Windows Analysis Report
a7HdB2dU5P.exe

Overview

General Information

Sample name: a7HdB2dU5P.exe
renamed because original name is a hash value
Original sample name: ec5818decca5d6703e23c9db8a772997.exe
Analysis ID: 1519281
MD5: ec5818decca5d6703e23c9db8a772997
SHA1: daeca7f333cedb461891a3fa4be6a857df452b59
SHA256: 2da667c881a6b5f4b773c932bcbb6825fda5a85a38bfb51e06921cb88c353f3b
Tags: exeuser-abuse_ch
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://drawzhotdog.shop/api Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/api Avira URL Cloud: Label: malware
Source: stogeneratmns.shop Avira URL Cloud: Label: malware
Source: https://performenj.shop/vo Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/ Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: lootebarrkeyn.shop Avira URL Cloud: Label: malware
Source: reinforcenh.shop Avira URL Cloud: Label: malware
Source: https://performenj.shop/apiG Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/ Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://reinforcenh.shop/api2 Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/ Avira URL Cloud: Label: malware
Source: https://performenj.shop/ Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/Y Avira URL Cloud: Label: malware
Source: gutterydhowi.shop Avira URL Cloud: Label: malware
Source: fragnantbui.shop Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/api Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/api Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/apiD Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api Avira URL Cloud: Label: malware
Source: https://performenj.shop/G Avira URL Cloud: Label: malware
Source: offensivedzvju.shop Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Source: https://performenj.shop/api Avira URL Cloud: Label: malware
Source: drawzhotdog.shop Avira URL Cloud: Label: malware
Source: vozmeatillu.shop Avira URL Cloud: Label: malware
Found malware configuration
Source: 2.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["reinforcenh.shop", "offensivedzvju.shop", "fragnantbui.shop", "lootebarrkeyn.shop", "stogeneratmns.shop", "ghostreedmnu.shop", "drawzhotdog.shop", "vozmeatillu.shop", "gutterydhowi.shop"], "Build id": "FATE99--"}
Multi AV Scanner detection for submitted file
Source: a7HdB2dU5P.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Sample uses string decryption to hide its real strings
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: reinforcenh.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: stogeneratmns.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: fragnantbui.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: drawzhotdog.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: vozmeatillu.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: offensivedzvju.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: ghostreedmnu.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: gutterydhowi.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: lootebarrkeyn.shop
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: - Screen Resoluton:
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: - Physical Installed Memory:
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: Workgroup: -
Source: 2.2.RegAsm.exe.400000.0.unpack String decryptor: FATE99--
Uses 32bit PE files
Source: a7HdB2dU5P.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:58440 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58441 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58442 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58443 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.4:58444 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58445 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58446 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.4:58447 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:58448 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.4:58449 version: TLS 1.2
Source: a7HdB2dU5P.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 2_2_00447600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0044A7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+1Ch] 2_2_0040FEBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 2_2_0040EFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000120h] 2_2_0040EFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then push ebx 2_2_00415078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ecx, byte ptr [esp+34h] 2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 2_2_004450E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004340F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004340F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edi, byte ptr [eax+esi] 2_2_00407120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0042A274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], ax 2_2_0042A274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0040D2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0042A2F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], ax 2_2_0042A2F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 2_2_00442280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0042A345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], ax 2_2_0042A345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0042A345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 2_2_00431370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, eax 2_2_0040A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebp, eax 2_2_0040A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 2_2_0042C390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 2_2_0042C390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 2_2_00449390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_00449390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_00424490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 2_2_004204A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_004204A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, esi 2_2_0042D56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_0043B510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, esi 2_2_0042D58E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0042F5B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi] 2_2_004146B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 2_2_0040F7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edx], cl 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 2_2_0041A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp al, 2Eh 2_2_0042C891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 2_2_0042C891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 2_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 2_2_004489F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_00434A2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 2_2_00445AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi] 2_2_00413AE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, ecx 2_2_00413AE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 2_2_00413AE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 2_2_0042BB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp edx 2_2_00427B0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_00430BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 2_2_00448BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 2_2_0044AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 2_2_00404C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 2_2_00426CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then add edi, 02h 2_2_0041DD64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebx] 2_2_0041DD64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 2_2_00405D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_00434DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 2_2_00445D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 2_2_0044AD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_00449E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 2_2_00414E26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 2_2_00414E26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 2_2_00447EDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0044AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 2_2_0044AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_00426F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 2_2_0041CFF0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:52810 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:60842 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:53726 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056048 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) : 192.168.2.4:63148 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:60602 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:58445 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:58444 -> 104.21.58.182:443
