Windows Analysis Report
0Subtitle Edit.exe

Overview

General Information

Sample name: 0Subtitle Edit.exe
Analysis ID: 1501216
MD5: c304e6d97f3a59f101484c104132c434
SHA1: 02eefa0d5e5578406c37d9088be34c844349df01
SHA256: 2380b9a91c92ba2ab097f7237294d9235970ea3054bd16c7b5aabcbec9c44322
Tags: exelummalummarcLummaStealerWingo
Infos:

Detection

LummaC
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://locatedblsoqp.shop/api Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/ Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/api Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/0z Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/8 Avira URL Cloud: Label: malware
Source: https://separateedmsqj.shop/api Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/W Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: 0Subtitle Edit.exe ReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses 32bit PE files
Source: 0Subtitle Edit.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: 0Subtitle Edit.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: 0Subtitle Edit.exe, 00000000.00000002.2283833733.0000000002EE4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: 0Subtitle Edit.exe, 00000000.00000002.2283833733.0000000002EE4000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 2_2_00433DD2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov al, 01h 2_2_00435E33
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 2_2_00435E33
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov al, 01h 2_2_00435EF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 2_2_00435EF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov al, 01h 2_2_004367B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 2_2_004367B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ecx], 625B6034h 2_2_00412054
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 2_2_00421030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 2_2_00438830
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 2_2_004110C7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 2_2_0040F11C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 2_2_0040F11C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ebx 2_2_004071F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_00419A40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+20h] 2_2_0041DA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0041DA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 2_2_0040F20D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ecx], al 2_2_00414AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 2_2_00414AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], dl 2_2_004272F1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_00420A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 2_2_00437280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 2_2_00438280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp dword ptr [0043FE64h] 2_2_0041EA8C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0041AA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx esi, byte ptr [ebp+00h] 2_2_00437AA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push edi 2_2_00420333
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 2_2_0040EBD3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 2_2_004133F7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edx], 77A9E0C4h 2_2_00438430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 2_2_004214E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [ebp-7Ch] 2_2_0041B4F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 2_2_0041049E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp al, 2Eh 2_2_0041DCB7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0040AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_0042AD20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 2_2_00434650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 2_2_00432650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 2_2_00413600
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0041D620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 2_2_00436622
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp] 2_2_00437690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ecx], 625B6034h 2_2_004127CF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 2_2_004197E0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.6:50099 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.6:49209 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49716 -> 188.114.96.3:443
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: separateedmsqj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locatedblsoqp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traineiwnqo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=XRu95sVNoGkSeHaTLKe6ecZVkq6cnlTXtPLV4r8Wmas-1724938823-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 76Host: traineiwnqo.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: separateedmsqj.shop
Source: global traffic DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic DNS traffic detected: DNS query: traineiwnqo.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: separateedmsqj.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.0
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.1
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://earth.google.com/kml/2.2
Source: 0Subtitle Edit.exe String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.00000000028F4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml/3.2
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/gml/3.3/exr
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.opengis.net/kml/2.2
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002886000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://locatedblsoqp.shop/
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://locatedblsoqp.shop/0z
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://locatedblsoqp.shop/W
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://locatedblsoqp.shop/api
Source: 0Subtitle Edit.exe String found in binary or memory: https://login.microsoftonline.us/crypto/aes:
Source: BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://separateedmsqj.shop/api
Source: BitLockerToGo.exe, 00000002.00000002.2319746932.000000000285E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://separateedmsqj.shop/x86
Source: BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/
Source: BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/8
Source: BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/api
Source: BitLockerToGo.exe, 00000002.00000003.2308315335.000000000287F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.000000000285E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308293210.00000000028D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000002.00000003.2308315335.000000000287F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308293210.00000000028D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/ddos/glossary/malware/
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042AAD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_0042AAD0
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042AAD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_0042AAD0

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2283833733.0000000002F1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040C926 2_2_0040C926
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00435EF8 2_2_00435EF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041F840 2_2_0041F840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00407870 2_2_00407870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040F02D 2_2_0040F02D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00421030 2_2_00421030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042F940 2_2_0042F940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00437130 2_2_00437130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004041D0 2_2_004041D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004059E0 2_2_004059E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004071F0 2_2_004071F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041DA50 2_2_0041DA50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00425A69 2_2_00425A69
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040F20D 2_2_0040F20D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00402A20 2_2_00402A20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00436AED 2_2_00436AED
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00414AF0 2_2_00414AF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00437280 2_2_00437280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040D286 2_2_0040D286
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041AA90 2_2_0041AA90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00437AA2 2_2_00437AA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00426343 2_2_00426343
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00430BD0 2_2_00430BD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00438C40 2_2_00438C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00426C28 2_2_00426C28
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004304D0 2_2_004304D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041B4F6 2_2_0041B4F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004064A0 2_2_004064A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041DCB7 2_2_0041DCB7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041CD59 2_2_0041CD59
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00404570 2_2_00404570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041F5DB 2_2_0041F5DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00437590 2_2_00437590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004245A0 2_2_004245A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040DDAC 2_2_0040DDAC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040D620 2_2_0040D620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041D620 2_2_0041D620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00401E3A 2_2_00401E3A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00401EE5 2_2_00401EE5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041EEFB 2_2_0041EEFB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00437690 2_2_00437690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00413EA7 2_2_00413EA7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00408F70 2_2_00408F70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00438F30 2_2_00438F30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00404FD0 2_2_00404FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00419FFF 2_2_00419FFF
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 00409A30 appears 49 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 00417E90 appears 136 times
Sample file is different than original file name gathered from version info
Source: 0Subtitle Edit.exe, 00000000.00000002.2281871181.0000000001BBD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs 0Subtitle Edit.exe
Source: 0Subtitle Edit.exe, 00000000.00000002.2283833733.0000000002EE4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs 0Subtitle Edit.exe
Source: 0Subtitle Edit.exe Binary or memory string: OriginalFileName vs 0Subtitle Edit.exe
