Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1546129
MD5: 65c7267dc7781fd73cf0d2853b644c06
SHA1: 268066fdf53016bb5597e7546d5ba6eac8ac5bc0
SHA256: fefbaac187ade4ae3876145add937e6df6e1874496c4fe8c2d7dd923b694f92e
Tags: exeuser-aachum

Detection

LummaC
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: Setup.exe Malware Configuration Extractor: LummaC {"C2 url": ["servicedny.site", "faulteyotk.site", "drinkyresule.cyou", "authorisev.site", "contemteny.site", "goalyfeastz.site", "opposezmny.site", "seallysl.site", "dilemmadu.site"], "Build id": "c2CoW0--2source"}
Source: Setup.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 82.0% probability
Source: Setup.exe Joe Sandbox ML: detected
Source: Setup.exe String decryptor: servicedny.site
Source: Setup.exe String decryptor: authorisev.site
Source: Setup.exe String decryptor: faulteyotk.site
Source: Setup.exe String decryptor: dilemmadu.site
Source: Setup.exe String decryptor: contemteny.site
Source: Setup.exe String decryptor: goalyfeastz.site
Source: Setup.exe String decryptor: opposezmny.site
Source: Setup.exe String decryptor: seallysl.site
Source: Setup.exe String decryptor: drinkyresule.cyou
Source: Setup.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: Setup.exe String decryptor: TeslaBrowser/5.5
Source: Setup.exe String decryptor: - Screen Resoluton:
Source: Setup.exe String decryptor: - Physical Installed Memory:
Source: Setup.exe String decryptor: Workgroup: -
Source: Setup.exe String decryptor: c2CoW0--2source
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx esi, byte ptr [eax] 0_2_005741F0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, ecx 0_2_0057137E
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, ecx 0_2_005713D5
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 0_2_0055E870
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ecx, byte ptr [edi+ebx] 0_2_00535820
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov ecx, eax 0_2_0053E8D6
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0054C8CE
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h 0_2_0056B170
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, eax 0_2_0056A97E
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [eax+ebx*8], 7CDE1E50h 0_2_0056A97E
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h 0_2_0056A97E
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ebx, byte ptr [edx+esi] 0_2_0053C960
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] 0_2_00540118
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [ebx], dl 0_2_00540118
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] 0_2_00540118
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, ecx 0_2_00540118
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, ecx 0_2_00540118
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] 0_2_00540130
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [ebx], dl 0_2_00540130
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] 0_2_00540130
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, ecx 0_2_00540130
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, ecx 0_2_00540130
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp edx 0_2_005731D0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_005731D0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-7DC9E524h] 0_2_005541E0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov ecx, eax 0_2_0053E996
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp edx 0_2_00572EB0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_00572EB0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp eax 0_2_0055AA40
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0055CA72
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch] 0_2_0055AA60
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh] 0_2_0056FAD0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h 0_2_005312D5
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp edx 0_2_005732C0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_005732C0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edi, edx 0_2_00551B40
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [ebx], cl 0_2_0055EB60
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov ecx, eax 0_2_0055EB60
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then lea edx, dword ptr [eax-80h] 0_2_0055EB60
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch] 0_2_0055EB60
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh] 0_2_0055EB60
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 0_2_0055EB60
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0055EB60
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov ecx, ebx 0_2_00551333
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx esi, byte ptr [eax] 0_2_00574380
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp edx 0_2_005733B0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_005733B0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp al, 2Eh 0_2_0055AC04
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 0_2_0055E400
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edi, esi 0_2_0054ECDE
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00567CA0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov word ptr [ebx], ax 0_2_0054F510
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_0054F510
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov ebx, eax 0_2_0053D500
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp eax 0_2_0054D5AF
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-67BC38F0h] 0_2_00571648
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_0055DE70
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov dword ptr [esp+3Ch], 595A5B84h 0_2_00570E3A
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_0056C6D0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edi, dword ptr [esp+54h] 0_2_0055CEDA
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0054C6E0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp edx 0_2_00572EB0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_00572EB0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00555F00
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edi, word ptr [edx] 0_2_00558F00
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_00573720
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+52B71DE2h] 0_2_00571720
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h] 0_2_0056F7E0

