Windows Analysis Report
l5u4ezxr.u51.exe

Overview

General Information

Sample name: l5u4ezxr.u51.exe
Analysis ID: 1502257
MD5: 5bd0ec56270d24c40aa16d7fa73f2538
SHA1: 43f9fd5ae32c851b806f501e20e2747b9f831bbe
SHA256: 7dae9ea6af1af34b4f423f1fb3e3004f35cfd00781a05fcad1b2714160eb0ac8
Tags: exe
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: locatedblsoqp.shop URL Reputation: Label: phishing
Source: locatedblsoqp.shop URL Reputation: Label: phishing
Source: traineiwnqo.shop URL Reputation: Label: malware
Source: traineiwnqo.shop URL Reputation: Label: malware
Source: condedqpwqm.shop URL Reputation: Label: phishing
Source: caffegclasiqwp.shop URL Reputation: Label: malware
Source: millyscroqwp.shop URL Reputation: Label: malware
Source: stagedchheiqwo.shop URL Reputation: Label: phishing
Source: https://locatedblsoqp.shop/api URL Reputation: Label: malware
Source: stamppreewntnq.shop URL Reputation: Label: phishing
Source: https://tenseddrywsqio.shop/api Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/api_ Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/6 Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/api Avira URL Cloud: Label: malware
Source: https://locatedblsoqp.shop/ Avira URL Cloud: Label: phishing
Source: https://traineiwnqo.shop/apibul Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/fXx Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/apiK Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/. Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop:443/apii Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 1.2.BitLockerToGo.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["stamppreewntnq.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", "tenseddrywsqio.shop", "millyscroqwp.shop", "traineiwnqo.shop", "condedqpwqm.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop"], "Build id": "LPnhqo--nlczjrpfwadf"}
Multi AV Scanner detection for domain / URL
Source: tenseddrywsqio.shop Virustotal: Detection: 14% Perma Link
Source: tenseddrywsqio.shop Virustotal: Detection: 14% Perma Link
Source: https://tenseddrywsqio.shop/api Virustotal: Detection: 16% Perma Link
Source: https://traineiwnqo.shop/api Virustotal: Detection: 21% Perma Link
Source: https://locatedblsoqp.shop/ Virustotal: Detection: 16% Perma Link
Source: https://traineiwnqo.shop:443/apii Virustotal: Detection: 11% Perma Link
Source: https://traineiwnqo.shop/ Virustotal: Detection: 19% Perma Link
Source: https://traineiwnqo.shop/. Virustotal: Detection: 19% Perma Link
Multi AV Scanner detection for submitted file
Source: l5u4ezxr.u51.exe Virustotal: Detection: 21% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: caffegclasiqwp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: stamppreewntnq.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: stagedchheiqwo.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: millyscroqwp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: evoliutwoqm.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: condedqpwqm.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: traineiwnqo.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: locatedblsoqp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: tenseddrywsqio.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: caffegclasiqwp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: stamppreewntnq.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: stagedchheiqwo.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: millyscroqwp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: evoliutwoqm.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: condedqpwqm.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: traineiwnqo.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: locatedblsoqp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: tenseddrywsqio.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: caffegclasiqwp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: stamppreewntnq.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: stagedchheiqwo.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: millyscroqwp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: evoliutwoqm.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: condedqpwqm.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: traineiwnqo.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: locatedblsoqp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: tenseddrywsqio.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: caffegclasiqwp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: stamppreewntnq.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: stagedchheiqwo.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: millyscroqwp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: evoliutwoqm.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: condedqpwqm.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: traineiwnqo.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: locatedblsoqp.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: tenseddrywsqio.shop
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String decryptor: LPnhqo--nlczjrpfwadf
Uses 32bit PE files
Source: l5u4ezxr.u51.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.69.149:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: l5u4ezxr.u51.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1755794344.00000000027CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1755794344.00000000027CD000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_004321F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_004323E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00419040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [ecx+esi*2] 1_2_0042D070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 1_2_00434030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000280h] 1_2_0040D0D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_004208E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax], dl 1_2_0040D978
