Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Analysis ID: 1502490
MD5: 4b85d1518b4edc2239da008e3a91a323
SHA1: bf33b8db7b6a40aff7f8a171e6d6169b2dac73fb
SHA256: 3266bf53273feea7374264865066f706462ea323d8c26cba051cfcbefc1fcb80
Tags: exe
Infos:

Detection

LummaC, Go Injector, LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://interactiedovspm.shop/T Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/h Avira URL Cloud: Label: malware
Source: weiggheticulop.shop Avira URL Cloud: Label: malware
Source: https://drinnkysoapmzv.shop/p Avira URL Cloud: Label: phishing
Source: deicedosmzj.shop Avira URL Cloud: Label: malware
Source: cagedwifedsozm.shop Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/api) Avira URL Cloud: Label: malware
Source: consciousourwi.shop Avira URL Cloud: Label: malware
Source: potentioallykeos.shop Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/api Avira URL Cloud: Label: malware
Source: https://interactiedovspm.shop/api Avira URL Cloud: Label: malware
Source: https://potentioallykeos.shop/ Avira URL Cloud: Label: malware
Source: https://drinnkysoapmzv.shop/api Avira URL Cloud: Label: phishing
Source: southedhiscuso.shop Avira URL Cloud: Label: malware
Source: interactiedovspm.shop Avira URL Cloud: Label: malware
Source: https://interactiedovspm.shop/ Avira URL Cloud: Label: malware
Source: https://drinnkysoapmzv.shop/ Avira URL Cloud: Label: phishing
Source: drinnkysoapmzv.shop Avira URL Cloud: Label: phishing
Source: https://potentioallykeos.shop/api9 Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["consciousourwi.shop", "drinnkysoapmzv.shop", "cagedwifedsozm.shop", "weiggheticulop.shop", "interactiedovspm.shop", "potentioallykeos.shop", "charecteristicdxp.shop", "southedhiscuso.shop", "deicedosmzj.shop"], "Build id": "QWQBVm--Nueva1"}
Multi AV Scanner detection for domain / URL
Source: interactiedovspm.shop Virustotal: Detection: 20% Perma Link
Source: charecteristicdxp.shop Virustotal: Detection: 20% Perma Link
Source: drinnkysoapmzv.shop Virustotal: Detection: 19% Perma Link
Source: potentioallykeos.shop Virustotal: Detection: 20% Perma Link
Source: https://potentioallykeos.shop/h Virustotal: Detection: 11% Perma Link
Source: weiggheticulop.shop Virustotal: Detection: 19% Perma Link
Source: cagedwifedsozm.shop Virustotal: Detection: 21% Perma Link
Source: deicedosmzj.shop Virustotal: Detection: 21% Perma Link
Source: consciousourwi.shop Virustotal: Detection: 21% Perma Link
Source: https://interactiedovspm.shop/api Virustotal: Detection: 21% Perma Link
Source: potentioallykeos.shop Virustotal: Detection: 20% Perma Link
Source: https://drinnkysoapmzv.shop/api Virustotal: Detection: 15% Perma Link
Source: https://potentioallykeos.shop/api Virustotal: Detection: 21% Perma Link
Source: interactiedovspm.shop Virustotal: Detection: 20% Perma Link
Source: southedhiscuso.shop Virustotal: Detection: 20% Perma Link
Source: drinnkysoapmzv.shop Virustotal: Detection: 19% Perma Link
Source: https://drinnkysoapmzv.shop/ Virustotal: Detection: 16% Perma Link
Source: https://interactiedovspm.shop/ Virustotal: Detection: 20% Perma Link
Source: https://potentioallykeos.shop/ Virustotal: Detection: 19% Perma Link
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Virustotal: Detection: 67% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.6% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: weiggheticulop.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: consciousourwi.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: southedhiscuso.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: deicedosmzj.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: cagedwifedsozm.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: charecteristicdxp.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: interactiedovspm.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: potentioallykeos.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: drinnkysoapmzv.shop
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp String decryptor: QWQBVm--Nueva1
Source: unknown HTTPS traffic detected: 172.67.174.127:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.161.217:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.84.50:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.84.50:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2619863522.000000000323D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2619863522.000000000323D000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 4_2_02FAAB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi] 4_2_02FD269E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_02FD4D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi] 4_2_02FC02C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h 4_2_02FBB2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [esp+48h] 4_2_02FBB2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ecx], al 4_2_02FB4A9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ecx], al 4_2_02FB4A9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02FAE28D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 4_2_02FB3240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+50h] 4_2_02FB4208
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 4_2_02FB3BE1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], A3C1F363h 4_2_02FB2BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+18h] 4_2_02FB2BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02FAFBA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+ebx], 0000h 4_2_02FB7B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 4_2_02FB58E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h 4_2_02FB408C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h 4_2_02FB408C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_02FD3870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, edx 4_2_02FD3870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h 4_2_02FC01EF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 4_2_02FB39D9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push esi 4_2_02FB49C3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02FB0185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02FB0185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_02FB0185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h 4_2_02FB9160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h 4_2_02FAE93D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+00000A88h] 4_2_02FBB120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h 4_2_02FAE110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_02FD4EF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp edx 4_2_02FB9EEE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [edi+eax] 4_2_02FBF662
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [ecx] 4_2_02FBEE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 4_2_02FBEE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h 4_2_02FBEE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+18h] 4_2_02FB179D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, edx 4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h 4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [esi+04h] 4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 4_2_02FC1720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ecx 4_2_02FB24DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_02FB24DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 4_2_02FB24DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], A3C1F363h 4_2_02FB2BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+18h] 4_2_02FB2BBF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi] 4_2_02FBAC79
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, edx 4_2_02FD3C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 4_2_02FC1420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+08h] 4_2_02FA95E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 4_2_02FA35E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 4_2_02FCADC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 4_2_02FCF5B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h 4_2_02FBF592
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], cl 4_2_02FC258B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+70h] 4_2_02FC258B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi+25h] 4_2_02FA4D80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, edx 4_2_02FD3D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_02FA9D20

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2055301 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop) : 192.168.2.5:52293 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055294 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) : 192.168.2.5:49714 -> 104.21.84.50:443
Source: Network traffic Suricata IDS: 2055299 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop) : 192.168.2.5:56479 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055300 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (interactiedovspm .shop in TLS SNI) : 192.168.2.5:49713 -> 172.67.161.217:443
Source: Network traffic Suricata IDS: 2055364 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (drinnkysoapmzv .shop) : 192.168.2.5:49712 -> 172.67.174.127:443
Source: Network traffic Suricata IDS: 2055361 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (drinnkysoapmzv .shop) : 192.168.2.5:58033 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055293 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop) : 192.168.2.5:49572 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055294 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (charecteristicdxp .shop in TLS SNI) : 192.168.2.5:49715 -> 104.21.84.50:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49715 -> 104.21.84.50:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49712 -> 172.67.174.127:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49715 -> 104.21.84.50:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49712 -> 172.67.174.127:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49714 -> 104.21.84.50:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49714 -> 104.21.84.50:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49713 -> 172.67.161.217:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49713 -> 172.67.161.217:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: consciousourwi.shop
Source: Malware configuration extractor URLs: drinnkysoapmzv.shop
Source: Malware configuration extractor URLs: cagedwifedsozm.shop
Source: Malware configuration extractor URLs: weiggheticulop.shop
Source: Malware configuration extractor URLs: interactiedovspm.shop
Source: Malware configuration extractor URLs: potentioallykeos.shop
Source: Malware configuration extractor URLs: charecteristicdxp.shop
Source: Malware configuration extractor URLs: southedhiscuso.shop
Source: Malware configuration extractor URLs: deicedosmzj.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.161.217 172.67.161.217
Source: Joe Sandbox View IP Address: 104.21.84.50 104.21.84.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drinnkysoapmzv.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: interactiedovspm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: charecteristicdxp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=Aiq6LY3fReQR5MfaD5shs0Qt6Wr7W4V4x_sb5i2pGE4-1725222298-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: charecteristicdxp.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drinnkysoapmzv.shop
Source: global traffic DNS traffic detected: DNS query: potentioallykeos.shop
Source: global traffic DNS traffic detected: DNS query: interactiedovspm.shop
Source: global traffic DNS traffic detected: DNS query: charecteristicdxp.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drinnkysoapmzv.shop
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://charecteristicdxp.shop/
Source: BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://charecteristicdxp.shop/C
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2658742837.000000000326D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2656023005.000000000326C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://charecteristicdxp.shop/api
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://charecteristicdxp.shop/apiz
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://charecteristicdxp.shop/h
Source: BitLockerToGo.exe, 00000004.00000003.2630757931.000000000326D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drinnkysoapmzv.shop/
Source: BitLockerToGo.exe, 00000004.00000002.2658639500.000000000323B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drinnkysoapmzv.shop/api
Source: BitLockerToGo.exe, 00000004.00000002.2658639500.000000000323B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drinnkysoapmzv.shop/p
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe String found in binary or memory: https://github.com/quic-go/quic-go/wiki/Logging11579208921035624876269744694940757353008614341529031
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://interactiedovspm.shop/
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://interactiedovspm.shop/T
Source: BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potentioallykeos.shop/
Source: BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potentioallykeos.shop/api
Source: BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potentioallykeos.shop/api)
Source: BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potentioallykeos.shop/api9
Source: BitLockerToGo.exe, 00000004.00000003.2630820171.0000000003299000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630757931.0000000003299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://potentioallykeos.shop/h
Source: BitLockerToGo.exe, 00000004.00000003.2656060688.000000000324F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000004.00000003.2656060688.000000000324F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 172.67.174.127:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.161.217:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.84.50:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.84.50:443 -> 192.168.2.5:49715 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FC8B80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_02FC8B80
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FC8B80 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_02FC8B80
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FC9443 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 4_2_02FC9443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAC28C 4_2_02FAC28C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD2A34 4_2_02FD2A34
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAA380 4_2_02FAA380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAAB40 4_2_02FAAB40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD21B0 4_2_02FD21B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FCD120 4_2_02FCD120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD269E 4_2_02FD269E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FACC60 4_2_02FACC60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD32F5 4_2_02FD32F5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBDAF0 4_2_02FBDAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FC2AEA 4_2_02FC2AEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FCDAC0 4_2_02FCDAC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBB2A0 4_2_02FBB2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB4A9D 4_2_02FB4A9D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FCCA70 4_2_02FCCA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FC0A6F 4_2_02FC0A6F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB121A 4_2_02FB121A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA6A10 4_2_02FA6A10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBC3E8 4_2_02FBC3E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB43E7 4_2_02FB43E7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD5BD0 4_2_02FD5BD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA43C0 4_2_02FA43C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAFBA2 4_2_02FAFBA2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAE370 4_2_02FAE370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FACB00 4_2_02FACB00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB20BA 4_2_02FB20BA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB60A0 4_2_02FB60A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA9890 4_2_02FA9890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD5880 4_2_02FD5880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD3870 4_2_02FD3870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA8050 4_2_02FA8050
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBD00A 4_2_02FBD00A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD51F0 4_2_02FD51F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBE1E7 4_2_02FBE1E7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FCC1A7 4_2_02FCC1A7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB999E 4_2_02FB999E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB0185 4_2_02FB0185
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAE93D 4_2_02FAE93D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA3920 4_2_02FA3920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD4120 4_2_02FD4120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAE110 4_2_02FAE110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD16F0 4_2_02FD16F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB9EEE 4_2_02FB9EEE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD36E0 4_2_02FD36E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBF662 4_2_02FBF662
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD3E40 4_2_02FD3E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA1E30 4_2_02FA1E30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBEE18 4_2_02FBEE18
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA5770 4_2_02FA5770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FCD750 4_2_02FCD750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBFF44 4_2_02FBFF44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FB24DE 4_2_02FB24DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAC4D0 4_2_02FAC4D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FCCCD0 4_2_02FCCCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA6480 4_2_02FA6480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD3C30 4_2_02FD3C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBD410 4_2_02FBD410
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FAB5AF 4_2_02FAB5AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FCDD90 4_2_02FCDD90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FC258B 4_2_02FC258B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA4D80 4_2_02FA4D80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FBA574 4_2_02FBA574
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD3D40 4_2_02FD3D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD5540 4_2_02FD5540
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FA9D20 4_2_02FA9D20
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02FA9360 appears 76 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02FA8A40 appears 43 times
One or more processes crash
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1440
PE file contains more sections than normal
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: Number of sections : 12 > 10
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe
Yara signature match
Source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/0@4/3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FC73A0 CoCreateInstance, 4_2_02FC73A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe File created: C:\Users\Public\Libraries\dmdcp.scif Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Mutant created: \Sessions\1\BaseNamedObjects\donutfatshitlatte
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d2712346-7ece-4761-b076-126ffccf67ef Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe File opened: C:\Windows\system32\fa016e40584e3cd2cd8c0732909d2e74fdfa90a8e1a2991c24474f6ae0628f28AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Virustotal: Detection: 67%
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe String found in binary or memory: net/addrselect.go
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe String found in binary or memory: LwNOrAxUVY/load.go
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static file information: File size 5181952 > 1048576
