Windows Analysis Report
injector V2.5.exe

Overview

General Information

Sample name:	injector V2.5.exe
Analysis ID:	1560308
MD5:	96f89e1cb2a8789acee8720d872b4cc5
SHA1:	03e6c31a56329ac737de81a43c9b8b9266fd31a3
SHA256:	313d44650a5c5c542bbbcae9d17c03cc0981642b1450a092bfa95956bbead114
Tags:	exeuser-4k95m
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: injector V2.5.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://librari-night.sbs/apir	Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/t?	Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/api~	Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/OT	Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/r	Avira URL Cloud: Label: malware
Source: https://revirepart.biz/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["processhol.sbs", "p10tgrace.sbs", "3xp3cts1aim.sbs", "p3ar11fter.sbs", "revirepart.biz", "peepburry828.sbs"]}

Multi AV Scanner detection for submitted file

Source: injector V2.5.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.5% probability

Machine Learning detection for sample

Source: injector V2.5.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: p3ar11fter.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 3xp3cts1aim.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: peepburry828.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: p10tgrace.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: processhol.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: revirepart.biz
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -

Uses 32bit PE files

Source: injector V2.5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.43.198:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: injector V2.5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4F680 FindFirstFileExW,	0_2_00B4F680
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4F731 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B4F731
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B4F680 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00B4F680

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 877F203Ah	2_2_00442140
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp eax	2_2_0040C916
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx ebx, byte ptr [edi]	2_2_0040DD2B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004251E0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004251E0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov ecx, eax	2_2_00409D80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3174E150h	2_2_00440E40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000001A4h]	2_2_0040A210
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx ebx, ax	2_2_00439B70
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0040CF82
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h	2_2_00441460
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F6E92F34h	2_2_00440C90
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov eax, dword ptr [esi+4Ch]	2_2_0040D4B9
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+09h]	2_2_00409940
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+08h]	2_2_00409940
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov byte ptr [edx], bl	2_2_00409940
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp byte ptr [edx+ecx+01h], 00000000h	2_2_0042BD40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp eax	2_2_0040CD42
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov ebx, edi	2_2_0043A5D0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp eax	2_2_0040C991
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov edi, ecx	2_2_0040E59B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 9C142CDAh	2_2_004411B0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp eax	2_2_0040CA52
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then inc eax	2_2_004202F0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 484CE391h	2_2_00441A90
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov esi, eax	2_2_00440300
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00401F10
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	2_2_0043A720
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp ecx	2_2_0043FF20
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov esi, eax	2_2_0043FF20

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057658 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) : 192.168.2.4:61931 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49734 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057646 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz) : 192.168.2.4:65437 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49735 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057668 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) : 192.168.2.4:58217 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49737 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057647 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI) : 192.168.2.4:49733 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49738 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057697 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) : 192.168.2.4:58217 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49740 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49744 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49746 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49736 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49735 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 172.67.206.172:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: processhol.sbs
Source: Malware configuration extractor	URLs: p10tgrace.sbs
Source: Malware configuration extractor	URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor	URLs: p3ar11fter.sbs
Source: Malware configuration extractor	URLs: revirepart.biz
Source: Malware configuration extractor	URLs: peepburry828.sbs

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 172.67.206.172 172.67.206.172

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.206.172:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revirepart.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RVW4WPQQS5P19VGZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LQFB2BLOIFOQ0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8761Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NPY4APXRH68ZC8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20420Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GNHDNTX4N2FH4O1BSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1258Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6J2TM4YGL5Q2TFMP95User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1136Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: librari-night.sbs

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: revirepart.biz
Source: global traffic	DNS traffic detected: DNS query: processhol.sbs
Source: global traffic	DNS traffic detected: DNS query: librari-night.sbs

