Windows Analysis Report
LummaC2.exe

Overview

General Information

Sample name: LummaC2.exe
Analysis ID: 1599859
MD5: 3c6b5b5a88657576daf07897736d21cf
SHA1: c661592798c2a081f41dd6ab6a1b47f142ec5289
SHA256: 31b8f3be19bb8880fe18105872b9ba7d470a39ba9fd02127c20d350a684e8480
Tags: exe, user-Lars

Detection

LummaC
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (legend): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: clockersspic.click Avira URL Cloud: Label: malware
Source: LummaC2.exe Malware Configuration Extractor: LummaC {"C2 url": ["bashfulacid.lat", "clockersspic.click", "shapestickyr.lat", "wordyfindy.lat", "slipperyloo.lat", "tentabatte.lat", "curverpluch.lat", "talkynicer.lat", "manyrestro.lat"], "Build id": "yau6Na--1779986370"}
Source: LummaC2.exe Virustotal: Detection: 47%
Source: LummaC2.exe ReversingLabs: Detection: 52%
Source: LummaC2.exe Joe Sandbox ML: detected
Source: LummaC2.exe String decryptor: bashfulacid.lat
Source: LummaC2.exe String decryptor: tentabatte.lat
Source: LummaC2.exe String decryptor: curverpluch.lat
Source: LummaC2.exe String decryptor: talkynicer.lat
Source: LummaC2.exe String decryptor: shapestickyr.lat
Source: LummaC2.exe String decryptor: manyrestro.lat
Source: LummaC2.exe String decryptor: slipperyloo.lat
Source: LummaC2.exe String decryptor: wordyfindy.lat
Source: LummaC2.exe String decryptor: clockersspic.click
Source: LummaC2.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: LummaC2.exe String decryptor: TeslaBrowser/5.5
Source: LummaC2.exe String decryptor: - Screen Resoluton:
Source: LummaC2.exe String decryptor: - Physical Installed Memory:
Source: LummaC2.exe String decryptor: Workgroup: -
Source: LummaC2.exe String decryptor: yau6Na--1779986370
Source: LummaC2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LummaC2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx edx, byte ptr [esp+edi-246C2ADAh] 0_2_00EEF898
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 17265850h 0_2_00EF1B90
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F718F839h 0_2_00EEF30B
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 37A3DD63h 0_2_00EEF485
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h 0_2_00EF1F90
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov edi, edx 0_2_00EB8740
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ebx, eax 0_2_00EB58F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ebp, eax 0_2_00EB58F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h 0_2_00EF20F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+10B93D1Ah] 0_2_00ECE8A3
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00EDD0B9
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-1F5DFF91h] 0_2_00EB9090
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+10B93D1Ah] 0_2_00ECE890
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov dword ptr [esp+04h], eax 0_2_00ECA840
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then jmp eax 0_2_00ED69E0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ecx, eax 0_2_00EDA9C0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx eax, byte ptr [esp+ecx+01h] 0_2_00EDA9C0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h 0_2_00EF19C0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then jmp dword ptr [00EF75CCh] 0_2_00ECA1DF
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx edx, byte ptr [ebx+eax-7Fh] 0_2_00ED99D9
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then push eax 0_2_00ED99D9
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+0000011Fh] 0_2_00EBE9D5
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_00EDE9BA
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00EDE9BA
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov edx, ecx 0_2_00ED5932
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then jmp eax 0_2_00ED5932
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00EE6AF0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00EC5AD0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ebx, eax 0_2_00EBCA8D
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ebx, eax 0_2_00EBCA8D
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx edi, byte ptr [esp+ebx+000000C0h] 0_2_00EDCA97
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ecx, eax 0_2_00ED7A60
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+5B5A8FBFh] 0_2_00EBAA30
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx edx, byte ptr [esp+edi+26207671h] 0_2_00ECB200
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov dword ptr [esp+04h], ecx 0_2_00ECB200
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ecx, eax 0_2_00ED3BEF
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then jmp eax 0_2_00ED3BEF
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov eax, 00000001h 0_2_00EC93B4
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ebx, eax 0_2_00ED9390
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov edx, ecx 0_2_00ED5360
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then jmp eax 0_2_00ED5360
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_00EB2B50
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp word ptr [edi+eax], 0000h 0_2_00EC4B2A
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00EDB4F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then jmp eax 0_2_00ED4CF0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax-3Ah] 0_2_00ED4CF0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 385488F2h 0_2_00EC6CAE
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 0_2_00EDBCA0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E87DD67h 0_2_00EEA4A0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then add ecx, 02h 0_2_00EEA4A0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-0000009Fh] 0_2_00EEA4A0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 0_2_00EC6C82
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00EC6C82
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then lea edx, dword ptr [eax-5C8875C3h] 0_2_00ECE490
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00ED9C61
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h] 0_2_00EB7470
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h] 0_2_00EB7470
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then jmp eax 0_2_00EEF449
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then jmp eax 0_2_00ED6C2C
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_00EDEC2A
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00EDEC2A
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx-5FD724E9h] 0_2_00EBDC38
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx eax, byte ptr [esp+esi-5FD724E9h] 0_2_00EBDC38
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov dword ptr [esp+04h], eax 0_2_00ECAC08
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx eax, byte ptr [esp+ecx+01h] 0_2_00EDAC13
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_00EDE5A4
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00EDE5A4
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ecx, eax 0_2_00ED3580
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h 0_2_00ED3580
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx eax, word ptr [edx+ecx+02h] 0_2_00EEAD43
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ebx, eax 0_2_00ED9512
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx edx, byte ptr [ebx+eax-7Fh] 0_2_00ED9512
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then push eax 0_2_00ED9512
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+4D18D713h] 0_2_00EDCECC
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [edi], cl 0_2_00EDCECC
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+4D18D713h] 0_2_00EDCE85
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [edi], cl 0_2_00EDCE85
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx eax, byte ptr [ebp+esi+00000090h] 0_2_00EB2E90
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6E87DD67h 0_2_00EECE40
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-46AF0E95h] 0_2_00EECE40
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 56ADC53Ah 0_2_00EF1650
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2158ED98h] 0_2_00EF1650
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 56ADC53Ah 0_2_00EF1650
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ecx, eax 0_2_00ED762C
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_00EDE60C
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00EDE60C
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 0_2_00EDB7F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov ecx, eax 0_2_00ECF740
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then mov edx, ecx 0_2_00EB9750
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1Dh] 0_2_00ED7750

Networking

Source: Malware configuration extractor URLs: bashfulacid.lat
Source: Malware configuration extractor URLs: clockersspic.click
Source: Malware configuration extractor URLs: shapestickyr.lat
Source: Malware configuration extractor URLs: wordyfindy.lat
Source: Malware configuration extractor URLs: slipperyloo.lat
Source: Malware configuration extractor URLs: tentabatte.lat
Source: Malware configuration extractor URLs: curverpluch.lat
Source: Malware configuration extractor URLs: talkynicer.lat
Source: Malware configuration extractor URLs: manyrestro.lat
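The configuration extractor and string decryptor above together give everything needed for a network detection: nine C2 domains, the user agent "TeslaBrowser/5.5", the POST body format string "lid=%s&j=%s&ver=4.0" and the build id "yau6Na--1779986370". The following is an added example (editor's code, not part of the Joe Sandbox report) that applies those indicators to proxy log lines. The tab-separated log format and the sample lines are constructed for the example and are not traffic from the sandbox run (the report records no contacted IPs). Treating the `lid` value as the build id is an assumption; the report does not say which value fills that field.

```python
import re
from typing import List, NamedTuple, Tuple

# Indicators taken from this report's malware configuration and string decryptor output
C2_DOMAINS = {
    "bashfulacid.lat", "clockersspic.click", "shapestickyr.lat", "wordyfindy.lat",
    "slipperyloo.lat", "tentabatte.lat", "curverpluch.lat", "talkynicer.lat", "manyrestro.lat",
}
LUMMA_USER_AGENT = "TeslaBrowser/5.5"
BUILD_ID = "yau6Na--1779986370"
# Derived from the decrypted format string "lid=%s&j=%s&ver=4.0"
BEACON_BODY = re.compile(r"^lid=(?P<lid>[^&]+)&j=(?P<j>[^&]*)&ver=4\.0$")


class HttpEvent(NamedTuple):
    ts: str
    src: str
    method: str
    host: str
    uri: str
    user_agent: str
    body: str


def parse_line(line: str) -> HttpEvent:
    """Parse one tab-separated proxy log line (constructed 7-field format)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    return HttpEvent(*fields)


def host_matches_c2(host: str) -> bool:
    """Exact or subdomain match against the extracted C2 domains."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def classify(ev: HttpEvent) -> List[str]:
    """Return the list of indicators an event matches (empty list = no hit)."""
    reasons = []
    if host_matches_c2(ev.host):
        reasons.append("c2-domain")
    if ev.user_agent == LUMMA_USER_AGENT:
        reasons.append("user-agent")
    m = BEACON_BODY.match(ev.body) if ev.method == "POST" else None
    if m:
        reasons.append("beacon-body")
        # Assumption: lid carries the build id; the report does not state this
        if m.group("lid") == BUILD_ID:
            reasons.append("build-id")
    return reasons


def scan(lines) -> List[Tuple[HttpEvent, List[str]]]:
    """Parse and classify every log line; comments and blank lines are skipped."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample log (not traffic observed in the sandbox run)
SAMPLE_LOG = [
    "# ts\tsrc\tmethod\thost\turi\tuser_agent\tbody",
    "2025-01-20T10:00:01Z\t10.0.0.5\tGET\tdocs.example\t/index.html\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0\t",
    "2025-01-20T10:00:07Z\t10.0.0.5\tPOST\tbashfulacid.lat\t/api\tTeslaBrowser/5.5\tlid=yau6Na--1779986370&j=k7Qd&ver=4.0",
    "2025-01-20T10:00:09Z\t10.0.0.5\tPOST\tcdn.clockersspic.click\t/api\tMozilla/5.0\tping=1",
    "2025-01-20T10:01:00Z\t10.0.0.9\tGET\tupdate.example\t/check\tTeslaBrowser/5.5\t",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.src} -> {ev.host}{ev.uri}: {', '.join(reasons)}")
```

A domain hit is high confidence for this build, but the domain set is per-build and rotates, so the user agent and the "lid=...&j=...&ver=4.0" body shape are the indicators worth keeping after these domains go stale. The user agent on its own is weaker evidence than the body format, which is why the example reports each matched indicator separately rather than a single verdict.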

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE4450 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 0_2_00EE4450
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE4450 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 0_2_00EE4450
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE4C21 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 0_2_00EE4C21

System Summary

Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE76A6 0_2_00EE76A6
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB8740 0_2_00EB8740
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB38F0 0_2_00EB38F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB58F0 0_2_00EB58F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE90B0 0_2_00EE90B0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE109C 0_2_00EE109C
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED2870 0_2_00ED2870
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED7007 0_2_00ED7007
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE4010 0_2_00EE4010
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ECD1E9 0_2_00ECD1E9
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED99E7 0_2_00ED99E7
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED69E0 0_2_00ED69E0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDA9C0 0_2_00EDA9C0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED99D9 0_2_00ED99D9
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EBE9D5 0_2_00EBE9D5
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EC81AE 0_2_00EC81AE
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDE9BA 0_2_00EDE9BA
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ECC980 0_2_00ECC980
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ECF190 0_2_00ECF190
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EBF140 0_2_00EBF140
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE9950 0_2_00EE9950
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EC5AD0 0_2_00EC5AD0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB42A0 0_2_00EB42A0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EBCA8D 0_2_00EBCA8D
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED7A80 0_2_00ED7A80
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED7A60 0_2_00ED7A60
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDA27F 0_2_00EDA27F
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EC1A74 0_2_00EC1A74
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EEA240 0_2_00EEA240
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE8251 0_2_00EE8251
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EBAA30 0_2_00EBAA30
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB6200 0_2_00EB6200
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ECB200 0_2_00ECB200
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED3BEF 0_2_00ED3BEF
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDDBD5 0_2_00EDDBD5
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB4BD0 0_2_00EB4BD0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EC93B4 0_2_00EC93B4
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF0380 0_2_00EF0380
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED5360 0_2_00ED5360
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB9320 0_2_00EB9320
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED0B20 0_2_00ED0B20
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EBF33E 0_2_00EBF33E
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF1300 0_2_00EF1300
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED4CF0 0_2_00ED4CF0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EC6CAE 0_2_00EC6CAE
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EEA4A0 0_2_00EEA4A0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED84A2 0_2_00ED84A2
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ECECB0 0_2_00ECECB0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB7470 0_2_00EB7470
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF0470 0_2_00EF0470
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EC2450 0_2_00EC2450
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EBDC38 0_2_00EBDC38
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF05F0 0_2_00EF05F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ECDDC0 0_2_00ECDDC0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EED5C0 0_2_00EED5C0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDE5A4 0_2_00EDE5A4
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE0D88 0_2_00EE0D88
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED3580 0_2_00ED3580
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED8D60 0_2_00ED8D60
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF0560 0_2_00EF0560
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE2570 0_2_00EE2570
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EEAD43 0_2_00EEAD43
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF0D40 0_2_00EF0D40
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ECF550 0_2_00ECF550
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED9512 0_2_00ED9512
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE96F0 0_2_00EE96F0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDDEC3 0_2_00EDDEC3
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EC0EDD 0_2_00EC0EDD
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDDED9 0_2_00EDDED9
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EC7EA6 0_2_00EC7EA6
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF0680 0_2_00EF0680
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB2E90 0_2_00EB2E90
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB6690 0_2_00EB6690
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ED9E75 0_2_00ED9E75
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE8E50 0_2_00EE8E50
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF1650 0_2_00EF1650
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EEFE2D 0_2_00EEFE2D
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDE60C 0_2_00EDE60C
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF0FD0 0_2_00EF0FD0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EBFF93 0_2_00EBFF93
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00ECF740 0_2_00ECF740
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EB9750 0_2_00EB9750
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EBAF00 0_2_00EBAF00
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE8703 0_2_00EE8703
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EDEF10 0_2_00EDEF10
Source: C:\Users\user\Desktop\LummaC2.exe Code function: String function: 00EC4B00 appears 55 times
Source: C:\Users\user\Desktop\LummaC2.exe Code function: String function: 00EB8020 appears 41 times
Source: LummaC2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EE2890 CoCreateInstance, 0_2_00EE2890
Source: LummaC2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LummaC2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LummaC2.exe Virustotal: Detection: 47%
Source: LummaC2.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\LummaC2.exe File read: C:\Users\user\Desktop\LummaC2.exe
Source: C:\Users\user\Desktop\LummaC2.exe Section loaded: apphelp.dll
Source: LummaC2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EED200 push eax; mov dword ptr [esp], 9F9C9DA2h 0_2_00EED20F
Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EF0340 push eax; mov dword ptr [esp], 46414073h 0_2_00EF0341
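The "push eax; mov dword ptr [esp], imm32" pairs above and the many "4x nop then ..." lines earlier in the report are the two obfuscation idioms the sandbox flags: the 8-byte pair has exactly the effect of a 5-byte "push imm32" (the pushed eax is immediately overwritten, eax itself is untouched), and the NOP runs pad code so that a naive signature on the surrounding instructions misses. The following is an added example (editor's code, not part of the Joe Sandbox report) that finds both patterns in a raw code buffer and rewrites the push/mov pairs to the equivalent push imm32 so the immediates can be read off directly. The buffer is constructed for the example and carries the two immediates the report lists; it is not code copied from the sample.

```python
import struct
from typing import List, Optional, Tuple

NOP = 0x90
PUSH_EAX_MOV_ESP_IMM = b"\x50\xc7\x04\x24"   # push eax ; mov dword ptr [esp], imm32
PUSH_IMM32 = 0x68                             # push imm32


def find_nop_runs(code: bytes, min_run: int = 4) -> List[Tuple[int, int, Optional[int]]]:
    """Return (offset, length, first byte after the run) for every run of >= min_run NOPs."""
    runs, i, n = [], 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and code[j] == NOP:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i, code[j] if j < n else None))
        i = j
    return runs


def find_push_mov_imm(code: bytes) -> List[Tuple[int, int]]:
    """Return (offset, imm32) for every 'push eax; mov dword ptr [esp], imm32' pair."""
    hits, start = [], 0
    while True:
        k = code.find(PUSH_EAX_MOV_ESP_IMM, start)
        if k < 0 or k + 8 > len(code):
            break
        hits.append((k, struct.unpack_from("<I", code, k + 4)[0]))
        start = k + 8
    return hits


def normalize_push_imm(code: bytes) -> bytes:
    """Rewrite each 8-byte pair as 'push imm32' plus 3 NOPs: same stack effect, same length."""
    out = bytearray(code)
    for off, imm in find_push_mov_imm(code):
        out[off:off + 8] = bytes([PUSH_IMM32]) + struct.pack("<I", imm) + bytes([NOP] * 3)
    return bytes(out)


def report(code: bytes, base: int = 0) -> List[str]:
    """Render findings in the style of the sandbox's 'Code function' lines."""
    lines = [f"{base + off:08X}: push eax; mov dword ptr [esp], {imm:08X}h"
             for off, imm in find_push_mov_imm(code)]
    lines += [f"{base + off:08X}: {length}x nop then byte {nxt:02X}h" if nxt is not None
              else f"{base + off:08X}: {length}x nop at end of buffer"
              for off, length, nxt in find_nop_runs(code)]
    return lines


# Constructed code buffer (not bytes from the sample) carrying the two immediates the report lists
SAMPLE_CODE = (
    b"\x55\x89\xe5"                           # push ebp ; mov ebp, esp
    + b"\x50\xc7\x04\x24\xa2\x9d\x9c\x9f"     # push eax ; mov dword ptr [esp], 9F9C9DA2h
    + b"\x90\x90\x90\x90"                     # 4x nop
    + b"\x0f\xb6\x54\x3c\x26"                 # movzx edx, byte ptr [esp+edi+26h]
    + b"\x50\xc7\x04\x24\x73\x40\x41\x46"     # push eax ; mov dword ptr [esp], 46414073h
    + b"\xc3"                                 # ret
    + b"\x90\x90"                             # 2x nop: below the 4-NOP threshold
)

if __name__ == "__main__":
    for line in report(SAMPLE_CODE, base=0x00EED200):
        print(line)
```

The rewrite keeps every byte offset stable by padding with NOPs, which is why the NOP-run count goes up after normalization; run the NOP scan before the rewrite if the count is being used as a signal. Searching raw bytes this way works on a dumped .text section or on the file's code section bytes; it does not need a disassembler, but it also cannot tell a "push eax; mov [esp], imm32" that is genuinely two instructions at a non-instruction boundary from the obfuscation idiom, so treat hits as candidates to confirm in a disassembler.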

Malware Analysis System Evasion

Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\LummaC2.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\LummaC2.exe Code function: 0_2_00EEEB40 LdrInitializeThunk, 0_2_00EEEB40
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: bashfulacid.lat
Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: tentabatte.lat
Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: curverpluch.lat
Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: talkynicer.lat
Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: shapestickyr.lat
Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: manyrestro.lat
Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: slipperyloo.lat
Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: wordyfindy.lat
Source: LummaC2.exe, 00000000.00000000.1712402515.0000000000EF3000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: clockersspic.click

Stealing of Sensitive Information

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos