Edit tour

Windows Analysis Report
furra.exe

Overview

General Information

Sample name:	furra.exe
Analysis ID:	1610179
MD5:	05f42a351356393179165a84086f8c07
SHA1:	71093fd05686d6202bf4144f94920deefe551f96
SHA256:	2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912
Tags:	CryptBotexeLummaStealeruser-aachum
Infos:

Detection

LummaC, Cryptbot, LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Cryptbot

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

furra.exe (PID: 1048 cmdline: "C:\Users\user\Desktop\furra.exe" MD5: 05F42A351356393179165A84086F8C07)

LummaC2.exe (PID: 500 cmdline: "C:\Users\user\AppData\Local\Temp\LummaC2.exe" MD5: 8DA89B163D506BE4A73B987517A1B9E4)

start-this-724.exe (PID: 6968 cmdline: "C:\Users\user\AppData\Local\Temp\start-this-724.exe" MD5: C411BEF822305589785B18BD83A3CB89)

WerFault.exe (PID: 2864 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 736 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: LummaC

{
  "C2 url": [
    "berserkyfir.click",
    "noisycuttej.shop",
    "rabidcowse.shop",
    "cloudewahsj.shop",
    "nearycrepso.shop",
    "wholersorie.shop",
    "abruptyopsn.shop",
    "tirepublicerj.shop",
    "framekgirus.shop"
  ],
  "Build id": "MeHdy4--pl14vs02"
}

Threatname: Cryptbot

{
  "C2 list": [
    ".1.1home.twelveff20pn.top",
    "ope.twelveff20pn.top",
    "a.zdnscloud.comn.top",
    "home.twelveff20pn.top",
    "indohome.twelveff20pn.top"
  ]
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
furra.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x800ce1:$s1: Runner 0x800e46:$s3: RunOnStartup 0x800cf5:$a1: Antis 0x800d22:$a2: antiVM 0x800d29:$a3: antiSandbox 0x800d35:$a4: antiDebug 0x800d3f:$a5: antiEmulator 0x800d4c:$a6: enablePersistence 0x800d5e:$a7: enableFakeError 0x800e6f:$a8: DetectVirtualMachine 0x800e94:$a9: DetectSandboxie 0x800ebf:$a10: DetectDebugger 0x800ece:$a11: CheckEmulator

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: start-this-724.exe PID: 6968	JoeSecurity_Cryptbot_1	Yara detected Cryptbot	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.furra.exe.910000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x800ce1:$s1: Runner 0x800e46:$s3: RunOnStartup 0x800cf5:$a1: Antis 0x800d22:$a2: antiVM 0x800d29:$a3: antiSandbox 0x800d35:$a4: antiDebug 0x800d3f:$a5: antiEmulator 0x800d4c:$a6: enablePersistence 0x800d5e:$a7: enableFakeError 0x800e6f:$a8: DetectVirtualMachine 0x800e94:$a9: DetectSandboxie 0x800ebf:$a10: DetectDebugger 0x800ece:$a11: CheckEmulator

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: furra.exe

Avira: detected

Antivirus detection for URL or domain

Source: ope.twelveff20pn.top	Avira URL Cloud: Label: malware
Source: indohome.twelveff20pn.top	Avira URL Cloud: Label: malware
Source: home.twelveff20pn.top	Avira URL Cloud: Label: malware
Source: http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805http://home.twelveff20pn.top/HfqvZFTxgmZz	Avira URL Cloud: Label: malware
Source: .1.1home.twelveff20pn.top	Avira URL Cloud: Label: malware
Source: http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805	Avira URL Cloud: Label: malware
Source: http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805sen	Avira URL Cloud: Label: malware
Source: berserkyfir.click	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["berserkyfir.click", "noisycuttej.shop", "rabidcowse.shop", "cloudewahsj.shop", "nearycrepso.shop", "wholersorie.shop", "abruptyopsn.shop", "tirepublicerj.shop", "framekgirus.shop"], "Build id": "MeHdy4--pl14vs02"}
Source: start-this-724.exe.6968.3.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": [".1.1home.twelveff20pn.top", "ope.twelveff20pn.top", "a.zdnscloud.comn.top", "home.twelveff20pn.top", "indohome.twelveff20pn.top"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: furra.exe	ReversingLabs: Detection: 76%
Source: furra.exe	Virustotal: Detection: 76%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: furra.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: berserkyfir.click
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String decryptor: MeHdy4--pl14vs02

Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: furra.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: furra.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+09h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then xor byte ptr [esp+eax+01h], al
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, esp
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, edi
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9B8995CDh
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [eax]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, word ptr [eax]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then test esi, esi
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [esi+ecx+02h], 0000h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [edi], cl
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [eax], cl
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [ebx], ax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [edi], cl
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, esp
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [edi], cl
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [eax], cx
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, dword ptr [esi+3Ch]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001F0h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, ebx
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], di
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [eax], cx
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, esi
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+23h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-5650DC85h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+03h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then inc eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [eax], cl
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ecx*8], F68AC6D1h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [edi], cl
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, ecx
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then inc eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-6282CB83h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [eax], cx
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-5650DC85h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-294BBCC4h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push 869608D1h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then inc eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, esp
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-72F9EF2Bh]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+38h]
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, ebp
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 27BE92A4h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53585096h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [ebx], ax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [edi], al
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then inc eax

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: berserkyfir.click
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: .1.1home.twelveff20pn.top
Source: Malware configuration extractor	URLs: ope.twelveff20pn.top
Source: Malware configuration extractor	URLs: a.zdnscloud.comn.top
Source: Malware configuration extractor	URLs: home.twelveff20pn.top
Source: Malware configuration extractor	URLs: indohome.twelveff20pn.top

Source: global traffic

HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*

Source: Joe Sandbox View

IP Address: 3.230.67.98 3.230.67.98

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.twelveff20pn.top

Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	String found in binary or memory: http://.css
Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	String found in binary or memory: http://.jpg
Source: start-this-724.exe.0.dr	String found in binary or memory: http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805
Source: start-this-724.exe, 00000003.00000002.2200786036.00000000009DF000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805http://home.twelveff20pn.top/HfqvZFTxgmZz
Source: start-this-724.exe, 00000003.00000002.2201273842.00000000010F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805sen
Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: furra.exe, 00000000.00000002.2135003829.0000000006AEC000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: start-this-724.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: start-this-724.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: start-this-724.exe, 00000003.00000003.2140872770.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A678A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A678A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A67A20 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

System Summary

Malicious sample detected (through community Yara rule)

Source: furra.exe, type: SAMPLE	Matched rule: Detects downloader / injector Author: ditekSHen
Source: 0.0.furra.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader / injector Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6C010
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A38730
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6C8A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A338B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A598B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A49880
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6D0E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6B8C5
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A570D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A74860
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5686D
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A49043
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6D9A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4C9F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6B1FB
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A651C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A46100
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A32910
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A61168
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A75150
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A46100
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A35A80
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A32AE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A362E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A392F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4DAF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5B2C3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A472C9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A42ACB
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A54ADF
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4E230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A34260
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A57261
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A38A70
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A42246
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A3DA4C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A71250
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5CB91
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A74BE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A3B330
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A3F330
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A48B3B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A58B70
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6EB40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A3EB5F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5C4A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4C4B6
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A50CB1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5BC9A
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A454C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6ECD9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A67420
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A59C30
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A59C10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A73C60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A65470
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A46444
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4B5A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A62DA3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A735AA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A3D5AD
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A34D80
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4A580
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5BD9A
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A61DE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A615EE
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6E5F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A73DC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A3ADD0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A53500
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4151F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A74560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5057D
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A37540
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A73EA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A32EB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6CE80
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A74E80
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A506EF
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4DE20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A56E20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A61607
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A42E60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A67640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5A648
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A397B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5EFB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A52FE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A587F7
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A58F30
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A47703
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A4E710
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A36770
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A5B770
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A35F40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A73F40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A64757

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\LummaC2.exe EA56E7F640355598346FA0B356699298314E25D809F3AA7CFCE1804A3D1964E5

