| Source | Avira URL Cloud label |
|---|---|
| miracledzmnqwui.shop | phishing |
| stamppreewntnq.shop | phishing |
| https://traineiwnqo.shop/.% | malware |
| condedqpwqm.shop | phishing |
| https://traineiwnqo.shop/apim | malware |
| https://locatedblsoqp.shop/api | malware |
| https://traineiwnqo.shop/api | malware |
| https://traineiwnqo.shop/&% | malware |
| locatedblsoqp.shop | phishing |
| millyscroqwp.shop | malware |
| https://miracledzmnqwui.shop/api | malware |
| caffegclasiqwp.shop | malware |
| https://traineiwnqo.shop/ | malware |
| stagedchheiqwo.shop | phishing |
| traineiwnqo.shop | malware |
| Source | Malware Configuration Extractor |
|---|---|
| 3.2.RegAsm.exe.400000.0.raw.unpack | LummaC {"C2 url": ["condedqpwqm.shop", "stagedchheiqwo.shop", "stamppreewntnq.shop", "traineiwnqo.shop", "evoliutwoqm.shop", "locatedblsoqp.shop", "miracledzmnqwui.shop", "caffegclasiqwp.shop", "millyscroqwp.shop"], "Build id": "WpM2Co--SUSELL"} |

| Source | String decryptor |
|---|---|
| 3.2.RegAsm.exe.400000.0.raw.unpack | caffegclasiqwp.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | stamppreewntnq.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | stagedchheiqwo.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | millyscroqwp.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | evoliutwoqm.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | condedqpwqm.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | traineiwnqo.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | locatedblsoqp.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | miracledzmnqwui.shop |
| 3.2.RegAsm.exe.400000.0.raw.unpack | lid=%s&j=%s&ver=4.0 |
| 3.2.RegAsm.exe.400000.0.raw.unpack | TeslaBrowser/5.5 |
| 3.2.RegAsm.exe.400000.0.raw.unpack | - Screen Resoluton: |
| 3.2.RegAsm.exe.400000.0.raw.unpack | - Physical Installed Memory: |
| 3.2.RegAsm.exe.400000.0.raw.unpack | Workgroup: - |
| 3.2.RegAsm.exe.400000.0.raw.unpack | WpM2Co--SUSELL |
| Source | Suricata IDS SID | Severity | Signature | Flow |
|---|---|---|---|---|
| Network traffic | 2055483 | 1 | ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) | 192.168.2.7:50347 -> 1.1.1.1:53 |
| Network traffic | 2055377 | 1 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miracledzmnqwui .shop) | 192.168.2.7:57267 -> 1.1.1.1:53 |
| Network traffic | 2055479 | 1 | ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) | 192.168.2.7:64418 -> 1.1.1.1:53 |
| Network traffic | 2055493 | 1 | ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) | 192.168.2.7:49707 -> 188.114.97.3:443 |
| Network traffic | 2055489 | 1 | ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) | 192.168.2.7:49704 -> 188.114.97.3:443 |
| Network traffic | 2055378 | 1 | ET MALWARE Observed Lumma Stealer Related Domain (miracledzmnqwui .shop in TLS SNI) | 192.168.2.7:49703 -> 188.114.96.3:443 |
| Network traffic | 2055493 | 1 | ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) | 192.168.2.7:49705 -> 188.114.97.3:443 |
| Network traffic | 2049836 | 1 | ET MALWARE Lumma Stealer Related Activity | 192.168.2.7:49704 -> 188.114.97.3:443 |
| Network traffic | 2049836 | 1 | ET MALWARE Lumma Stealer Related Activity | 192.168.2.7:49705 -> 188.114.97.3:443 |
| Network traffic | 2054653 | 1 | ET MALWARE Lumma Stealer CnC Host Checkin | 192.168.2.7:49705 -> 188.114.97.3:443 |
| Network traffic | 2049836 | 1 | ET MALWARE Lumma Stealer Related Activity | 192.168.2.7:49703 -> 188.114.96.3:443 |
| Network traffic | 2054653 | 1 | ET MALWARE Lumma Stealer CnC Host Checkin | 192.168.2.7:49704 -> 188.114.97.3:443 |
| Network traffic | 2054653 | 1 | ET MALWARE Lumma Stealer CnC Host Checkin | 192.168.2.7:49703 -> 188.114.96.3:443 |