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revirepart.biz

Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: injector V2.5.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: injector V2.5.exe, 00000002.00000002.1929912011.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902650994.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1720545360.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1923653498.00000000033B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: injector V2.5.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: injector V2.5.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: injector V2.5.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: injector V2.5.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: injector V2.5.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: injector V2.5.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: injector V2.5.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: injector V2.5.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: injector V2.5.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: injector V2.5.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: injector V2.5.exe, 00000002.00000002.1930206544.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1924998682.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1924998682.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799048884.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1925547199.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902129361.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1872564200.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799214621.00000000033D3000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1930155911.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902620677.00000000033D7000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799241711.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799418781.0000000005AED000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1926539223.00000000033DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/
Source: injector V2.5.exe, 00000002.00000003.1799214621.00000000033D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/OT
Source: injector V2.5.exe, 00000002.00000003.1923653498.0000000003361000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1873674145.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902129361.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902650994.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1929912011.0000000003361000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902597448.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799214621.00000000033D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/api
Source: injector V2.5.exe, 00000002.00000003.1923653498.000000000337E000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1929912011.000000000337E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/apir
Source: injector V2.5.exe, 00000002.00000003.1902012825.00000000033E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/api~
Source: injector V2.5.exe, 00000002.00000003.1798953231.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776244127.00000000033EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/r
Source: injector V2.5.exe, 00000002.00000003.1902620677.00000000033D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/t?
Source: injector V2.5.exe, 00000002.00000003.1923653498.000000000337E000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902597448.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902012825.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1929912011.000000000337E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs:443/api
Source: injector V2.5.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: injector V2.5.exe, 00000002.00000003.1776917061.0000000005B85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: injector V2.5.exe, 00000002.00000003.1799004611.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799257320.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1798838778.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776917061.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1777081480.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: injector V2.5.exe, 00000002.00000003.1777081480.0000000005B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: injector V2.5.exe, 00000002.00000003.1799004611.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799257320.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1798838778.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776917061.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1777081480.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: injector V2.5.exe, 00000002.00000003.1777081480.0000000005B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.43.198:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49746 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 2_2_00434B70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00434B70

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 2_2_00434B70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00434B70

Detected potential crypto function

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B3D4A0	0_2_00B3D4A0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B44CD0	0_2_00B44CD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B46CD0	0_2_00B46CD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B34CC0	0_2_00B34CC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B46800	0_2_00B46800
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B33440	0_2_00B33440
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B47840	0_2_00B47840
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B355F0	0_2_00B355F0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B25930	0_2_00B25930
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B41D30	0_2_00B41D30
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B38129	0_2_00B38129
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B34910	0_2_00B34910
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B3DD00	0_2_00B3DD00
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B44170	0_2_00B44170
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2B964	0_2_00B2B964
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32AE7	0_2_00B32AE7
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B55E22	0_2_00B55E22
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B39B80	0_2_00B39B80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B33F80	0_2_00B33F80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B36330	0_2_00B36330
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B47330	0_2_00B47330
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B35F60	0_2_00B35F60
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B41367	0_2_00B41367
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2A36B	0_2_00B2A36B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B37F54	0_2_00B37F54
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B3F340	0_2_00B3F340
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040A467	2_2_0040A467
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004280D0	2_2_004280D0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0043C490	2_2_0043C490
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00442140	2_2_00442140
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040DD2B	2_2_0040DD2B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004251E0	2_2_004251E0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00409D80	2_2_00409D80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00421230	2_2_00421230
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00439B70	2_2_00439B70
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040DB17	2_2_0040DB17
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00408FA0	2_2_00408FA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004233B0	2_2_004233B0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00405036	2_2_00405036
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040B080	2_2_0040B080
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00420090	2_2_00420090
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004064B0	2_2_004064B0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040D4B9	2_2_0040D4B9
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00409940	2_2_00409940
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00425D40	2_2_00425D40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040B550	2_2_0040B550
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0043C910	2_2_0043C910
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00428530	2_2_00428530
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004091D0	2_2_004091D0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00403980	2_2_00403980
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00439190	2_2_00439190
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00407AE0	2_2_00407AE0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004052E9	2_2_004052E9
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004202F0	2_2_004202F0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00441A90	2_2_00441A90
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00406B40	2_2_00406B40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0041F740	2_2_0041F740
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00440300	2_2_00440300
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0043A720	2_2_0043A720
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0043FF20	2_2_0043FF20
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00438F30	2_2_00438F30
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00406FD0	2_2_00406FD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00405FF0	2_2_00405FF0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00402F80	2_2_00402F80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B3C0A0	2_2_00B3C0A0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B21000	2_2_00B21000
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B46800	2_2_00B46800
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B47840	2_2_00B47840
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B30190	2_2_00B30190
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2A180	2_2_00B2A180
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B25930	2_2_00B25930
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B34910	2_2_00B34910
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B44170	2_2_00B44170
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B39B80	2_2_00B39B80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B37BD0	2_2_00B37BD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B36330	2_2_00B36330
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B47330	2_2_00B47330
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B3F340	2_2_00B3F340
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B3D4A0	2_2_00B3D4A0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B44CD0	2_2_00B44CD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B46CD0	2_2_00B46CD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B33440	2_2_00B33440
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B355F0	2_2_00B355F0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B25540	2_2_00B25540
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B55E22	2_2_00B55E22
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B3DE70	2_2_00B3DE70
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B23E60	2_2_00B23E60
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B33F80	2_2_00B33F80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B35F60	2_2_00B35F60

