Windows Analysis Report
3ZD5tEC5DH.exe

Overview

General Information

Sample name: 3ZD5tEC5DH.exe
renamed because original name is a hash value
Original sample name: 149131a90f99225e6c7e28a06164dd9a.exe
Analysis ID: 1519286
MD5: 149131a90f99225e6c7e28a06164dd9a
SHA1: f9d0e7ae3bed79498bf4da92c0ef9568d4e5595e
SHA256: 6b176bab868dc372496ab3c6ce97518d276c17143f77ae15c992970c1efdf21f
Tags: exeuser-abuse_ch
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Source: lootebarrkeyn.shop Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api Avira URL Cloud: Label: malware
Source: stogeneratmns.shop Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/api Avira URL Cloud: Label: malware
Source: reinforcenh.shop Avira URL Cloud: Label: malware
Source: https://performenj.shop/6& Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/ Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/d& Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/&-7 Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/ Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/W Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/ Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/ Avira URL Cloud: Label: malware
Source: https://performenj.shop/pi Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/apiO Avira URL Cloud: Label: malware
Source: https://performenj.shop/ Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api Avira URL Cloud: Label: malware
Source: gutterydhowi.shop Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/api Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api Avira URL Cloud: Label: malware
Source: fragnantbui.shop Avira URL Cloud: Label: malware
Source: offensivedzvju.shop Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/api Avira URL Cloud: Label: malware
Source: drawzhotdog.shop Avira URL Cloud: Label: malware
Source: https://performenj.shop/apit Avira URL Cloud: Label: malware
Source: https://performenj.shop/api Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/apiJ Avira URL Cloud: Label: malware
Source: vozmeatillu.shop Avira URL Cloud: Label: malware
Found malware configuration
Source: 3.2.RegAsm.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["offensivedzvju.shop", "gutterydhowi.shop", "stogeneratmns.shop", "lootebarrkeyn.shop", "vozmeatillu.shop", "ghostreedmnu.shop", "drawzhotdog.shop", "fragnantbui.shop", "reinforcenh.shop"], "Build id": "FATE99--"}
Multi AV Scanner detection for submitted file
Source: 3ZD5tEC5DH.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: reinforcenh.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: stogeneratmns.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: fragnantbui.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: drawzhotdog.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: vozmeatillu.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: offensivedzvju.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: ghostreedmnu.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: gutterydhowi.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: lootebarrkeyn.shop
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: TeslaBrowser/5.5
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: - Screen Resoluton:
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: - Physical Installed Memory:
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: Workgroup: -
Source: 3.2.RegAsm.exe.400000.0.raw.unpack String decryptor: FATE99--
Uses 32bit PE files
Source: 3ZD5tEC5DH.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: 3ZD5tEC5DH.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 3_2_00447600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0044A7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+1Ch] 3_2_0040FEBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 3_2_0040EFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000120h] 3_2_0040EFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then push ebx 3_2_00415078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ecx, byte ptr [esp+34h] 3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 3_2_004450E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004340F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004340F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edi, byte ptr [eax+esi] 3_2_00407120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0042A274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], ax 3_2_0042A274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_0040D2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0042A2F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], ax 3_2_0042A2F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 3_2_00442280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0042A345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], ax 3_2_0042A345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_0042A345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 3_2_00431370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, eax 3_2_0040A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebp, eax 3_2_0040A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 3_2_0042C390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 3_2_0042C390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 3_2_00449390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_00449390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_00424490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 3_2_004204A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 3_2_004204A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, esi 3_2_0042D56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_0043B510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+000006A8h] 3_2_0041E52C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, esi 3_2_0042D58E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_0042F5B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi] 3_2_004146B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 3_2_0040F7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edx], cl 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 3_2_0041A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp al, 2Eh 3_2_0042C891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 3_2_0042C891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 3_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 3_2_004489F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_00434A2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 3_2_00445AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi] 3_2_00413AE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, ecx 3_2_00413AE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 3_2_00413AE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 3_2_0042BB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp edx 3_2_00427B0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_00430BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 3_2_00448BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 3_2_0044AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 3_2_00404C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 3_2_00426CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then