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 1_2_00434110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 1_2_00434110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [edx+eax-01h] 1_2_004089F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [ebx], 00000022h 1_2_00420980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [ebx] 1_2_00435990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00413A4A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add edi, 02h 1_2_00413A4A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 1_2_0041FACE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_0041FACE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 1_2_00435280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 1_2_00403290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp] 1_2_004312A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+1Ch] 1_2_0040B310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], cx 1_2_0041BB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [ecx] 1_2_0041BB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, dword ptr [esp+40h] 1_2_0041BB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, 00008000h 1_2_004043C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 84AA3BD1h 1_2_004353C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_0043238A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [ebp-1Ch] 1_2_00433BA8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 1_2_00433C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 1_2_00434450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 1_2_004324BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 1_2_00429540
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [ebp-1Ch] 1_2_004335D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 1_2_00418DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_0040FDEB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebp, eax 1_2_0041EDFE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 1_2_00433D90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esi+08h], eax 1_2_004235B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_004235B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], dl 1_2_004235B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 1_2_0042F6F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 1_2_00431E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 1_2_00433F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 1_2_00412F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp cl, 0000002Eh 1_2_0041D752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ecx], al 1_2_00414770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 1_2_00412FA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+000000B0h] 1_2_0040F7AA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea ebx, dword ptr [esp+08h] 1_2_0041F7B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 1_2_004197B7

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.4:65410 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.4:64510 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.69.149:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.69.149:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: stamppreewntnq.shop
Source: Malware configuration extractor URLs: stagedchheiqwo.shop
Source: Malware configuration extractor URLs: locatedblsoqp.shop
Source: Malware configuration extractor URLs: tenseddrywsqio.shop
Source: Malware configuration extractor URLs: millyscroqwp.shop
Source: Malware configuration extractor URLs: traineiwnqo.shop
Source: Malware configuration extractor URLs: condedqpwqm.shop
Source: Malware configuration extractor URLs: caffegclasiqwp.shop
Source: Malware configuration extractor URLs: evoliutwoqm.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tenseddrywsqio.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locatedblsoqp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traineiwnqo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=3xk4E.2nDymKStRO43vRDjy22JgE06_vJkNrLPyvrcg-1725131410-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: traineiwnqo.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: tenseddrywsqio.shop
Source: global traffic DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic DNS traffic detected: DNS query: traineiwnqo.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tenseddrywsqio.shop
Source: l5u4ezxr.u51.exe String found in binary or memory: https://api.loganalytics.iohttps://api.loganalytics.usencountered
Source: l5u4ezxr.u51.exe String found in binary or memory: https://datalake.azure.net/https://graph.microsoft.us/servicebus.chinacloudapi.cndocuments.microsoft
Source: l5u4ezxr.u51.exe String found in binary or memory: https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.n
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://locatedblsoqp.shop/
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://locatedblsoqp.shop/6
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://locatedblsoqp.shop/api
Source: l5u4ezxr.u51.exe String found in binary or memory: https://login.microsoftonline.com/METRIC_AZURERM_API_REQUEST_BUCKETSlabel
Source: l5u4ezxr.u51.exe String found in binary or memory: https://management.azure.comfailed
Source: l5u4ezxr.u51.exe String found in binary or memory: https://ossrdbms-aad.database.chinacloudapi.cned25519:
Source: BitLockerToGo.exe, 00000001.00000003.1768083504.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tenseddrywsqio.shop/M
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/.