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: String function: 00B4CAF8 appears 35 times
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: String function: 00B49890 appears 63 times

PE / OLE file has an invalid certificate

Source: injector V2.5.exe

Static PE information: invalid certificate

Uses 32bit PE files

Source: injector V2.5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: injector V2.5.exe

Static PE information: Section: .coS ZLIB complexity 1.0003350020226538

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@3/2

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 2_2_00439B70 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_00439B70

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2108:120:WilError_03

Source: injector V2.5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\injector V2.5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: injector V2.5.exe, 00000002.00000003.1798884983.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: injector V2.5.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\injector V2.5.exe

File read: C:\Users\user\Desktop\injector V2.5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\injector V2.5.exe "C:\Users\user\Desktop\injector V2.5.exe"
Source: C:\Users\user\Desktop\injector V2.5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\injector V2.5.exe	Process created: C:\Users\user\Desktop\injector V2.5.exe "C:\Users\user\Desktop\injector V2.5.exe"
Source: C:\Users\user\Desktop\injector V2.5.exe	Process created: C:\Users\user\Desktop\injector V2.5.exe "C:\Users\user\Desktop\injector V2.5.exe"	Jump to behavior

Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: injector V2.5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

PE file contains sections with non-standard names

Source: injector V2.5.exe	Static PE information: section name: .00cfg
Source: injector V2.5.exe	Static PE information: section name: .coS

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B500FA push ecx; ret		0_2_00B5010D
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B500FA push ecx; ret		2_2_00B5010D

Source: injector V2.5.exe

Static PE information: section name: .text entropy: 6.9570693373870895

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\injector V2.5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\injector V2.5.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\injector V2.5.exe

System information queried: FirmwareTableInformation

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\injector V2.5.exe

API coverage: 9.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\injector V2.5.exe TID: 5932

Thread sleep time: -270000s >= -30000s

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\injector V2.5.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4F680 FindFirstFileExW,	0_2_00B4F680
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4F731 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B4F731
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B4F680 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00B4F680

Source: injector V2.5.exe, 00000002.00000003.1923653498.000000000334C000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1923653498.000000000337E000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1929912011.000000000337E000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902650994.000000000337D000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1929912011.000000000334C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\injector V2.5.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 2_2_0043E730 LdrInitializeThunk,

2_2_0043E730

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B496AF

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B5D18D mov edi, dword ptr fs:[00000030h]	0_2_00B5D18D
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2D475 mov edi, dword ptr fs:[00000030h]	0_2_00B2D475
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2D07E mov edi, dword ptr fs:[00000030h]	0_2_00B2D07E
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32C40 mov eax, dword ptr fs:[00000030h]	0_2_00B32C40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32C40 mov eax, dword ptr fs:[00000030h]	0_2_00B32C40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2CD0A mov edi, dword ptr fs:[00000030h]	0_2_00B2CD0A
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2E93A mov edi, dword ptr fs:[00000030h]	0_2_00B2E93A
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2CD0A mov edi, dword ptr fs:[00000030h]	0_2_00B2CD0A
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2D6B8 mov edi, dword ptr fs:[00000030h]	0_2_00B2D6B8
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2D6B8 mov edi, dword ptr fs:[00000030h]	0_2_00B2D6B8
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2DA6C mov edi, dword ptr fs:[00000030h]	0_2_00B2DA6C
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32B9B mov eax, dword ptr fs:[00000030h]	0_2_00B32B9B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32B9B mov eax, dword ptr fs:[00000030h]	0_2_00B32B9B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2E350 mov edi, dword ptr fs:[00000030h]	0_2_00B2E350
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B4CB10 GetProcessHeap,

0_2_00B4CB10

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4902F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B4902F
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B496A3 SetUnhandledExceptionFilter,	0_2_00B496A3
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B496AF
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4B79A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B4B79A
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B4902F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00B4902F
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B496A3 SetUnhandledExceptionFilter,	2_2_00B496A3
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B496AF
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B4B79A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B4B79A

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B5D18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00B5D18D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\injector V2.5.exe

Memory written: C:\Users\user\Desktop\injector V2.5.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p3ar11fter.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 3xp3cts1aim.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: peepburry828.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p10tgrace.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: processhol.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: revirepart.biz

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\injector V2.5.exe

Process created: C:\Users\user\Desktop\injector V2.5.exe "C:\Users\user\Desktop\injector V2.5.exe"

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B498D5 cpuid

0_2_00B498D5

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\injector V2.5.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B49566 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B49566

Source: C:\Users\user\Desktop\injector V2.5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\injector V2.5.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: injector V2.5.exe PID: 4928, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: llets/ElectronCashK
Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Searches for user specific document files

Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000002.00000003.1799214621.00000000033D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1849649478.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: injector V2.5.exe PID: 4928, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: injector V2.5.exe PID: 4928, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.206.172	librari-night.sbs	United States		13335	CLOUDFLARENETUS	false
104.21.43.198	revirepart.biz	United States		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
librari-night.sbs	172.67.206.172	true
revirepart.biz	104.21.43.198	true
processhol.sbs	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://librari-night.sbs/api	false		high
p3ar11fter.sbs	false		high
peepburry828.sbs	false		high
https://revirepart.biz/api	true	Avira URL Cloud: malware	unknown
revirepart.biz	false		high
p10tgrace.sbs	false		high
processhol.sbs	false		high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: injector V2.5.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://librari-night.sbs/apir	Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/t?	Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/api~	Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/OT	Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/r	Avira URL Cloud: Label: malware
Source: https://revirepart.biz/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["processhol.sbs", "p10tgrace.sbs", "3xp3cts1aim.sbs", "p3ar11fter.sbs", "revirepart.biz", "peepburry828.sbs"]}

Multi AV Scanner detection for submitted file

Source: injector V2.5.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.5% probability

Machine Learning detection for sample

Source: injector V2.5.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: p3ar11fter.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 3xp3cts1aim.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: peepburry828.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: p10tgrace.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: processhol.sbs
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: revirepart.biz
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1926787176.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -

Uses 32bit PE files

Source: injector V2.5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.43.198:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: injector V2.5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4F680 FindFirstFileExW,	0_2_00B4F680
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4F731 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B4F731
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B4F680 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00B4F680

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 877F203Ah	2_2_00442140
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp eax	2_2_0040C916
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx ebx, byte ptr [edi]	2_2_0040DD2B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004251E0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004251E0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov ecx, eax	2_2_00409D80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3174E150h	2_2_00440E40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000001A4h]	2_2_0040A210
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx ebx, ax	2_2_00439B70
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0040CF82
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h	2_2_00441460
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F6E92F34h	2_2_00440C90
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov eax, dword ptr [esi+4Ch]	2_2_0040D4B9
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+09h]	2_2_00409940
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+08h]	2_2_00409940
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov byte ptr [edx], bl	2_2_00409940
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp byte ptr [edx+ecx+01h], 00000000h	2_2_0042BD40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp eax	2_2_0040CD42
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov ebx, edi	2_2_0043A5D0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp eax	2_2_0040C991
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov edi, ecx	2_2_0040E59B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 9C142CDAh	2_2_004411B0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp eax	2_2_0040CA52
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then inc eax	2_2_004202F0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 484CE391h	2_2_00441A90
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov esi, eax	2_2_00440300
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00401F10
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	2_2_0043A720
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then jmp ecx	2_2_0043FF20
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 4x nop then mov esi, eax	2_2_0043FF20