add edi, 02h 3_2_0041DD64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebx] 3_2_0041DD64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 3_2_00405D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_00434DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 3_2_00445D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 3_2_0044AD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_00449E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 3_2_00414E26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 3_2_00414E26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 3_2_00447EDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_0044AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 3_2_0044AF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00426F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 3_2_0041CFF0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.6:63504 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.6:62281 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056048 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) : 192.168.2.6:52018 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.6:49718 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.6:49717 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.6:49711 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.6:59886 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.6:50739 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.6:49715 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.6:65346 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.6:55477 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.6:65127 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:49710 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.6:58108 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49717 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49711 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49717 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49720 -> 172.67.189.2:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49718 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49720 -> 172.67.189.2:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49718 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 172.67.162.108:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: lootebarrkeyn.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.4.136 104.21.4.136
Source: Joe Sandbox View IP Address: 172.67.189.2 172.67.189.2
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: performenj.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: lootebarrkeyn.shop
Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: performenj.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e199731
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.c
Source: RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTS
Source: RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=gC
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamaoE
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawzhotdog.shop/
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fragnantbui.shop/api
Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/
Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/api
Source: RegAsm.exe, 00000003.00000002.2239685477.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/api
Source: RegAsm.exe, 00000003.00000002.2239685477.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/apiO
Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/W
Source: RegAsm.exe, 00000003.00000002.2239685477.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/6&
Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/api
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/apit
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://performenj.shop/pi
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/d&
Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2239685477.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/N
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/&-7
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/api
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/apiJ
Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/api
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.6:49720 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00439000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_00439000
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00439000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_00439000

System Summary
barindex
.NET source code contains very large array initializations
Source: 3ZD5tEC5DH.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 364544
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410480 3_2_00410480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00447600 3_2_00447600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FEBC 3_2_0040FEBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0044004B 3_2_0044004B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401000 3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0044B020 3_2_0044B020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004450E0 3_2_004450E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004340F5 3_2_004340F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004091F0 3_2_004091F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004012A7 3_2_004012A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042A345 3_2_0042A345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0044B300 3_2_0044B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040A3C0 3_2_0040A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042C390 3_2_0042C390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00449390 3_2_00449390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00407470 3_2_00407470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040B470 3_2_0040B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040E470 3_2_0040E470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00405400 3_2_00405400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00411420 3_2_00411420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042D56C 3_2_0042D56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041E52C 3_2_0041E52C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042D58E 3_2_0042D58E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00437620 3_2_00437620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409737 3_2_00409737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00403790 3_2_00403790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004327B0 3_2_004327B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00408810 3_2_00408810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042C891 3_2_0042C891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00449970 3_2_00449970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040A910 3_2_0040A910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409A02 3_2_00409A02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00445AD0 3_2_00445AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00449B60 3_2_00449B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042BB00 3_2_0042BB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00427B0F 3_2_00427B0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00438C00 3_2_00438C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043FD0E 3_2_0043FD0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00449E60 3_2_00449E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00407E70 3_2_00407E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00447EDE 3_2_00447EDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042DEF8 3_2_0042DEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043EF50 3_2_0043EF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040AFD0 3_2_0040AFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042DFE0 3_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040BF80 3_2_0040BF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00448F80 3_2_00448F80