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/api
Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/apiK
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/api_
Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/apibul
Source: BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/fXx
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop:443/apii
Source: l5u4ezxr.u51.exe String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comNtQuerySystemInformationAllo
Source: l5u4ezxr.u51.exe String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: BitLockerToGo.exe, 00000001.00000003.1785814274.0000000002871000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.0000000002850000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.0000000002870000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.21.69.149:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004292F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_004292F0
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004292F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_004292F0
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00421460 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 1_2_00421460

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1761754559.0000000002786000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: Process Memory Space: l5u4ezxr.u51.exe PID: 6528, type: MEMORYSTR Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004321F0 1_2_004321F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040C223 1_2_0040C223
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004323E3 1_2_004323E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042D702 1_2_0042D702
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00404000 1_2_00404000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041F011 1_2_0041F011
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00434030 1_2_00434030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042C890 1_2_0042C890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040D978 1_2_0040D978
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040B900 1_2_0040B900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00434110 1_2_00434110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004061F0 1_2_004061F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004089F0 1_2_004089F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00420980 1_2_00420980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00435990 1_2_00435990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00413A4A 1_2_00413A4A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040E20B 1_2_0040E20B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041CA10 1_2_0041CA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00419A1F 1_2_00419A1F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00407A30 1_2_00407A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00401AD5 1_2_00401AD5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041D290 1_2_0041D290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041BB22 1_2_0041BB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041A330 1_2_0041A330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004043C0 1_2_004043C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004353C0 1_2_004353C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043238A 1_2_0043238A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00433BA8 1_2_00433BA8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00433C40 1_2_00433C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00434450 1_2_00434450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00402410 1_2_00402410
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00414420 1_2_00414420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00411CDA 1_2_00411CDA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004324BC 1_2_004324BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041AD70 1_2_0041AD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004335D2 1_2_004335D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00404DE0 1_2_00404DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041EDFE 1_2_0041EDFE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00433D90 1_2_00433D90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004235B0 1_2_004235B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00420E60 1_2_00420E60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040FE01 1_2_0040FE01
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00401618 1_2_00401618
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00406ED0 1_2_00406ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00407EE0 1_2_00407EE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00431E80 1_2_00431E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004096A0 1_2_004096A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004356B0 1_2_004356B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00433F40 1_2_00433F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041D752 1_2_0041D752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040CF60 1_2_0040CF60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00414770 1_2_00414770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00431710 1_2_00431710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00405780 1_2_00405780
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 00409CD0 appears 87 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 004093E0 appears 38 times
Sample file is different than original file name gathered from version info
Source: l5u4ezxr.u51.exe, 00000000.00000002.1759379021.00000000015E4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLauncher!.exe pP vs l5u4ezxr.u51.exe
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs l5u4ezxr.u51.exe
Source: l5u4ezxr.u51.exe Binary or memory string: OriginalFilenameLauncher!.exe pP vs l5u4ezxr.u51.exe
Uses 32bit PE files
Source: l5u4ezxr.u51.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.1761754559.0000000002786000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: Process Memory Space: l5u4ezxr.u51.exe PID: 6528, type: MEMORYSTR Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@3/2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042D5B9 CoCreateInstance,SysAllocString, 1_2_0042D5B9