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 00A454B0 appears 110 times
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 00A37FE0 appears 45 times

Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 736

Source: furra.exe, 00000000.00000000.2120012709.0000000000F78000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefulfil.exe4 vs furra.exe
Source: furra.exe, 00000000.00000002.2128418571.00000000016AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs furra.exe
Source: furra.exe	Binary or memory string: OriginalFilenamefulfil.exe4 vs furra.exe

Source: furra.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: furra.exe, type: SAMPLE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 0.0.furra.exe.910000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: furra.exe, Program.cs

Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu'

Source: start-this-724.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: furra.exe

Binary or memory string: .SlN9

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/8@14/1

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A6D9A0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

Source: C:\Users\user\Desktop\furra.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\furra.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\furra.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6968
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\furra.exe

File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Jump to behavior

Source: furra.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: furra.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\furra.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\furra.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: furra.exe	ReversingLabs: Detection: 76%
Source: furra.exe	Virustotal: Detection: 76%

Source: furra.exe

String found in binary or memory: eS/AdD<

Source: unknown	Process created: C:\Users\user\Desktop\furra.exe "C:\Users\user\Desktop\furra.exe"
Source: C:\Users\user\Desktop\furra.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\furra.exe	Process created: C:\Users\user\AppData\Local\Temp\start-this-724.exe "C:\Users\user\AppData\Local\Temp\start-this-724.exe"
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 736
Source: C:\Users\user\Desktop\furra.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\furra.exe	Process created: C:\Users\user\AppData\Local\Temp\start-this-724.exe "C:\Users\user\AppData\Local\Temp\start-this-724.exe"

Source: C:\Users\user\Desktop\furra.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\furra.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Section loaded: winrnr.dll

Source: C:\Users\user\Desktop\furra.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\furra.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: furra.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: furra.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: furra.exe

Static file information: File size 8397824 > 1048576

Source: furra.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x801a00

Source: furra.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: start-this-724.exe.0.dr

Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A6616A push edx; ret

Source: C:\Users\user\Desktop\furra.exe	File created: C:\Users\user\AppData\Local\Temp\start-this-724.exe			Jump to dropped file
Source: C:\Users\user\Desktop\furra.exe	File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe			Jump to dropped file

Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\furra.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: furra.exe	Binary or memory string: SBIEDLL.DLL
Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: start-this-724.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\furra.exe	Memory allocated: 1980000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\furra.exe	Memory allocated: 3400000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\furra.exe	Memory allocated: 5400000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\furra.exe	Memory allocated: 6390000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\furra.exe	Memory allocated: 7390000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\furra.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

API coverage: 7.2 %

Source: C:\Users\user\Desktop\furra.exe TID: 6188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe TID: 828	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe TID: 828	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\furra.exe

Thread delayed: delay time: 922337203685477

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: start-this-724.exe, 00000003.00000002.2201551354.0000000003440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: furra.exe	Binary or memory string: DetectVirtualMachine
Source: start-this-724.exe, 00000003.00000003.2141260254.0000000000F47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: start-this-724.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: furra.exe	Binary or memory string: <Module>fulfil.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributefulfilEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticks0g5aq55quiu.resources
Source: start-this-724.exe, 00000003.00000003.2140872770.00000000010F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: start-this-724.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: furra.exe	Binary or memory string: vmware
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A723F0 LdrInitializeThunk,

Source: C:\Users\user\Desktop\furra.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: furra.exe, 00000000.00000002.2129550042.0000000004405000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: berserkyfir.click

Source: C:\Users\user\Desktop\furra.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\furra.exe	Process created: C:\Users\user\AppData\Local\Temp\start-this-724.exe "C:\Users\user\AppData\Local\Temp\start-this-724.exe"

Source: C:\Users\user\Desktop\furra.exe	Queries volume information: C:\Users\user\Desktop\furra.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\start-this-724.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	Binary or memory string: procmon.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	Binary or memory string: wireshark.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: start-this-724.exe PID: 6968, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: start-this-724.exe PID: 6968, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
furra.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
furra.exe	76%	Virustotal		Browse
furra.exe	100%	Avira	HEUR/AGEN.1357339
furra.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LummaC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\LummaC2.exe	96%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\start-this-724.exe	71%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
ope.twelveff20pn.top	100%	Avira URL Cloud	malware
indohome.twelveff20pn.top	100%	Avira URL Cloud	malware
home.twelveff20pn.top	100%	Avira URL Cloud	malware
http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805http://home.twelveff20pn.top/HfqvZFTxgmZz	100%	Avira URL Cloud	malware
.1.1home.twelveff20pn.top	100%	Avira URL Cloud	malware
http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805	100%	Avira URL Cloud	malware
http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805sen	100%	Avira URL Cloud	malware
a.zdnscloud.comn.top	0%	Avira URL Cloud	safe
berserkyfir.click	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
httpbin.org	3.230.67.98	true	false		high
home.twelveff20pn.top	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
a.zdnscloud.comn.top	true	Avira URL Cloud: safe	unknown
rabidcowse.shop	false		high
indohome.twelveff20pn.top	true	Avira URL Cloud: malware	unknown
wholersorie.shop	false		high
https://httpbin.org/ip	false		high
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
berserkyfir.click	true	Avira URL Cloud: malware	unknown
nearycrepso.shop	false		high
ope.twelveff20pn.top	true	Avira URL Cloud: malware	unknown
home.twelveff20pn.top	true	Avira URL Cloud: malware	unknown
.1.1home.twelveff20pn.top	true	Avira URL Cloud: malware	unknown
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	false		high
https://curl.se/docs/http-cookies.html	furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	false		high
http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805http://home.twelveff20pn.top/HfqvZFTxgmZz	start-this-724.exe, 00000003.00000002.2200786036.00000000009DF000.00000004.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://curl.se/docs/alt-svc.html	start-this-724.exe.0.dr	false		high
http://.css	furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	false		high
https://curl.se/docs/hsts.html	start-this-724.exe.0.dr	false		high
https://httpbin.org/ipbefore	furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	false		high
http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805sen	start-this-724.exe, 00000003.00000002.2201273842.00000000010F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://.jpg	furra.exe, 00000000.00000002.2135003829.00000000069A7000.00000004.00000800.00020000.00000000.sdmp, start-this-724.exe, 00000003.00000000.2127581160.00000000009E2000.00000002.00000001.01000000.00000007.sdmp, start-this-724.exe.0.dr	false		high
http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805	start-this-724.exe.0.dr	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.230.67.98	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1610179
Start date and time:	2025-02-08 18:09:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	furra.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/8@14/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.190.159.0, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target furra.exe, PID 1048 because it is empty