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057658 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) : 192.168.2.4:61931 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49734 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057646 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz) : 192.168.2.4:65437 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49735 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057668 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) : 192.168.2.4:58217 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49737 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057647 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI) : 192.168.2.4:49733 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49738 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057697 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) : 192.168.2.4:58217 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49740 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49744 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49746 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.4:49736 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49735 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 172.67.206.172:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: processhol.sbs
Source: Malware configuration extractor	URLs: p10tgrace.sbs
Source: Malware configuration extractor	URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor	URLs: p3ar11fter.sbs
Source: Malware configuration extractor	URLs: revirepart.biz
Source: Malware configuration extractor	URLs: peepburry828.sbs

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 172.67.206.172 172.67.206.172

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 172.67.206.172:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.206.172:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revirepart.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RVW4WPQQS5P19VGZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LQFB2BLOIFOQ0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8761Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NPY4APXRH68ZC8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20420Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GNHDNTX4N2FH4O1BSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1258Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6J2TM4YGL5Q2TFMP95User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1136Host: librari-night.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: librari-night.sbs

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: revirepart.biz
Source: global traffic	DNS traffic detected: DNS query: processhol.sbs
Source: global traffic	DNS traffic detected: DNS query: librari-night.sbs

Source: unknown

Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: injector V2.5.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: injector V2.5.exe, 00000002.00000002.1929912011.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902650994.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1720545360.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1923653498.00000000033B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: injector V2.5.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: injector V2.5.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: injector V2.5.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: injector V2.5.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: injector V2.5.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: injector V2.5.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: injector V2.5.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: injector V2.5.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: injector V2.5.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: injector V2.5.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: injector V2.5.exe, 00000002.00000003.1821148663.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: injector V2.5.exe, 00000002.00000002.1930206544.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1924998682.00000000033D8000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1924998682.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799048884.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1925547199.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902129361.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1872564200.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799214621.00000000033D3000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1930155911.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902620677.00000000033D7000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799241711.0000000005AEC000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799418781.0000000005AED000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1926539223.00000000033DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/
Source: injector V2.5.exe, 00000002.00000003.1799214621.00000000033D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/OT
Source: injector V2.5.exe, 00000002.00000003.1923653498.0000000003361000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1873674145.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902129361.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902650994.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1929912011.0000000003361000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902597448.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799214621.00000000033D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/api
Source: injector V2.5.exe, 00000002.00000003.1923653498.000000000337E000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1929912011.000000000337E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/apir
Source: injector V2.5.exe, 00000002.00000003.1902012825.00000000033E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/api~
Source: injector V2.5.exe, 00000002.00000003.1798953231.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776244127.00000000033EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/r
Source: injector V2.5.exe, 00000002.00000003.1902620677.00000000033D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs/t?
Source: injector V2.5.exe, 00000002.00000003.1923653498.000000000337E000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902597448.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1902012825.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000002.1929912011.000000000337E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://librari-night.sbs:443/api
Source: injector V2.5.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: injector V2.5.exe, 00000002.00000003.1776917061.0000000005B85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: injector V2.5.exe, 00000002.00000003.1799004611.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799257320.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1798838778.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776917061.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1777081480.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: injector V2.5.exe, 00000002.00000003.1777081480.0000000005B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: injector V2.5.exe, 00000002.00000003.1799004611.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1799257320.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1798838778.0000000005B37000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776917061.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1777081480.0000000005B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: injector V2.5.exe, 00000002.00000003.1777081480.0000000005B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: injector V2.5.exe, 00000002.00000003.1776561248.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, injector V2.5.exe, 00000002.00000003.1776480308.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: injector V2.5.exe, 00000002.00000003.1822505611.0000000005C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.43.198:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.4:49746 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 2_2_00434B70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00434B70

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 2_2_00434B70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00434B70