Source: l5u4ezxr.u51.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: l5u4ezxr.u51.exe Virustotal: Detection: 21%
Source: l5u4ezxr.u51.exe String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine unixpacket(BADINDEX)%!(NOVERB)complex128ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtra12207031256103515625ParseFloatt.Kind == RIPEMD-160SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1IP addressPOSTALCODEexecerrdotSYSTEMROOTChannel %spick_first:authoritygrpc.Recv.grpc.Sent."INTERNAL"OutOfRangeConnectionlocal-addrRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%dset-cookieuser-agentkeep-aliveconnectionequivalentHost: %s
Source: l5u4ezxr.u51.exe String found in binary or memory: ... omitting SubConn(id:%d)"OUT_OF_RANGE"ALREADY_EXISTSContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eof{$} not at endempty wildcardparsing %q: %wunknown error unknown code: Not Acceptable.WithoutCancel.WithDeadline(reserved_rangefield_presence> closed by </\.+*?()|[]{}^$bad record MAC.in-addr.arpa.unknown mode: key is invalidheap_sys_bytesRequestTimeoutRequestExpiredzero parametervault.azure.cnGetSystemTimesControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWnot a PNG filemime/multipart%s Channel #%dgrpc-trace-bintoo_many_pingsunknown ID: %vAuthInfo: '%s'show_sensitiveAccept-CharsetDkim-Signatureneed more dataREQUEST_METHODNOT_ENOUGH_FOOprotobuf errorInstEmptyWidthprefix length not an ip:portinvalid PrefixRCodeNameErrorResourceHeaderresourceGroups" out of rangeadd_dir_headerStaticProvidercloud.adc-e.ukcsp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4Europe (Milan)Europe (Spain)Europe (Paris)US East (Ohio)fips-ca-west-1fips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2ca-west-1-fipsus-east-1-fipsus-east-2-fipsus-west-1-fipsus-west-2-fipsamplifybackendapi.ecr-publicbackup-gatewayclouddirectorycloudformationlocalhost:8000edge.sagemakerfips-ap-east-1fips-eu-west-1fips-eu-west-2fips-eu-west-3fips-sa-east-1emr-containersemr-serverlessprod-ca-west-1prod-us-east-1prod-us-east-2prod-us-west-1prod-us-west-2identity-chimeiotthingsgraphapi-ap-south-1data-eu-west-1data-us-east-1data-us-west-2kendra-rankingap-east-1-fipseu-west-1-fipseu-west-2-fipseu-west-3-fipssa-east-1-fipslookoutmetricsmediapackagev2meetings-chimenetworkmanagerroute53domainsruntime-v2-lexsecretsmanagerserverlessreposervicecatalogsimspaceweaverstoragegatewayworkspaces-webcn-northwest-1api-cn-north-1aws-iso-globalus-isob-east-1eu-isoe-west-1^cn\-\w+\-\d+$dtls fatal: %vRecordOverflowBadCertificateCLICOLOR_FORCEinvalid kind: formnovalidate$htmltemplate_ /* %s */null MessageOptionsServiceOptionsprotobuf_oneofXXX_OneofFuncsXXX_extensionsLOGGER_UNKNOWNReservedRangesfailed to castunknown node: ApplyFunction;DifferentialD;DoubleLeftTee;DoubleUpArrow;LeftTeeVector;LeftVectorBar;LessFullEqual;LongLeftArrow;Longleftarrow;NotTildeEqual;NotTildeTilde;Poincareplane;PrecedesEqual;PrecedesTilde;RightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SucceedsEqual;SucceedsTilde;SupersetEqual;UpEquilibrium;VerticalTilde;VeryThinSpace;bigtriangleup;blacktriangle;divideontimes;fallingdotseq;hookleftarrow;leftarrowtail;leftharpoonup;longleftarrow;looparrowleft;measuredangle;ntriangleleft;shortparallel;smallsetminus;triangleright;upharpoonleft;NotEqualTilde;varsubsetneqq;varsupsetneqq;len of type %soffline_accessdocument startseque
Source: l5u4ezxr.u51.exe String found in binary or memory: extension %v does not implement protoreflect.ExtensionTypeDescriptorexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vinvalid relocation information. Base Relocation SizeOfBlock too largereflect: embedded interface with unexported method(s) not implementedhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)%s matches more methods than %s, but has a more specific path pattern%s matches fewer methods than %s, but has a more general path patterntls: peer doesn't support the certificate custom signature algorithmstls: handshake message of length %d bytes exceeds maximum of %d bytes%w: %q has %d variable labels named %q but %d values %q were providedrpc.Register: method %q has %d input parameters; needs exactly three
Source: l5u4ezxr.u51.exe String found in binary or memory: Estimated total CPU time spent performing GC tasks on processors (as defined by GOMAXPROCS) dedicated to those tasks. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent running user Go code. This may also include some small amount of time spent in the Go runtime. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time goroutines spent performing GC tasks to assist the GC and prevent it from falling behind the application. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent returning unused memory to the underlying platform in response eagerly in response to memory pressure. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent performing tasks that return unused memory to the underlying platform. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes/scavenge.Count of small allocations that are packed together into blocks. These allocations are counted separately from other allocations because each individual allocation is not tracked by the runtime, only their block. Each block is already accounted for in allocs-by-size and frees-by-size.Approximate cumulative time goroutines have spent blocked on a sync.Mutex, sync.RWMutex, or runtime-internal lock. This metric is useful for identifying global changes in lock contention. Collect a mutex or block profile using the runtime/pprof package for more detailed contention data.Estimated total available CPU time not spent executing any Go or Go runtime code. In other words, the part of /cpu/classes/total:cpu-seconds that was unused. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subse