Source: Network traffic Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:58446 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:58441 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:64598 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:53338 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:64447 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:58440 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:58442 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:55892 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:58443 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:58447 -> 104.21.77.130:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58449 -> 172.67.189.2:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58441 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58449 -> 172.67.189.2:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58441 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58447 -> 104.21.77.130:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58447 -> 104.21.77.130:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58440 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58440 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58443 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58443 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58442 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58442 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58444 -> 104.21.58.182:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58444 -> 104.21.58.182:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58445 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58445 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58446 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58446 -> 188.114.96.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: lootebarrkeyn.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.77.130 104.21.77.130
Source: Joe Sandbox View IP Address: 104.21.4.136 104.21.4.136
Source: Joe Sandbox View IP Address: 172.67.189.2 172.67.189.2
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: performenj.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: LRPC-e9c77b0923665da6f1.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: lootebarrkeyn.shop
Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: performenj.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawzhotdog.shop/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fragnantbui.shop/api
Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/api
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/G
Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/api
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/apiG
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/vo
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/
Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/api
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/api2
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/K
Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/x
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/api
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/apiD
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/Y
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 58443 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58440 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58447
Source: unknown Network traffic detected: HTTP traffic on port 58445 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58446 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58446
Source: unknown Network traffic detected: HTTP traffic on port 58441 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58444 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58449
Source: unknown Network traffic detected: HTTP traffic on port 58442 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58448
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58443
Source: unknown Network traffic detected: HTTP traffic on port 58448 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58442
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58445
Source: unknown Network traffic detected: HTTP traffic on port 58447 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58444
Source: unknown Network traffic detected: HTTP traffic on port 58449 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58441
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58440
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:58440 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58441 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58442 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58443 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.4:58444 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58445 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58446 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.4:58447 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:58448 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.4:58449 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00439000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00439000
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00439000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00439000

System Summary
barindex
.NET source code contains very large array initializations
Source: a7HdB2dU5P.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 364544
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00410480 2_2_00410480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00447600 2_2_00447600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FEBC 2_2_0040FEBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0044004B 2_2_0044004B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401000 2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0044B020 2_2_0044B020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004450E0 2_2_004450E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004340F5 2_2_004340F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004091F0 2_2_004091F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004012A7 2_2_004012A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042A345 2_2_0042A345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0044B300 2_2_0044B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040A3C0 2_2_0040A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042C390 2_2_0042C390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00449390 2_2_00449390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00407470 2_2_00407470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B470 2_2_0040B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E470 