Uses 32bit PE files
Source: 0Subtitle Edit.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.2283833733.0000000002F1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0Subtitle Edit.exe Binary string: expected '/' for commentinvalid field number: %dmismatching enum lengths\Device\NamedPipe\cygwinunknown compression typecould not resolve %q: %vgoogle.protobuf.DurationMESSAGE_ENCODING_UNKNOWNSouth Sudan Standard TimeUS Mountain Standard TimeMiddle East Standard TimeTransbaikal Standard TimeW. Mongolia Standard TimeAfghanistan Standard TimeNorth Korea Standard TimeUlaanbaatar Standard TimeVladivostok Standard TimeAUS Central Standard TimeAUS Eastern Standard TimeKaliningrad Standard TimeNew Zealand Standard Time2006-01-02T15:04:05Z07:00number of sections is 10+LPSAFEARRAY_UserUnmarshalGetRecordInfoFromTypeInfoarray index out of bounds!#$%&'()-@^_`{}~+,.;=[]\/ARM Thumb-2 little endianMIPS little-endian WCE v2Chinese (Simplified) (zh)Mongolian (Cyrillic) (mn)Bangla Bangladesh (bn-BD)Bosnian (Latin) (bs-Latn)Central Kurdish (ku-Arab)Dari Afghanistan (prs-AF)Dutch Netherlands (nl-NL)English Australia (en-AU)English Hong Kong (en-HK)English Singapore (en-SG)French Caribbean (fr-029)French Congo, Drc (fr-CD)French Luxembourg (fr-LU)German Luxembourg (de-LU)Hungarian Hungary (hu-HU)Icelandic Iceland (is-IS)Kazakh Kazakhstan (kk-KZ)Kyrgyz Kyrgyzstan (ky-KG)Maori New Zealand (mi-NZ)Mapudungun Chile (arn-CL)Portuguese Brazil (pt-BR)Serbian (Latin) (sr-Latn)Setswana Botswana (tn-BW)Sinhala Sri Lanka (si-LK)Spanish Argentina (es-AR)Spanish Guatemala (es-GT)Spanish Nicaragua (es-NI)Tigrinya Ethiopia (ti-ET)Ukrainian Ukraine (uk-UA)Zulu South Africa (zu-ZA)` Contents are null-bytesresource deadlock avoidedoperation now in progressno buffer space availableno such device or addresssocket type not supportedinvalid cross-device linkGetFinalPathNameByHandleWGetQueuedCompletionStatusUpdateProcThreadAttributegoroutine profile cleanupchansend: spurious wakeupruntime
Source: classification engine Classification label: mal92.evad.winEXE@3/0@3/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00428637 CoCreateInstance, 2_2_00428637
Source: 0Subtitle Edit.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 0Subtitle Edit.exe ReversingLabs: Detection: 34%
Source: 0Subtitle Edit.exe String found in binary or memory: [38;5;%dmconsistsofconsistsOfissubsetofisSubsetOfBeforeEachAfterSuiteNode (End) for type but have impossibleUser-AgentConnectionlocal-addrimage/webpimage/jpegaudio/aiffaudio/mpegaudio/midiaudio/wavevideo/webmfont/woff2RST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookieuser-agentkeep-aliveconnectionequivalentHost: %s
Source: 0Subtitle Edit.exe String found in binary or memory: ... omitting .WithDeadline(\.+*?()|[]{}^$X-User-DefinedCLICOLOR_FORCE~/.bash_logout~/.kube/configJustBeforeEach> closed by </RequestTimeoutRequestExpiredContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=Laxaccept-charsetcontent-length{$} not at endempty wildcardparsing %q: %wNot Acceptable.in-addr.arpa.unknown mode: bad record MACControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWprefix length not an ip:portinvalid Prefixmime/multipartzero parameterformnovalidate$htmltemplate_ /* %s */null missing quotesObjectItem: %s%04d-%02d-%02d%02d:%02d:%02ddocument startsequence startlen of type %sInstEmptyWidth" out of rangeApplyFunction;DifferentialD;DoubleLeftTee;DoubleUpArrow;LeftTeeVector;LeftVectorBar;LessFullEqual;LongLeftArrow;Longleftarrow;NotTildeEqual;NotTildeTilde;Poincareplane;PrecedesEqual;PrecedesTilde;RightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SucceedsEqual;SucceedsTilde;SupersetEqual;UpEquilibrium;VerticalTilde;VeryThinSpace;bigtriangleup;blacktriangle;divideontimes;fallingdotseq;hookleftarrow;leftarrowtail;leftharpoonup;longleftarrow;looparrowleft;measuredangle;ntriangleleft;shortparallel;smallsetminus;triangleright;upharpoonleft;NotEqualTilde;varsubsetneqq;varsupsetneqq;^[a-zA-Z0-9]+$^[0-9a-f]{32}$^[0-9a-f]{64}$^[0-9a-f]{96}$^[0-9a-f]{40}$^[0-9a-f]{48}$eq_ignore_casene_ignore_caseEC PRIVATE KEYSubConn(id:%d)grpc-go/1.65.0"OUT_OF_RANGE"ALREADY_EXISTSAccept-CharsetDkim-Signatureneed more dataREQUEST_METHODRCodeNameErrorResourceHeaderunknown node: expected 'inf'expected 'nan'reserved_rangefield_presenceimage/x-ms-bmpaudio/musepackaudio/vnd.wavevideo/x-ms-asfvideo/x-ms-wmvimage/vnd.djvuplugin startedunknown ID: %vhealth_service%s Channel #%dgrpc-trace-bintoo_many_pingsAuthInfo: '%s'show_sensitivecloud.adc-e.ukcsp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4Europe (Milan)Europe (Spain)Europe (Paris)US East (Ohio)fips-ca-west-1fips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2ca-west-1-fipsus-east-1-fipsus-east-2-fipsus-west-1-fipsus-west-2-fipsamplifybackendapi.ecr-publicbackup-gatewayclouddirectorycloudformationlocalhost:8000edge.sagemakerfips-ap-east-1fips-eu-west-1fips-eu-west-2fips-eu-west-3fips-sa-east-1emr-containersemr-serverlessprod-ca-west-1prod-us-east-1prod-us-east-2prod-us-west-1prod-us-west-2identity-chimeiotthingsgraphapi-ap-south-1data-eu-west-1data-us-east-1data-us-west-2kendra-rankingap-east-1-fipseu-west-1-fipseu-west-2-fipseu-west-3-fipssa-east-1-fipslookoutmetricsmediapackagev2meetings-chimenetworkmanagerroute53domainsruntime-v2-lexsecretsmanagerserverlessreposervicecatalogsimspaceweaverstoragegatewayworkspaces-webcn-northwest-1api-cn-north-1aws-iso-globalus-isob-east-1eu-isoe-west-1^cn\-