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x210400
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x268c00
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2619863522.000000000323D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000534000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2621834022.000000C000476000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2606479076.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2619863522.000000000323D000.00000004.00000020.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6764 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: BitLockerToGo.exe, 00000004.00000003.2630757931.000000000328B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWE
Source: BitLockerToGo.exe, 00000004.00000003.2630757931.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2658742837.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2655980514.000000000328B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.2658639500.000000000323B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.2630820171.000000000328B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000002.2622238549.000001FC68088000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhhM
Source: BitLockerToGo.exe, 00000004.00000003.2630820171.000000000328B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02FD2610 LdrInitializeThunk, 4_2_02FD2610

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2FA0000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2FA0000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: weiggheticulop.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: consciousourwi.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: southedhiscuso.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: deicedosmzj.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: cagedwifedsozm.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: charecteristicdxp.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: interactiedovspm.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: potentioallykeos.shop
Source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drinnkysoapmzv.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2FA0000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 31E5008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Go Injector
Source: Yara match File source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, type: SAMPLE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2622890654.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2030347840.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe PID: 6220, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BitLockerToGo.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BitLockerToGo.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2583891127.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621055667.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621834022.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621055667.000000C000304000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Go Injector
Source: Yara match File source: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe, type: SAMPLE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.7ff698a90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2622890654.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2030347840.00007FF698CEA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe PID: 6220, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BitLockerToGo.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.BitLockerToGo.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.1fc6d540000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c000304000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe.c0001ba000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2619684127.000001FC6D540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2583891127.000001FC6D590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621055667.000000C0001BA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621834022.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621055667.000000C000346000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2658597275.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621055667.000000C000304000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2621055667.000000C000280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1502490 Sample: SecuriteInfo.com.Win64.Malw... Startdate: 01/09/2024 Architecture: WINDOWS Score: 100 16 potentioallykeos.shop 2->16 18 interactiedovspm.shop 2->18 20 2 other IPs or domains 2->20 28 Multi AV Scanner detection for domain / URL 2->28 30 Suricata IDS alerts for network traffic 2->30 32 Found malware configuration 2->32 34 9 other signatures 2->34 8 SecuriteInfo.com.Win64.Malware-gen.24437.6720.exe 2 2->8         started        signatures3 process4 signatures5 36 Writes to foreign memory regions 8->36 38 Allocates memory in foreign processes 8->38 40 Injects a PE file into a foreign processes 8->40 42 LummaC encrypted strings found 8->42 11 BitLockerToGo.exe 8->11         started        process6 dnsIp7 22 charecteristicdxp.shop 104.21.84.50, 443, 49714, 49715 CLOUDFLARENETUS United States 11->22 24 interactiedovspm.shop 172.67.161.217, 443, 49713 CLOUDFLARENETUS United States 11->24 26 drinnkysoapmzv.shop 172.67.174.127, 443, 49712 CLOUDFLARENETUS United States 11->26 14 WerFault.exe 2 11->14         started        process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.161.217
 interactiedovspm.shop United States
13335 CLOUDFLARENETUS true
172.67.174.127
 drinnkysoapmzv.shop United States
13335 CLOUDFLARENETUS true
104.21.84.50
 charecteristicdxp.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
interactiedovspm.shop 172.67.161.217 true
charecteristicdxp.shop 104.21.84.50 true
drinnkysoapmzv.shop 172.67.174.127 true
potentioallykeos.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
weiggheticulop.shop true
  • 20%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
deicedosmzj.shop true
  • 22%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
cagedwifedsozm.shop true
  • 22%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
consciousourwi.shop true
  • 22%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
potentioallykeos.shop true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://interactiedovspm.shop/api true
  • 22%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://drinnkysoapmzv.shop/api true
  • 16%, Virustotal, Browse
  • Avira URL Cloud: phishing
 unknown
southedhiscuso.shop true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
interactiedovspm.shop true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
drinnkysoapmzv.shop true
  • 20%, Virustotal, Browse
  • Avira URL Cloud: phishing
 unknown