Source: l5u4ezxr.u51.exe String found in binary or memory: Estimated total CPU time spent performing GC tasks on processors (as defined by GOMAXPROCS) dedicated to those tasks. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent running user Go code. This may also include some small amount of time spent in the Go runtime. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time goroutines spent performing GC tasks to assist the GC and prevent it from falling behind the application. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent returning unused memory to the underlying platform in response eagerly in response to memory pressure. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent performing tasks that return unused memory to the underlying platform. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes/scavenge.Count of small allocations that are packed together into blocks. These allocations are counted separately from other allocations because each individual allocation is not tracked by the runtime, only their block. Each block is already accounted for in allocs-by-size and frees-by-size.Approximate cumulative time goroutines have spent blocked on a sync.Mutex, sync.RWMutex, or runtime-internal lock. This metric is useful for identifying global changes in lock contention. Collect a mutex or block profile using the runtime/pprof package for more detailed contention data.Estimated total available CPU time not spent executing any Go or Go runtime code. In other words, the part of /cpu/classes/total:cpu-seconds that was unused. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subse
Source: l5u4ezxr.u51.exe String found in binary or memory: net/addrselect.go
Source: l5u4ezxr.u51.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: l5u4ezxr.u51.exe String found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe File read: C:\Users\user\Desktop\l5u4ezxr.u51.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\l5u4ezxr.u51.exe "C:\Users\user\Desktop\l5u4ezxr.u51.exe"
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: l5u4ezxr.u51.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: l5u4ezxr.u51.exe Static file information: File size 17182720 > 1048576
Source: l5u4ezxr.u51.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x71b200
Source: l5u4ezxr.u51.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x852800
Source: l5u4ezxr.u51.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1755794344.00000000027CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.000000000274C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1755794344.00000000027CD000.00000004.00000020.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: l5u4ezxr.u51.exe Static PE information: section name: .symtab
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00439B1C push edx; retf 0040h 1_2_00439B1D
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6892 Thread sleep time: -60000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1768083504.00000000027FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: l5u4ezxr.u51.exe, 00000000.00000002.1759588608.0000000001C2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: BitLockerToGo.exe, 00000001.00000003.1786075321.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1768083504.00000000027FD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1797722828.00000000027CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042E070 LdrInitializeThunk, 1_2_0042E070

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: caffegclasiqwp.shop
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stamppreewntnq.shop
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stagedchheiqwo.shop
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: millyscroqwp.shop
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: evoliutwoqm.shop
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condedqpwqm.shop
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: traineiwnqo.shop
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: locatedblsoqp.shop
Source: l5u4ezxr.u51.exe, 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tenseddrywsqio.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 225008 Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 436000 Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 439000 Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Queries volume information: C:\Users\user\Desktop\l5u4ezxr.u51.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\l5u4ezxr.u51.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1759655913.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1759655913.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1797583721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1761754559.0000000002496000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1502257 Sample: l5u4ezxr.u51.exe Startdate: 31/08/2024 Architecture: WINDOWS Score: 100 13 traineiwnqo.shop 2->13 15 tenseddrywsqio.shop 2->15 17 locatedblsoqp.shop 2->17 23 Multi AV Scanner detection for domain / URL 2->23 25 Suricata IDS alerts for network traffic 2->25 27 Found malware configuration 2->27 29 7 other signatures 2->29 7 l5u4ezxr.u51.exe 2->7         started        signatures3 process4 signatures5 31 Writes to foreign memory regions 7->31 33 Allocates memory in foreign processes 7->33 35 Injects a PE file into a foreign processes 7->35 37 LummaC encrypted strings found 7->37 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 19 tenseddrywsqio.shop 104.21.69.149, 443, 49730 CLOUDFLARENETUS United States 10->19 21 traineiwnqo.shop 188.114.96.3, 443, 49731, 49732 CLOUDFLARENETUS European Union 10->21
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 locatedblsoqp.shop European Union
13335 CLOUDFLARENETUS true
104.21.69.149
 tenseddrywsqio.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
locatedblsoqp.shop 188.114.96.3 true
tenseddrywsqio.shop 104.21.69.149 true
traineiwnqo.shop 188.114.96.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
tenseddrywsqio.shop true
  • 15%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
condedqpwqm.shop true
  • URL Reputation: phishing
 unknown
https://tenseddrywsqio.shop/api true
  • 17%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
locatedblsoqp.shop true
    		unknown
    caffegclasiqwp.shop true
    • URL Reputation: malware
    		 unknown
    millyscroqwp.shop true
    • URL Reputation: malware
    		 unknown
    stagedchheiqwo.shop true
    • URL Reputation: phishing
    		 unknown
    https://locatedblsoqp.shop/api true
    • URL Reputation: malware
    		 unknown
    https://traineiwnqo.shop/api true
    • 22%, Virustotal, Browse
    • Avira URL Cloud: malware
    		 unknown
    stamppreewntnq.shop true
    • URL Reputation: phishing
    		 unknown
    evoliutwoqm.shop true
    • URL Reputation: safe
    		 unknown
    traineiwnqo.shop true
      		unknown