Source: 0Subtitle Edit.exe String found in binary or memory: [0m[%04d]%s %-44s GetConsoleScreenBufferInfoFillConsoleOutputAttributeencountered a cycle via %snet/http: request canceledhttp: invalid cookie valueduplicate pseudo-header %qhttp2: Framer %p: wrote %vframe_windowupdate_bad_lenframe_priority_zero_streamduplicate wildcard name %qliterals differ: %q and %qmalformed HTTP status codeHTTP Version Not Supportedcannot marshal DNS messageunexpected type in connecttoo many colons in addressAs4 called on IPv6 addressSRV header name is invalidunclosed criterion bracketcriterion lacks equal signbad certificate hash valueECDSA verification failureGetSecurityDescriptorGroupGetSecurityDescriptorOwnerNotifyServiceStatusChangeWSetSecurityDescriptorGroupSetSecurityDescriptorOwnerCertFindCertificateInStoreFindFirstVolumeMountPointWFindNextChangeNotificationGetProcessWorkingSetSizeExGetSystemWindowsDirectoryWQueryFullProcessImageNameWSetProcessWorkingSetSizeExRtlNtStatusToDosErrorNoTebSetupDiBuildDriverInfoListprefix length out of rangeecdsa: invalid private keyed25519: bad seed length: invalid port %q after hostcryptobyte: internal error_html_template_attrescaper_html_template_htmlescapertemplate escaped correctlyno templates in name spaceinvalid date-time timezoneunknown line break settingfound undefined tag handlewhile parsing a block nodeinvalid character sequencewhile scanning a directiveinvalid value; expected %sexpected integer; found %sexpected complex; found %stoo many slice indexes: %dnon-function %s of type %snon-comparable type %s: %vgob: local interface type hexcolor|rgb|rgba|hsl|hsla^[-+]?[0-9]+(?:\.[0-9]+)?$^(9694[1-4])([ \-]\d{4})?$iso3166_1_alpha_numeric_euBad field name provided %stimeout waiting for acceptccBalancerWrapper: closingparsed dial target is: %#vHealth checking failed: %vid (%v) <= evictCount (%v)malformed chunked encodingsegment prefix is reservedchacha20: wrong nonce sizechacha20: counter overflowunterminated quoted stringunexpected . after term %qinline table is incompleteapplication/x-ms-installerapplication/vnd.ms-outlookapplication/x-unix-archiveapplication/vnd.adobe.xfdfurn:ietf:params:scim:%s:%sduplicate stream initiatedthe connection is drainingtransport closed by clientmalformed grpc-timeout: %vrequest is done processingDrain() is not implementedgrpc-previous-rpc-attemptsGRPC_GO_LOG_SEVERITY_LEVEL2006/01/02 15:04:05.000000appmesh.af-south-1.api.awsappmesh.ap-south-1.api.awsappmesh.eu-north-1.api.awsappmesh.eu-south-1.api.awsappmesh.me-south-1.api.awsbedrock-runtime-ap-south-1ce.us-east-1.amazonaws.comdatazone.ap-east-1.api.awsdatazone.ca-west-1.api.awsdatazone.eu-west-1.api.awsdatazone.eu-west-2.api.awsdatazone.eu-west-3.api.awsdatazone.sa-east-1.api.awsdatazone.us-east-1.api.awsdatazone.us-east-2.api.awsdatazone.us-west-1.api.awsdatazone.us-west-2.api.awseks-auth.ap-east-1.api.awseks-auth.ca-west-1.api.awseks-auth.eu-west-1.api.awseks-auth.eu-west-2.api.awseks-auth.eu-west-3.api.awseks-auth.sa-east-1.api.awseks-auth.us-east-1.api.awseks-auth.us-east-2.api.awseks-auth.us-west-1
Source: 0Subtitle Edit.exe String found in binary or memory: google/protobuf/field_mask.prototimestamp (%v) before 0001-01-01timeseries: bad level argument: could not parse value for %v: %qinvalid escape code %q in stringrelease of handle with refcount 0Image base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %sbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListhttps://login.microsoftonline.us/crypto/aes: output not full blockskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangesync: RUnlock of unlocked RWMutexwaiting for unsupported file type142108547152020037174224853515625710542735760100185871124267578125encoding: missing byte order markreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length crypto: requested hash function #x509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesindefinite length found (not DER)struct contains unexported fieldsError: Logrus exit handler error:pseudo header field after regularhttp: invalid Read on closed Bodyapplication/x-www-form-urlencodedinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vhttp: multiple registrations for unsupported transfer encoding: %qgo package net: confVal.netCgo = tls: failed to write to key log: tls: invalid server finished hashtls: invalid client finished hashtls: unexpected ServerKeyExchangetls: unknown public key algorithmCryptAcquireCertificatePrivateKeySetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWGODEBUG: no value specified for "unaligned 64-bit atomic operationSigEd25519 no Ed25519 collisions
Source: 0Subtitle Edit.exe String found in binary or memory: google/protobuf/field_mask.prototimestamp (%v) before 0001-01-01timeseries: bad level argument: could not parse value for %v: %qinvalid escape code %q in stringrelease of handle with refcount 0Image base beyond allowed addressThunk AddressOfData beyond limitsCentral Kurdish Iraq (ku-Arab-IQ)Norwegian (Bokmal) Norway (nb-NO)could not find signer certificateinvalid VS_VERSION_INFO block. %sbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whencetoo many levels of symbolic linksInitializeProcThreadAttributeListhttps://login.microsoftonline.us/crypto/aes: output not full blockskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]runtime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangesync: RUnlock of unlocked RWMutexwaiting for unsupported file type142108547152020037174224853515625710542735760100185871124267578125encoding: missing byte order markreflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length crypto: requested hash function #x509: invalid RSA public exponentx509: SAN rfc822Name is malformedx509: invalid extended key usagesindefinite length found (not DER)struct contains unexported fieldsError: Logrus exit handler error:pseudo header field after regularhttp: invalid Read on closed Bodyapplication/x-www-form-urlencodedinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vhttp: multiple registrations for unsupported transfer encoding: %qgo package net: confVal.netCgo = tls: failed to write to key log: tls: invalid server finished hashtls: invalid client finished hashtls: unexpected ServerKeyExchangetls: unknown public key algorithmCryptAcquireCertificatePrivateKeySetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWGODEBUG: no value specified for "unaligned 64-bit atomic operationSigEd25519 no Ed25519 collisions