Execution Graph export aborted for target start-this-724.exe, PID 6968 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:10:14	API Interceptor	6x Sleep call for process: start-this-724.exe modified
12:10:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_start-this-724.e_245f2eaf38eaf85c30a2655316b9977fa2110cc_29a692a1_08a799ef-260c-4fab-85f5-3641be7d2644\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9451726162141048
Encrypted:	false
SSDEEP:	192:6UNE8c+0BU/UVJj4ZrMso5wzuiF3Z24IO8RP:Hy8clBU/UVJjuzuiF3Y4IO8RP
MD5:	71F73FA7891D838EE9C5F2FFAB7F80B0
SHA1:	85BE23930A4DF0101705F716F842ED663BD93D17
SHA-256:	C97C083FF87DE321A82567D17FD8EAD370E2CB2DC82F9E518BF0E59BE0D68EE9
SHA-512:	81C5C37EDEE66B87A4A9E6AD58777B0AB1124D8169B78E0A4A4AA7830DD37B6CCED9D6450045B15E2E1814287F787926BF31BCA19674F527C9E504FFCF63615C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.3.5.0.8.2.1.6.7.9.1.3.8.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.3.5.0.8.2.1.7.2.2.8.8.9.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.a.7.9.9.e.f.-.2.6.0.c.-.4.f.a.b.-.8.5.f.5.-.3.6.4.1.b.e.7.d.2.6.4.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.6.0.7.6.a.5.-.b.0.b.6.-.4.b.0.2.-.b.5.b.4.-.b.8.a.3.7.b.f.5.8.4.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.t.a.r.t.-.t.h.i.s.-.7.2.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.3.8.-.0.0.0.1.-.0.0.1.5.-.0.1.8.4.-.6.1.5.0.4.c.7.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.6.c.e.0.1.8.8.0.1.8.f.5.8.6.8.7.4.e.f.4.1.2.1.5.f.9.9.1.0.1.b.0.0.0.0.f.f.f.f.!.0.0.0.0.8.9.0.b.2.b.d.d.6.e.8.8.a.4.5.1.9.2.d.3.5.5.2.8.7.9.a.f.b.e.d.9.9.5.5.e.9.b.8.c.!.s.t.a.r.t.-.t.h.i.s.-.7.2.4...e.x.e.....T.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE0E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Feb 8 17:10:16 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	50566
Entropy (8bit):	2.189166324444524
Encrypted:	false
SSDEEP:	192:gTL8LYyLPc0pOQdw6g6BrHClfun+2OSGWGkIg8ALuNYqwgtcR1xl6dA34+YwefC:CYcyLPqQ2tungSAkr8YPUcRMAtnj
MD5:	A466D250D967A4D483E9FC5B9E5F2D18
SHA1:	57D5B9A80D85E1519CCF285701F7DD8952B30271
SHA-256:	1CED8813F70BF6B42484C850D94E51F4B92F3A352D0AF6D031FC5E75F7B5F9D4
SHA-512:	FE37C5EBC94D395B59E61F349B3B107CBF13DA6BC84A089CA05CA956B077834839DBF674CE0F2EE75774851915F90D73E511BE430019FDC5B976F397F951AEC3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g................................................4..../..........`.......8...........T............$.........................................................................................................eJ..............GenuineIntel............T.......8....g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEE9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8304
Entropy (8bit):	3.6883964093160237
Encrypted:	false
SSDEEP:	192:R6l7wVeJ3r6In5he6YEOD6ngmf2bMprp89bUKsfVicm:R6lXJ76I546YEK6ngmf2bnUpfVY
MD5:	45C6D444A9733739DD879364162BF846
SHA1:	3F282A72C7B8B88FE36FB7FBD691E815B3270A21
SHA-256:	37FF350EEDC6D83BF5029A6F5DBDDAEBF77BD71C27A5CB3744ACE79B87E436A7
SHA-512:	60DC21337265C93B6AAD44592FB3A11EF8570BDA4DD408A435F46DDC437CE24D7F39D4CE57EC3290AB00B10B53FDE9DD5B1BB66B59798FFF3CFF5F0EF4870544
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF29.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.459152857574298
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg77aI9KlWpW8VYCYm8M4JxIA5FK+q8Yh1PA3YLdd:uIjfyI74U7VWJxIhhjPA3YLdd
MD5:	D69BD8918973F42C6006F5DD959DA293
SHA1:	FC3230055BC9C22FBA337F636459EBC5EBFC95C3
SHA-256:	41F7DD7F39CBFFB209E73DE57435EC2DDAB268BB0DB94B715AFA34054E142938
SHA-512:	9D0F51B7011DEF25DA4F73CC8FF5C5B7899A10CD854E41FB3B8EAE2A2B6BB394E0ECB97F02C37FF8BECF7D58E24789DC17BD0EDBA6EFA8C82448F19B67DD2E3D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="711852" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\furra.exe.log

Download File

Process:	C:\Users\user\Desktop\furra.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\LummaC2.exe

Download File

Process:	C:\Users\user\Desktop\furra.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328192
Entropy (8bit):	6.7838215637977495
Encrypted:	false
SSDEEP:	6144:a3VUD8LkbASEQJYMm+l0s0UddmR6ZPcF3tVOTjoBwS0vEA:auDYkbAtQJ30udEyPq3iTjo2Lr
MD5:	8DA89B163D506BE4A73B987517A1B9E4
SHA1:	2E110CF5160C511FA3D5843E890B8E9316754F34
SHA-256:	EA56E7F640355598346FA0B356699298314E25D809F3AA7CFCE1804A3D1964E5
SHA-512:	A85969BCDA0B31CAF0CEC79F45BEC068A498C7AC190FE17D7B7C03F88F5C91F5F6221FCC4FCB46604695D5B95E9047DFC1D2CF31207540C23E929FCCA08D14F5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....vg.................L..........0.............@.......................................@..................................~...............................p...<..................................................D................................text....K.......L.................. ..`.rdata...#...`...$...P..............@..@.data...\|........R...t..............@....reloc...<...p...<..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\start-this-724.exe

Download File

Process:	C:\Users\user\Desktop\furra.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8059016
Entropy (8bit):	5.8486070310145415
Encrypted:	false
SSDEEP:	49152:Bm1ddnDl/UOLUhzPvta13s564P0RmwcMsWLMUVIz1pPRif8QWchshbioKxbMhPyJ:Bm9DEzPIsA4ycTWIUuzXv1KMyz8+
MD5:	C411BEF822305589785B18BD83A3CB89
SHA1:	890B2BDD6E88A45192D3552879AFBED9955E9B8C
SHA-256:	B60B783764D2C193EEC80661E43A512FAD2FFC56A56EE1A190B6AAC0CAD33B8E
SHA-512:	B2503B11B0FFC28118C45490B6C7C148EA034D3FA82805FE4AA3F986DDD9C473DD1CC323AFA19CEA39319F75DEC5BF6E39BDC97FED4D9F4C7CEF48A55363D1A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(..M...z..2............M...@...........................{.....a.z...@... ...............................w..-....................z......0x..I..........................`.v.......................w. ............................text.....M.......M.................`..`.data....A....M..B....M.............@....rdata...!... b.."....b.............@..@.eh_framdM...Pw..N...(w.............@..@.bss.....1....w..........................idata...-....w......vw.............@....CRT....0.....x.......w.............@....tls......... x.......w.............@....reloc...I...0x..J....w.............@..B........................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468659351931986
Encrypted:	false
SSDEEP:	6144:1zZfpi6ceLPx9skLmb0fdZWSP3aJG8nAgeiJRMMhA2zX4WABluuN9jDH5S:NZHtdZWOKnMM6bFpXj4
MD5:	B86AD4447ABA04A25492988C760B9A66
SHA1:	BA20D5AD0B1203211EF077A10B7DA2C3D74A3B85
SHA-256:	A49964D33478C22B8F3B5D24E9CA4EAF17E71CF8B4362057320140932C082D92
SHA-512:	A5C1162A5A2358461FF8BE5F98D24CBECB7A7F3834CB4B4BBA6CD28056AEF0F3E4192CD52B6AE444A7E3EC93E36E885D9B9DF674155B385E530BC8930920E61E
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.u.SLz..............................................................................................................................................................................................................................................................................................................................................\e.g........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.913779677924732
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	furra.exe
File size:	8'397'824 bytes
MD5:	05f42a351356393179165a84086f8c07
SHA1:	71093fd05686d6202bf4144f94920deefe551f96
SHA256:	2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912
SHA512:	b6fe9334bbd7dcd55f9b997e502839dd8c26d058ada49a3b804d7e41ee335abb2ab4e5ab0974da5fed3532a0beb8ca9e57b1cb5e416a94803a52a5f4ba9d4c08
SSDEEP:	98304:s4IeiLEkjp/ABP9X6OmtVtNjgpiM+txC1xcTP8cY1JusPWBGu7oBCN7c4J+Rt+x9:s4tCpwJcY1JufL7oBH2IQxLLiU6
TLSH:	C086592D63326C9AF3D20764D564B5A597240B2A7C27CFF58A93056D8D20E39D0B83BF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.g.............................8... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xc038ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x678973C2 [Thu Jan 16 21:01:54 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x803894	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x804000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x806000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8018f4	0x801a00	6abe53f1352924e414c30c6a219633d5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x804000	0x4d8	0x600	067076876ab129a192c55e8517284108	False	0.3743489583333333	data	3.7174563596210497	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x806000	0xc	0x200	479d8ba52c1674b22eed7a9b6b0407ad	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\200"	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8040a0	0x244	data			0.4706896551724138
RT_MANIFEST	0x8042e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
FileDescription
FileVersion	1.0.0.0
InternalName	fulfil.exe
LegalCopyright
OriginalFilename	fulfil.exe
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Network Port Distribution

Total Packets: 25
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2025 18:10:12.894427061 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:12.894474030 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:12.894536018 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:12.897497892 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:12.897511959 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.589061022 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.642899990 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:13.645565987 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:13.645574093 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.647274017 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.647289991 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.647345066 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:13.649821997 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:13.649903059 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.664679050 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:13.664697886 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.705399036 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:13.769620895 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.769721031 CET	443	49709	3.230.67.98	192.168.2.6
Feb 8, 2025 18:10:13.769798994 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:13.782196999 CET	49709	443	192.168.2.6	3.230.67.98
Feb 8, 2025 18:10:13.782217026 CET	443	49709	3.230.67.98	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2025 18:10:12.875533104 CET	52447	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:12.875756025 CET	52447	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:12.882889986 CET	53	52447	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:12.893241882 CET	53	52447	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:14.965868950 CET	52450	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:14.965903997 CET	52450	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:14.976577044 CET	53	52450	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.114005089 CET	53	52450	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.255815983 CET	52451	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:15.255871058 CET	52451	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:15.265638113 CET	53	52451	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.265918970 CET	53	52451	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.383496046 CET	52452	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:15.383543015 CET	52452	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:15.392632961 CET	53	52452	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.392661095 CET	53	52452	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.508399010 CET	51524	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:15.508480072 CET	51524	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:15.691864967 CET	53	51524	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.692231894 CET	53	51524	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.805768013 CET	51525	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:15.805818081 CET	51525	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:15.815924883 CET	53	51525	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:15.946170092 CET	53	51525	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:16.055516958 CET	51526	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:16.055592060 CET	51526	53	192.168.2.6	1.1.1.1
Feb 8, 2025 18:10:16.231532097 CET	53	51526	1.1.1.1	192.168.2.6
Feb 8, 2025 18:10:16.231538057 CET	53	51526	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 8, 2025 18:10:12.875533104 CET	192.168.2.6	1.1.1.1	0x7a45	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:12.875756025 CET	192.168.2.6	1.1.1.1	0xca51	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Feb 8, 2025 18:10:14.965868950 CET	192.168.2.6	1.1.1.1	0x638a	Standard query (0)	home.twelveff20pn.top	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:14.965903997 CET	192.168.2.6	1.1.1.1	0xe378	Standard query (0)	home.twelveff20pn.top	28	IN (0x0001)	false
Feb 8, 2025 18:10:15.255815983 CET	192.168.2.6	1.1.1.1	0xa529	Standard query (0)	home.twelveff20pn.top	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.255871058 CET	192.168.2.6	1.1.1.1	0x2dde	Standard query (0)	home.twelveff20pn.top	28	IN (0x0001)	false
Feb 8, 2025 18:10:15.383496046 CET	192.168.2.6	1.1.1.1	0xd1c7	Standard query (0)	home.twelveff20pn.top	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.383543015 CET	192.168.2.6	1.1.1.1	0x2ce2	Standard query (0)	home.twelveff20pn.top	28	IN (0x0001)	false
Feb 8, 2025 18:10:15.508399010 CET	192.168.2.6	1.1.1.1	0xa8cd	Standard query (0)	home.twelveff20pn.top	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.508480072 CET	192.168.2.6	1.1.1.1	0x1a33	Standard query (0)	home.twelveff20pn.top	28	IN (0x0001)	false
Feb 8, 2025 18:10:15.805768013 CET	192.168.2.6	1.1.1.1	0xb753	Standard query (0)	home.twelveff20pn.top	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.805818081 CET	192.168.2.6	1.1.1.1	0xff24	Standard query (0)	home.twelveff20pn.top	28	IN (0x0001)	false
Feb 8, 2025 18:10:16.055516958 CET	192.168.2.6	1.1.1.1	0xd541	Standard query (0)	home.twelveff20pn.top	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:16.055592060 CET	192.168.2.6	1.1.1.1	0xdd94	Standard query (0)	home.twelveff20pn.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 8, 2025 18:10:12.893241882 CET	1.1.1.1	192.168.2.6	0x7a45	No error (0)	httpbin.org		3.230.67.98	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:12.893241882 CET	1.1.1.1	192.168.2.6	0x7a45	No error (0)	httpbin.org		3.211.25.71	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:14.976577044 CET	1.1.1.1	192.168.2.6	0x638a	Name error (3)	home.twelveff20pn.top	none	none	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.114005089 CET	1.1.1.1	192.168.2.6	0xe378	Name error (3)	home.twelveff20pn.top	none	none	28	IN (0x0001)	false
Feb 8, 2025 18:10:15.265638113 CET	1.1.1.1	192.168.2.6	0xa529	Name error (3)	home.twelveff20pn.top	none	none	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.265918970 CET	1.1.1.1	192.168.2.6	0x2dde	Name error (3)	home.twelveff20pn.top	none	none	28	IN (0x0001)	false
Feb 8, 2025 18:10:15.392632961 CET	1.1.1.1	192.168.2.6	0xd1c7	Name error (3)	home.twelveff20pn.top	none	none	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.392661095 CET	1.1.1.1	192.168.2.6	0x2ce2	Name error (3)	home.twelveff20pn.top	none	none	28	IN (0x0001)	false
Feb 8, 2025 18:10:15.691864967 CET	1.1.1.1	192.168.2.6	0x1a33	Name error (3)	home.twelveff20pn.top	none	none	28	IN (0x0001)	false
Feb 8, 2025 18:10:15.692231894 CET	1.1.1.1	192.168.2.6	0xa8cd	Name error (3)	home.twelveff20pn.top	none	none	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.815924883 CET	1.1.1.1	192.168.2.6	0xb753	Name error (3)	home.twelveff20pn.top	none	none	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:15.946170092 CET	1.1.1.1	192.168.2.6	0xff24	Name error (3)	home.twelveff20pn.top	none	none	28	IN (0x0001)	false
Feb 8, 2025 18:10:16.231532097 CET	1.1.1.1	192.168.2.6	0xd541	Name error (3)	home.twelveff20pn.top	none	none	A (IP address)	IN (0x0001)	false
Feb 8, 2025 18:10:16.231538057 CET	1.1.1.1	192.168.2.6	0xdd94	Name error (3)	home.twelveff20pn.top	none	none	28	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

Statistics

Click to jump to process

Target ID:	0
Start time:	12:10:11
Start date:	08/02/2025
Path:	C:\Users\user\Desktop\furra.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\furra.exe"
Imagebase:	0x910000
File size:	8'397'824 bytes
MD5 hash:	05F42A351356393179165A84086F8C07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:10:11
Start date:	08/02/2025
Path:	C:\Users\user\AppData\Local\Temp\LummaC2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Imagebase:	0xa30000
File size:	328'192 bytes
MD5 hash:	8DA89B163D506BE4A73B987517A1B9E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:10:12
Start date:	08/02/2025
Path:	C:\Users\user\AppData\Local\Temp\start-this-724.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\start-this-724.exe"
Imagebase:	0x3c0000
File size:	8'059'016 bytes
MD5 hash:	C411BEF822305589785B18BD83A3CB89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:10:16
Start date:	08/02/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 736
Imagebase:	0xf00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report furra.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Cryptbot

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_start-this-724.e_245f2eaf38eaf85c30a2655316b9977fa2110cc_29a692a1_08a799ef-260c-4fab-85f5-3641be7d2644\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE0E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEE9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF29.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\furra.exe.log

C:\Users\user\AppData\Local\Temp\LummaC2.exe

C:\Users\user\AppData\Local\Temp\start-this-724.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
furra.exe