Detected potential crypto function

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B3D4A0	0_2_00B3D4A0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B44CD0	0_2_00B44CD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B46CD0	0_2_00B46CD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B34CC0	0_2_00B34CC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B46800	0_2_00B46800
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B33440	0_2_00B33440
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B47840	0_2_00B47840
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B355F0	0_2_00B355F0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B25930	0_2_00B25930
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B41D30	0_2_00B41D30
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B38129	0_2_00B38129
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B34910	0_2_00B34910
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B3DD00	0_2_00B3DD00
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B44170	0_2_00B44170
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2B964	0_2_00B2B964
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32AE7	0_2_00B32AE7
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B55E22	0_2_00B55E22
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B39B80	0_2_00B39B80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B33F80	0_2_00B33F80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B36330	0_2_00B36330
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B47330	0_2_00B47330
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B35F60	0_2_00B35F60
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B41367	0_2_00B41367
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2A36B	0_2_00B2A36B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B37F54	0_2_00B37F54
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B3F340	0_2_00B3F340
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040A467	2_2_0040A467
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004280D0	2_2_004280D0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0043C490	2_2_0043C490
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00442140	2_2_00442140
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040DD2B	2_2_0040DD2B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004251E0	2_2_004251E0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00409D80	2_2_00409D80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00421230	2_2_00421230
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00439B70	2_2_00439B70
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040DB17	2_2_0040DB17
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00408FA0	2_2_00408FA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004233B0	2_2_004233B0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00405036	2_2_00405036
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040B080	2_2_0040B080
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00420090	2_2_00420090
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004064B0	2_2_004064B0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040D4B9	2_2_0040D4B9
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00409940	2_2_00409940
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00425D40	2_2_00425D40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0040B550	2_2_0040B550
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0043C910	2_2_0043C910
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00428530	2_2_00428530
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004091D0	2_2_004091D0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00403980	2_2_00403980
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00439190	2_2_00439190
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00407AE0	2_2_00407AE0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004052E9	2_2_004052E9
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_004202F0	2_2_004202F0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00441A90	2_2_00441A90
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00406B40	2_2_00406B40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0041F740	2_2_0041F740
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00440300	2_2_00440300
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0043A720	2_2_0043A720
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_0043FF20	2_2_0043FF20
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00438F30	2_2_00438F30
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00406FD0	2_2_00406FD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00405FF0	2_2_00405FF0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00402F80	2_2_00402F80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B3C0A0	2_2_00B3C0A0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B21000	2_2_00B21000
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B46800	2_2_00B46800
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B47840	2_2_00B47840
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B30190	2_2_00B30190
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2A180	2_2_00B2A180
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B25930	2_2_00B25930
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B34910	2_2_00B34910
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B44170	2_2_00B44170
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B39B80	2_2_00B39B80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B37BD0	2_2_00B37BD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B36330	2_2_00B36330
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B47330	2_2_00B47330
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B3F340	2_2_00B3F340
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B3D4A0	2_2_00B3D4A0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B44CD0	2_2_00B44CD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B46CD0	2_2_00B46CD0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B33440	2_2_00B33440
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B355F0	2_2_00B355F0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B25540	2_2_00B25540
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B55E22	2_2_00B55E22
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B3DE70	2_2_00B3DE70
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B23E60	2_2_00B23E60
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B33F80	2_2_00B33F80
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B35F60	2_2_00B35F60

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: String function: 00B4CAF8 appears 35 times
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: String function: 00B49890 appears 63 times

PE / OLE file has an invalid certificate

Source: injector V2.5.exe

Static PE information: invalid certificate

Uses 32bit PE files

Source: injector V2.5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: injector V2.5.exe

Static PE information: Section: .coS ZLIB complexity 1.0003350020226538

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@3/2

Source: C:\Users\user\Desktop\injector V2.5.exe

2_2_00439B70

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2108:120:WilError_03

Source: injector V2.5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\injector V2.5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: injector V2.5.exe, 00000002.00000003.1798884983.0000000005AF8000.00000004.00000800.00020000.00000000.sdmp

Source: injector V2.5.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\injector V2.5.exe

File read: C:\Users\user\Desktop\injector V2.5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\injector V2.5.exe "C:\Users\user\Desktop\injector V2.5.exe"
Source: C:\Users\user\Desktop\injector V2.5.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\injector V2.5.exe	Process created: C:\Users\user\Desktop\injector V2.5.exe "C:\Users\user\Desktop\injector V2.5.exe"
Source: C:\Users\user\Desktop\injector V2.5.exe	Process created: C:\Users\user\Desktop\injector V2.5.exe "C:\Users\user\Desktop\injector V2.5.exe"	Jump to behavior

Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: injector V2.5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

PE file contains sections with non-standard names

Source: injector V2.5.exe	Static PE information: section name: .00cfg
Source: injector V2.5.exe	Static PE information: section name: .coS