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040CAD0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040ED80 appears 194 times
Sample file is different than original file name gathered from version info
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2135373419.000000000095E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 3ZD5tEC5DH.exe
Source: 3ZD5tEC5DH.exe, 00000000.00000000.2117110100.000000000023E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVQP.exe< vs 3ZD5tEC5DH.exe
Source: 3ZD5tEC5DH.exe Binary or memory string: OriginalFilenameVQP.exe< vs 3ZD5tEC5DH.exe
Uses 32bit PE files
Source: 3ZD5tEC5DH.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3ZD5tEC5DH.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/2@11/7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004381AA CoCreateInstance, 3_2_004381AA
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3ZD5tEC5DH.exe.log Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:972:120:WilError_03
Source: 3ZD5tEC5DH.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3ZD5tEC5DH.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 3ZD5tEC5DH.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\3ZD5tEC5DH.exe "C:\Users\user\Desktop\3ZD5tEC5DH.exe"
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: 3ZD5tEC5DH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 3ZD5tEC5DH.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 3ZD5tEC5DH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0045535E push edx; retf 3_2_0045535F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00437333 push 04EC839Eh; mov dword ptr [esp], edi 3_2_0043733A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004533F4 push edi; ret 3_2_004533F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00453400 push edi; ret 3_2_00453401
Source: 3ZD5tEC5DH.exe Static PE information: section name: .text entropy: 7.995705798028068
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory allocated: BC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory allocated: 26A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory allocated: 23E0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe TID: 6092 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2404 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn!5
Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2239609640.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00447560 LdrInitializeThunk, 3_2_00447560
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Code function: 0_2_026A2151 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_026A2151
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: lootebarrkeyn.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000 Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000 Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000 Jump to behavior
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A31008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe Queries volume information: C:\Users\user\Desktop\3ZD5tEC5DH.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519286 Sample: 3ZD5tEC5DH.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 18 vozmeatillu.shop 2->18 20 stogeneratmns.shop 2->20 22 11 other IPs or domains 2->22 30 Suricata IDS alerts for network traffic 2->30 32 Found malware configuration 2->32 34 Antivirus detection for URL or domain 2->34 36 6 other signatures 2->36 7 3ZD5tEC5DH.exe 2 2->7         started        signatures3 process4 file5 16 C:\Users\user\AppData\...\3ZD5tEC5DH.exe.log, CSV 7->16 dropped 38 Contains functionality to inject code into remote processes 7->38 40 Writes to foreign memory regions 7->40 42 Allocates memory in foreign processes 7->42 44 2 other signatures 7->44 11 RegAsm.exe 7->11         started        14 conhost.exe 7->14         started        signatures6 process7 dnsIp8 24 gutterydhowi.shop 104.21.4.136, 443, 49710 CLOUDFLARENETUS United States 11->24 26 drawzhotdog.shop 172.67.162.108, 443, 49715 CLOUDFLARENETUS United States 11->26 28 5 other IPs or domains 11->28
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.4.136
 gutterydhowi.shop United States
13335 CLOUDFLARENETUS true
172.67.189.2
 performenj.shop United States
13335 CLOUDFLARENETUS true
188.114.97.3
 ghostreedmnu.shop European Union
13335 CLOUDFLARENETUS true
172.67.162.108
 drawzhotdog.shop United States
13335 CLOUDFLARENETUS true
188.114.96.3
 fragnantbui.shop European Union
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
172.67.208.139
 reinforcenh.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
fragnantbui.shop 188.114.96.3 true
performenj.shop 172.67.189.2 true
gutterydhowi.shop 104.21.4.136 true
steamcommunity.com 104.102.49.254 true
offensivedzvju.shop 188.114.96.3 true
stogeneratmns.shop 188.114.96.3 true
reinforcenh.shop 172.67.208.139 true
drawzhotdog.shop 172.67.162.108 true
ghostreedmnu.shop 188.114.97.3 true
vozmeatillu.shop 188.114.96.3 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true
lootebarrkeyn.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://drawzhotdog.shop/api true
  • Avira URL Cloud: malware
 unknown
lootebarrkeyn.shop true
  • Avira URL Cloud: malware
 unknown
https://gutterydhowi.shop/api true
  • Avira URL Cloud: malware
 unknown
stogeneratmns.shop true
  • Avira URL Cloud: malware
 unknown
reinforcenh.shop true
  • Avira URL Cloud: malware
 unknown
https://reinforcenh.shop/api true
  • Avira URL Cloud: malware
 unknown
ghostreedmnu.shop true
  • Avira URL Cloud: malware
 unknown
https://steamcommunity.com/profiles/76561199724331900 true
  • URL Reputation: malware
 unknown
https://vozmeatillu.shop/api true
  • Avira URL Cloud: malware
 unknown
https://stogeneratmns.shop/api true
  • Avira URL Cloud: malware
 unknown
https://ghostreedmnu.shop/api true
  • Avira URL Cloud: malware
 unknown
fragnantbui.shop true
  • Avira URL Cloud: malware
 unknown
gutterydhowi.shop true
  • Avira URL Cloud: malware
 unknown
https://offensivedzvju.shop/api true
  • Avira URL Cloud: malware
 unknown
https://fragnantbui.shop/api true
  • Avira URL Cloud: malware
 unknown
offensivedzvju.shop true
  • Avira URL Cloud: malware
 unknown
drawzhotdog.shop true
  • Avira URL Cloud: malware
 unknown
https://performenj.shop/api true
  • Avira URL Cloud: malware
 unknown
vozmeatillu.shop true
  • Avira URL Cloud: malware
 unknown