2_2_0040E470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00405400 2_2_00405400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00411420 2_2_00411420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042D56C 2_2_0042D56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042D58E 2_2_0042D58E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00437620 2_2_00437620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409737 2_2_00409737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00403790 2_2_00403790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004327B0 2_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042C891 2_2_0042C891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00449970 2_2_00449970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409A02 2_2_00409A02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00445AD0 2_2_00445AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00449B60 2_2_00449B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042BB00 2_2_0042BB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00427B0F 2_2_00427B0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00438C00 2_2_00438C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0043FD0E 2_2_0043FD0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00449E60 2_2_00449E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00407E70 2_2_00407E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00447EDE 2_2_00447EDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042DEF8 2_2_0042DEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0043EF50 2_2_0043EF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040AFD0 2_2_0040AFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042DFE0 2_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BF80 2_2_0040BF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00448F80 2_2_00448F80
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040CAD0 appears 52 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040ED80 appears 194 times
Sample file is different than original file name gathered from version info
Source: a7HdB2dU5P.exe, 00000000.00000002.1693049512.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs a7HdB2dU5P.exe
Source: a7HdB2dU5P.exe, 00000000.00000000.1678966871.000000000062E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVQP.exe< vs a7HdB2dU5P.exe
Source: a7HdB2dU5P.exe Binary or memory string: OriginalFilenameVQP.exe< vs a7HdB2dU5P.exe
Uses 32bit PE files
Source: a7HdB2dU5P.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: a7HdB2dU5P.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/2@11/7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004381AA CoCreateInstance, 2_2_004381AA
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a7HdB2dU5P.exe.log Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: a7HdB2dU5P.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: a7HdB2dU5P.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: a7HdB2dU5P.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\a7HdB2dU5P.exe "C:\Users\user\Desktop\a7HdB2dU5P.exe"
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: a7HdB2dU5P.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: a7HdB2dU5P.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: a7HdB2dU5P.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00437333 push 04EC839Eh; mov dword ptr [esp], edi 2_2_0043733A
Source: a7HdB2dU5P.exe Static PE information: section name: .text entropy: 7.995621110986315
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory allocated: C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory allocated: 28C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory allocated: 48C0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe TID: 6544 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5968 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001265000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00447560 LdrInitializeThunk, 2_2_00447560
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Code function: 0_2_028C2145 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_028C2145
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: lootebarrkeyn.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000 Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000 Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000 Jump to behavior
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F4E008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\a7HdB2dU5P.exe Queries volume information: C:\Users\user\Desktop\a7HdB2dU5P.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519281 Sample: a7HdB2dU5P.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 18 vozmeatillu.shop 2->18 20 stogeneratmns.shop 2->20 22 9 other IPs or domains 2->22 30 Suricata IDS alerts for network traffic 2->30 32 Found malware configuration 2->32 34 Antivirus detection for URL or domain 2->34 36 6 other signatures 2->36 7 a7HdB2dU5P.exe 2 2->7         started        signatures3 process4 file5 16 C:\Users\user\AppData\...\a7HdB2dU5P.exe.log, CSV 7->16 dropped 38 Contains functionality to inject code into remote processes 7->38 40 Writes to foreign memory regions 7->40 42 Allocates memory in foreign processes 7->42 44 2 other signatures 7->44 11 RegAsm.exe 7->11         started        14 conhost.exe 7->14         started        signatures6 process7 dnsIp8 24 gutterydhowi.shop 104.21.4.136, 443, 58440 CLOUDFLARENETUS United States 11->24 26 drawzhotdog.shop 104.21.58.182, 443, 58444 CLOUDFLARENETUS United States 11->26 28 5 other IPs or domains 11->28
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.77.130
 reinforcenh.shop United States
13335 CLOUDFLARENETUS true
104.21.4.136
 gutterydhowi.shop United States
13335 CLOUDFLARENETUS true
172.67.189.2
 performenj.shop United States
13335 CLOUDFLARENETUS true
188.114.97.3
 fragnantbui.shop European Union
13335 CLOUDFLARENETUS true
188.114.96.3
 offensivedzvju.shop European Union
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
104.21.58.182
 drawzhotdog.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
fragnantbui.shop 188.114.97.3 true
performenj.shop 172.67.189.2 true
gutterydhowi.shop 104.21.4.136 true
steamcommunity.com 104.102.49.254 true
offensivedzvju.shop 188.114.96.3 true
stogeneratmns.shop 188.114.96.3 true
reinforcenh.shop 104.21.77.130 true
drawzhotdog.shop 104.21.58.182 true
ghostreedmnu.shop 188.114.97.3 true
vozmeatillu.shop 188.114.96.3 true
lootebarrkeyn.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://drawzhotdog.shop/api true
  • Avira URL Cloud: malware
 unknown
lootebarrkeyn.shop true
  • Avira URL Cloud: malware
 unknown
https://gutterydhowi.shop/api true
  • Avira URL Cloud: malware
 unknown
reinforcenh.shop true
  • Avira URL Cloud: malware
 unknown
stogeneratmns.shop true
  • Avira URL Cloud: malware
 unknown
https://reinforcenh.shop/api true
  • Avira URL Cloud: malware
 unknown
ghostreedmnu.shop true
  • Avira URL Cloud: malware
 unknown
https://steamcommunity.com/profiles/76561199724331900 true
  • URL Reputation: malware
 unknown
https://vozmeatillu.shop/api true
  • Avira URL Cloud: malware
 unknown
https://stogeneratmns.shop/api true
  • Avira URL Cloud: malware
 unknown
https://ghostreedmnu.shop/api true
  • Avira URL Cloud: malware
 unknown
fragnantbui.shop true
  • Avira URL Cloud: malware
 unknown
gutterydhowi.shop true
  • Avira URL Cloud: malware
 unknown
https://offensivedzvju.shop/api true
  • Avira URL Cloud: malware
 unknown
https://fragnantbui.shop/api true
  • Avira URL Cloud: malware
 unknown
offensivedzvju.shop true
  • Avira URL Cloud: malware
 unknown
drawzhotdog.shop true
  • Avira URL Cloud: malware
 unknown
https://performenj.shop/api true
  • Avira URL Cloud: malware
 unknown
vozmeatillu.shop true
  • Avira URL Cloud: malware
 unknown