exe" MD5: 8EA72D1DD14D5A570D5F5A595CFD1D5D) 
cmd.exe (PID: 4800 cmdline: "C:\Window s\System32 \cmd.exe" /c copy Cr est Crest. bat & Cres t.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5164 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
tasklist.exe (PID: 5660 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 2308 cmdline:
findstr /I "wrsa ops svc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 3548 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 6192 cmdline:
findstr -I "avastui avgui bdse rvicehost nswscsvc s ophoshealt h" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7112 cmdline:
cmd /c md 506033 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - findstr.exe (PID: 6432 cmdline:
findstr /V "RubberBr illiantPol iceOperato r" Count MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 2924 cmdline:
cmd /c cop y /b ..\Li l + ..\Lab eled + ..\ Warren + . .\Current + ..\Endle ss + ..\To wers + ..\ Based W MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Limitations.pif (PID: 1832 cmdline: Limitation s.pif W MD5: 18CE19B57F43CE0A5AF149C96AECC685) 
X0JA3EDV7BU5B3IH21ST0OE852AR.exe (PID: 2884 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\X0JA3E DV7BU5B3IH 21ST0OE852 AR.exe" MD5: CE901A874C9D157E48F83B1BE3D32AA6) - cmd.exe (PID: 5688 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\main \main.bat" /S" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6996 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - mode.com (PID: 6816 cmdline:
mode 65,10 MD5: BEA7464830980BF7C0490307DB4FC875) - 7z.exe (PID: 1176 cmdline:
7z.exe e f ile.zip -p 2958664431 9935208542 739921766 -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 3460 cmdline:
7z.exe e e xtracted/f ile_11.zip -oextract ed MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 4208 cmdline:
7z.exe e e xtracted/f ile_10.zip -oextract ed MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 6756 cmdline:
7z.exe e e xtracted/f ile_9.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 6880 cmdline:
7z.exe e e xtracted/f ile_8.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 884 cmdline:
7z.exe e e xtracted/f ile_7.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 6776 cmdline:
7z.exe e e xtracted/f ile_6.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 5192 cmdline:
7z.exe e e xtracted/f ile_5.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 880 cmdline:
7z.exe e e xtracted/f ile_4.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 1912 cmdline:
7z.exe e e xtracted/f ile_3.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 6896 cmdline:
7z.exe e e xtracted/f ile_2.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - 7z.exe (PID: 4232 cmdline:
7z.exe e e xtracted/f ile_1.zip -oextracte d MD5: 619F7135621B50FD1900FF24AADE1524) - attrib.exe (PID: 6844 cmdline:
attrib +H "Installer .exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD) 
Installer.exe (PID: 3780 cmdline: "Installer .exe" MD5: 89A069871324D35E25922F6FB881D514) - choice.exe (PID: 4600 cmdline:
choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Max Altgelt (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:32.514446+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49985 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:33.660248+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49986 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:43.750650+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 172.67.145.203 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:32.514446+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49985 | 172.67.145.203 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:33.660248+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49986 | 172.67.145.203 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:32.022745+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49985 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:33.190335+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49986 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:34.544726+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49987 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:35.708121+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49988 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:37.421979+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49989 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:38.811675+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49990 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:39.885987+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49991 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:41.096945+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49992 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:42.211836+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49993 | 172.67.145.203 | 443 | TCP |
| 2024-10-30T15:44:43.297089+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49994 | 172.67.145.203 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:31.379405+0100 | 2057085 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 64602 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:31.363808+0100 | 2057089 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 57632 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:31.349697+0100 | 2057093 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 60640 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:31.098506+0100 | 2057095 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 50901 | 1.1.1.1 | 53 | UDP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T15:44:39.273137+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49990 | 172.67.145.203 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Directory queried: | ||
| Source: | Code function: | 0_2_004062D5 | |
| Source: | Code function: | 0_2_00402E18 | |
| Source: | Code function: | 0_2_00406C9B | |
| Source: | Code function: | 16_2_0040367D | |
| Source: | Code function: | 16_2_004031DC | |
| Source: | Code function: | 20_2_00117978 | |
| Source: | Code function: | 33_2_00E4A151 | |
| Source: | Code function: | 20_2_0011881C | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Code function: | 33_2_00E41280 | |
| Source: | HTTP traffic detected: | ||