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B500FA push ecx; ret		0_2_00B5010D
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B500FA push ecx; ret		2_2_00B5010D

Source: injector V2.5.exe

Static PE information: section name: .text entropy: 6.9570693373870895

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\injector V2.5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\injector V2.5.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\injector V2.5.exe

System information queried: FirmwareTableInformation

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\injector V2.5.exe

API coverage: 9.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\injector V2.5.exe TID: 5932

Thread sleep time: -270000s >= -30000s

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\injector V2.5.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4F680 FindFirstFileExW,	0_2_00B4F680
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4F731 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B4F731
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B4F680 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00B4F680

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\injector V2.5.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 2_2_0043E730 LdrInitializeThunk,

2_2_0043E730

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B496AF

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B5D18D mov edi, dword ptr fs:[00000030h]	0_2_00B5D18D
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2D475 mov edi, dword ptr fs:[00000030h]	0_2_00B2D475
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2D07E mov edi, dword ptr fs:[00000030h]	0_2_00B2D07E
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32C40 mov eax, dword ptr fs:[00000030h]	0_2_00B32C40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32C40 mov eax, dword ptr fs:[00000030h]	0_2_00B32C40
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2CD0A mov edi, dword ptr fs:[00000030h]	0_2_00B2CD0A
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2E93A mov edi, dword ptr fs:[00000030h]	0_2_00B2E93A
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2CD0A mov edi, dword ptr fs:[00000030h]	0_2_00B2CD0A
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2D6B8 mov edi, dword ptr fs:[00000030h]	0_2_00B2D6B8
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2D6B8 mov edi, dword ptr fs:[00000030h]	0_2_00B2D6B8
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2DA6C mov edi, dword ptr fs:[00000030h]	0_2_00B2DA6C
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32B9B mov eax, dword ptr fs:[00000030h]	0_2_00B32B9B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B32B9B mov eax, dword ptr fs:[00000030h]	0_2_00B32B9B
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B2E350 mov edi, dword ptr fs:[00000030h]	0_2_00B2E350
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	2_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	2_2_00B2CCC0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B4CB10 GetProcessHeap,

0_2_00B4CB10

Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4902F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B4902F
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B496A3 SetUnhandledExceptionFilter,	0_2_00B496A3
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B496AF
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 0_2_00B4B79A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B4B79A
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B4902F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00B4902F
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B496A3 SetUnhandledExceptionFilter,	2_2_00B496A3
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B496AF
Source: C:\Users\user\Desktop\injector V2.5.exe	Code function: 2_2_00B4B79A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B4B79A

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\injector V2.5.exe

0_2_00B5D18D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\injector V2.5.exe

Memory written: C:\Users\user\Desktop\injector V2.5.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p3ar11fter.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 3xp3cts1aim.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: peepburry828.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p10tgrace.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: processhol.sbs
Source: injector V2.5.exe, 00000000.00000002.1695674213.000000000327A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: revirepart.biz

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\injector V2.5.exe

Process created: C:\Users\user\Desktop\injector V2.5.exe "C:\Users\user\Desktop\injector V2.5.exe"

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B498D5 cpuid

0_2_00B498D5

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\injector V2.5.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.5.exe

Code function: 0_2_00B49566 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B49566

Source: C:\Users\user\Desktop\injector V2.5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\injector V2.5.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: injector V2.5.exe PID: 4928, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: llets/ElectronCashK
Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: injector V2.5.exe, 00000002.00000003.1849885737.00000000033F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Searches for user specific document files

Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.5.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000002.00000003.1799214621.00000000033D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1849649478.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: injector V2.5.exe PID: 4928, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: injector V2.5.exe PID: 4928, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

ID:	1560308
Product:	CloudBasic
Start time:	16:52:06
Start date:	21.11.2024
Sample:	injector V2.5.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	96f89e1cb2a8789acee8720d872b4cc5
SHA1:	03e6c31a56329ac737de81a43c9b8b9266fd31a3
SHA256:	313d44650a5c5c542bbbcae9d17c03cc0981642b1450a092bfa95956bbead114
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
injector V2.5.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report injector V2.5.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
injector V2.5.exe

Malware Threat Intel
Provided by