Networking

Source: Malware configuration extractor URLs: servicedny.site
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Malware configuration extractor URLs: drinkyresule.cyou
Source: Malware configuration extractor URLs: authorisev.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: opposezmny.site
Source: Malware configuration extractor URLs: seallysl.site
Source: Malware configuration extractor URLs: dilemmadu.site
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49736
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49730
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00565210 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00565210
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005659B7 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 0_2_005659B7
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005686FE 0_2_005686FE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00572850 0_2_00572850
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00531000 0_2_00531000
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00556800 0_2_00556800
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0054482A 0_2_0054482A
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005400C5 0_2_005400C5
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005338E0 0_2_005338E0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055509D 0_2_0055509D
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00569940 0_2_00569940
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053F970 0_2_0053F970
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0056A97E 0_2_0056A97E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00537960 0_2_00537960
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00540118 0_2_00540118
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00540130 0_2_00540130
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00574920 0_2_00574920
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005731D0 0_2_005731D0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005631DE 0_2_005631DE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005541E0 0_2_005541E0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005591E0 0_2_005591E0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00561980 0_2_00561980
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00572EB0 0_2_00572EB0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053F250 0_2_0053F250
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055AA40 0_2_0055AA40
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053A270 0_2_0053A270
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055CA72 0_2_0055CA72
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053B260 0_2_0053B260
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0056E230 0_2_0056E230
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00550A24 0_2_00550A24
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005312D5 0_2_005312D5
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005732C0 0_2_005732C0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0056A2E0 0_2_0056A2E0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0054E298 0_2_0054E298
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00551B40 0_2_00551B40
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055EB60 0_2_0055EB60
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053DB20 0_2_0053DB20
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053132D 0_2_0053132D
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00545BD8 0_2_00545BD8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055C3E0 0_2_0055C3E0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00572380 0_2_00572380
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005733B0 0_2_005733B0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00544BBF 0_2_00544BBF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00569BA0 0_2_00569BA0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00574C50 0_2_00574C50
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00564C60 0_2_00564C60
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055AC04 0_2_0055AC04
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0056EC20 0_2_0056EC20
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00557CD2 0_2_00557CD2
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0054ECDE 0_2_0054ECDE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053ECC0 0_2_0053ECC0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00559494 0_2_00559494
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005394BF 0_2_005394BF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053BD70 0_2_0053BD70
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0054F510 0_2_0054F510
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00559D00 0_2_00559D00
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053ADD0 0_2_0053ADD0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00562D80 0_2_00562D80
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005635B0 0_2_005635B0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005555A4 0_2_005555A4
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00538DA0 0_2_00538DA0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0054D5AF 0_2_0054D5AF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00552E50 0_2_00552E50
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055D642 0_2_0055D642
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00546E10 0_2_00546E10
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055BE10 0_2_0055BE10
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00574620 0_2_00574620
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055762D 0_2_0055762D
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055A6D0 0_2_0055A6D0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00572EB0 0_2_00572EB0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_005526A0 0_2_005526A0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055762D 0_2_0055762D
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00536F60 0_2_00536F60
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0053D760 0_2_0053D760
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00558F00 0_2_00558F00
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00559494 0_2_00559494
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00573720 0_2_00573720
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00571720 0_2_00571720
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055B7D9 0_2_0055B7D9
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00538DA0 0_2_00538DA0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0055B7FE 0_2_0055B7FE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00539F9C 0_2_00539F9C
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00564F80 0_2_00564F80
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00571F80 0_2_00571F80
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00556F82 0_2_00556F82
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00534FA0 0_2_00534FA0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00539FA8 0_2_00539FA8
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 0053C8C0 appears 71 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 0054C2A0 appears 176 times
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00562088 CoCreateInstance, 0_2_00562088
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sfc_os.dll
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Setup.exe API coverage: 4.9 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Setup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00570D90 LdrInitializeThunk, 0_2_00570D90

HIPS / PFW / Operating System Protection Evasion

Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: servicedny.site
Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: authorisev.site
Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: faulteyotk.site
Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: dilemmadu.site
Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: contemteny.site
Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: goalyfeastz.site
Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: opposezmny.site
Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seallysl.site
Source: Setup.exe, 00000000.00000002.2917865843.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: drinkyresule.cyou

Stealing of Sensitive Information

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos