Edit tour
Windows
Analysis Report
AutoUpdate.exe
Overview
General Information
| Sample name: | AutoUpdate.exe |
| Analysis ID: | 1580115 |
| MD5: | 2edfb2e821cc4822c1ac9d6d52591048 |
| SHA1: | 37241f65670dfeb7154469a9a51cbf5b577b1fd3 |
| SHA256: | 00cf2aae19b9ac81ac5c6322ae56f65373c8cc05568ed6a35379077ca221fc5a |
| Tags: | exeuser-aachum |
| Infos: |   |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation Via Stdin
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
AutoUpdate.exe (PID: 6332 cmdline: "C:\Users\ user\Deskt op\AutoUpd ate.exe" MD5: 2EDFB2E821CC4822C1AC9D6D52591048) 
powershell.exe (PID: 5324 cmdline: powershell -exec byp ass error code: 523 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
conhost.exe (PID: 3104 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1432 cmdline:
powershell -exec byp ass <!DOCT YPE html> <!--[if lt IE 7]> <h tml class= "no-js ie6 oldie" la ng="en-US" > <![endif ]--> <!--[ if IE 7]> <html cla ss="no-js ie7 oldie" lang="en- US"> <![en dif]--> <! --[if IE 8 ]> <html class="no- js ie8 old ie" lang=" en-US"> <! [endif]--> <!--[if g t IE 8]><! --> <html class="no- js" lang=" en-US"> <! --<![endif ]--> <head > <title>S uspected p hishing si te | Cloud flare</tit le> <meta charset="U TF-8" /> < meta http- equiv="Con tent-Type" content=" text/html; charset=U TF-8" /> < meta http- equiv="X-U A-Compatib le" conten t="IE=Edge " /> <meta name="rob ots" conte nt="noinde x, nofollo w" /> <met a name="vi ewport" co ntent="wid th=device- width,init ial-scale= 1" /> <lin k rel="sty lesheet" i d="cf_styl es-css" hr ef="/cdn-c gi/styles/ cf.errors. css" /> <! --[if lt I E 9]><link rel="styl esheet" id ='cf_style s-ie-css' href="/cdn -cgi/style s/cf.error s.ie.css" /><![endif ]--> <styl e>body{mar gin:0;padd ing:0}</st yle> <!-- [if gte IE 10]><!--> <script> if (!navi gator.cook ieEnabled) { windo w.addEvent Listener(' DOMContent Loaded', f unction () { var cookieEl = document. getElement ById('cook ie-alert') ; cooki eEl.style. display = 'block'; }) } </s cript> <!- -<![endif] --> </hea d> <body> <div id=" cf-wrapper "> <div class="cf- alert cf-a lert-error cf-cookie -error" id ="cookie-a lert" data -translate ="enable_c ookies">Pl ease enabl e cookies. </div> < div id="cf -error-det ails" clas s="cf-erro r-details- wrapper"> <div cl ass="cf-se ction cf-w rapper" st yle="margi n-top: 100 px;margin- bottom:200 px;"> <div class ="cf-colum ns one"> <div c lass="cf-c olumn"> <h4 cl ass="cf-te xt-error"> <i class=" cf-icon-ex clamation- sign" styl e="backgro und-size: 18px; height: 18px; width: 18px; margin -bottom: 2 px;"></i> Warning</h 4> <h2 style="ma rgin: 16px 0;">Suspe cted Phish ing</h2> <str ong>This w ebsite has been repo rted for p otential p hishing.</ strong> <p>Ph ishing is when a sit e attempts to steal sensitive informatio n by false ly present ing as a s afe source .</p> <d iv style=" display: f lex; align -items: ce nter;"> <p> <a href="http s://www.cl oudflare.c om/learnin g/access-m anagement/ phishing-a ttack/" cl ass="cf-bt n" style=" background -color: #4 04040; col or: #fff; border: 0; ">Learn Mo re</a> <form action="/ cdn-cgi/ph ish-bypass " method=" GET" encty pe="text/p lain"> <i nput type= "hidden" n ame="atok" value="Uw KlRWOOvWBt YJ.FwDwDmX sQcmgI5ndC _Cc6FOD4bo Y-17349966