Source: 0Subtitle Edit.exe String found in binary or memory: net/addrselect.go
Source: 0Subtitle Edit.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: 0Subtitle Edit.exe String found in binary or memory: github.com/magiconair/properties@v1.8.7/load.go
Source: 0Subtitle Edit.exe String found in binary or memory: google.golang.org/grpc@v1.65.0/internal/balancerload/load.go
Source: 0Subtitle Edit.exe String found in binary or memory: github.com/hashicorp/go-plugin@v1.6.1/internal/cmdrunner/addr_translator.go
Source: 0Subtitle Edit.exe String found in binary or memory: github.com/hashicorp/yamux@v0.1.1/addr.go
Source: C:\Users\user\Desktop\0Subtitle Edit.exe File read: C:\Users\user\Desktop\0Subtitle Edit.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\0Subtitle Edit.exe "C:\Users\user\Desktop\0Subtitle Edit.exe"
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: 0Subtitle Edit.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 0Subtitle Edit.exe Static file information: File size 18028032 > 1048576
Source: 0Subtitle Edit.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x795000
Source: 0Subtitle Edit.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x8aa000
Source: 0Subtitle Edit.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: 0Subtitle Edit.exe, 00000000.00000002.2283833733.0000000002EE4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: 0Subtitle Edit.exe, 00000000.00000002.2283833733.0000000002EE4000.00000004.00001000.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: 0Subtitle Edit.exe Static PE information: section name: .symtab
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043D928 push cs; retn 0040h 2_2_0043D929
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004226DE push ebp; ret 2_2_004226E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043F790 push edx; iretd 2_2_0043F791
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043F7A0 pushad ; iretd 2_2_0043F7A9
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4036 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: BitLockerToGo.exe, 00000002.00000003.2301570044.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002847000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2319746932.0000000002883000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2308315335.0000000002883000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 0Subtitle Edit.exe, 00000000.00000002.2282162764.000000000228D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Checks if the current process is being debugged
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00435DA0 LdrInitializeThunk, 2_2_00435DA0

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: caffegclasiqwp.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stamppreewntnq.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stagedchheiqwo.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: millyscroqwp.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: evoliutwoqm.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condedqpwqm.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: traineiwnqo.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: locatedblsoqp.shop
Source: 0Subtitle Edit.exe, 00000000.00000002.2282605862.0000000002B96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: separateedmsqj.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 24F008 Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43A000 Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43D000 Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44D000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Queries volume information: C:\Users\user\Desktop\0Subtitle Edit.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0Subtitle Edit.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501216 Sample: 0Subtitle Edit.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 92 13 traineiwnqo.shop 2->13 15 separateedmsqj.shop 2->15 17 locatedblsoqp.shop 2->17 21 Suricata IDS alerts for network traffic 2->21 23 Malicious sample detected (through community Yara rule) 2->23 25 Antivirus detection for URL or domain 2->25 27 2 other signatures 2->27 7 0Subtitle Edit.exe 2->7         started        signatures3 process4 signatures5 29 Writes to foreign memory regions 7->29 31 Allocates memory in foreign processes 7->31 33 Injects a PE file into a foreign processes 7->33 35 LummaC encrypted strings found 7->35 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 19 traineiwnqo.shop 188.114.96.3, 443, 49713, 49714 CLOUDFLARENETUS European Union 10->19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 separateedmsqj.shop European Union
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
separateedmsqj.shop 188.114.96.3 true
locatedblsoqp.shop 188.114.96.3 true
traineiwnqo.shop 188.114.96.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://locatedblsoqp.shop/api true
  • Avira URL Cloud: malware
 unknown
https://traineiwnqo.shop/api true
  • Avira URL Cloud: malware
 unknown
https://separateedmsqj.shop/api true
  • Avira URL Cloud: malware
 unknown