Windows Analysis Report
p37SE6gM52.exe

Overview

General Information

Sample name: p37SE6gM52.exe
renamed because original name is a hash value
Original sample name: cd68144879cf39befd5d96950a78370d.exe
Analysis ID: 1519287
MD5: cd68144879cf39befd5d96950a78370d
SHA1: f22e8d8421fc6b41de89ab747c1c74b3e934ee2e
SHA256: 2ca1aa726259687599cbc1eac5cb922aa247ce62a537dc1506c95855f3e4322a
Tags: exe, user-abuse_ch

Detection

LummaC, Go Injector, LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample file name is different from the original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: p37SE6gM52.exe Avira: detected
Source: pianoswimen.shop Avira URL Cloud: Label: malware
Source: surroundeocw.shop Avira URL Cloud: Label: malware
Source: priooozekw.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/p Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api Avira URL Cloud: Label: malware
Source: racedsuitreow.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/ Avira URL Cloud: Label: malware
Source: covvercilverow.shop Avira URL Cloud: Label: malware
Source: pumpkinkwquo.shop Avira URL Cloud: Label: malware
Source: abortinoiwiam.shop Avira URL Cloud: Label: malware
Source: deallyharvenw.shop Avira URL Cloud: Label: malware
Source: defenddsouneuw.shop Avira URL Cloud: Label: malware
Source: 1.3.p37SE6gM52.exe.2766edc0000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["surroundeocw.shop", "defenddsouneuw.shop", "racedsuitreow.shop", "priooozekw.shop", "pumpkinkwquo.shop", "deallyharvenw.shop", "covvercilverow.shop", "pianoswimen.shop", "abortinoiwiam.shop"], "Build id": "tLYMe5--rui111"}
Source: p37SE6gM52.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.5% probability
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: covvercilverow.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: surroundeocw.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: abortinoiwiam.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: pumpkinkwquo.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: priooozekw.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: deallyharvenw.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: defenddsouneuw.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: racedsuitreow.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: pianoswimen.shop
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String decryptor: tLYMe5--rui111
Source: unknown HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: p37SE6gM52.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic Suricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.7:59476 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.7:49704 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.7:49705 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49705 -> 104.21.37.97:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49705 -> 104.21.37.97:443
Source: Malware configuration extractor URLs: surroundeocw.shop
Source: Malware configuration extractor URLs: defenddsouneuw.shop
Source: Malware configuration extractor URLs: racedsuitreow.shop
Source: Malware configuration extractor URLs: priooozekw.shop
Source: Malware configuration extractor URLs: pumpkinkwquo.shop
Source: Malware configuration extractor URLs: deallyharvenw.shop
Source: Malware configuration extractor URLs: covvercilverow.shop
Source: Malware configuration extractor URLs: pianoswimen.shop
Source: Malware configuration extractor URLs: abortinoiwiam.shop
Source: Joe Sandbox View IP Address: 104.21.37.97 104.21.37.97
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: racedsuitreow.shop
Source: global traffic HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=iUcK268UmskJ7BooTQRCfMUbls.hg05IeE3Z8iZ6ob4-1727337613-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 80
Host: racedsuitreow.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: pianoswimen.shop
Source: global traffic DNS traffic detected: DNS query: racedsuitreow.shop
Source: unknown HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: racedsuitreow.shop
Source: p37SE6gM52.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: p37SE6gM52.exe String found in binary or memory: https://github.com/uber-go/dig/issues/new
Source: p37SE6gM52.exe String found in binary or memory: https://golang.org/doc/faq#nil_errorMemory
Source: p37SE6gM52.exe String found in binary or memory: https://opentelemetry.io/schemas/1.26.0google.golang.org/genproto/protobuf/apigoogle.golang.org/prot
Source: p37SE6gM52.exe String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictserver
Source: BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/
Source: BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api
Source: BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/p
Source: BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731193361.0000000002E8C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731554267.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731193361.0000000002E8C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.37.97:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B07400 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_02B07400
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B07400 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_02B07400

System Summary

Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02ADC620 appears 43 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 02ADE8C0 appears 132 times
Source: p37SE6gM52.exe Static PE information: Number of sections : 12 > 10
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs p37SE6gM52.exe
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs p37SE6gM52.exe
Source: p37SE6gM52.exe, 00000001.00000000.1325186248.00007FF6FD5EE000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDisplayTool.exe8 vs p37SE6gM52.exe
Source: p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs p37SE6gM52.exe
Source: p37SE6gM52.exe Binary or memory string: OriginalFilenameDisplayTool.exe8 vs p37SE6gM52.exe
Source: 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@2/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B0DE76 CoCreateInstance,GetVolumeInformationW, 4_2_02B0DE76
Source: C:\Users\user\Desktop\p37SE6gM52.exe File created: C:\Users\Public\Libraries\dbncj.scif
Source: p37SE6gM52.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\p37SE6gM52.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: p37SE6gM52.exe ReversingLabs: Detection: 52%
Source: p37SE6gM52.exe String found in binary or memory: pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero p
Source: p37SE6gM52.exe String found in binary or memory: (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not ot
Source: p37SE6gM52.exe String found in binary or memory: rom deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop
Source: p37SE6gM52.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: p37SE6gM52.exe String found in binary or memory: net/addrselect.go
Source: p37SE6gM52.exe String found in binary or memory: error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated ... omitting case_not_founddata_exceptiongrouping_errorquery_canceledadmin_shutdowncrash_shutdownundefined_fileduplicate_filefdw_no_schemasinternal_errordata_corruptedpos
Source: p37SE6gM52.exe String found in binary or memory: ifRmlZMLlG/load.go
Source: p37SE6gM52.exe String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine .localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = RIPEMD-160ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOT for type trim_errorPGPASSFILEkrbsrvname READ ONLYdecode: %sConnectionlocal-addrUser-AgentRST_STREAMEND_STREAMSet-Cookie stream=%dset-cookieuser-agentkeep-alive:authorityconnectionequivalentHost: %s
Source: p37SE6gM52.exe String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=RegSetValueExWinternal error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated
Source: p37SE6gM52.exe String found in binary or memory: too many Questions to pack (>65535)transform: short destination buffermime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largemlkem768: crypto/rand Read failed: mlkem768: invalid ciphertext lengthcbor: invalid ByteSliceLaterFormat P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitymissing EncodeTime in EncoderConfigcannot create scope info metric: %wmanual reader: invalid producer: %Tduplicate list-member in tracestatetoo many list-members in tracestatego.opentelemetry.io/otel/sdk/tracerdelimiters may only be "{}" or "<>"string field contains invalid UTF-8%v already implements proto.Messageflate: corrupt input before offset range can only initialize variablesexpected unsigned integer; found %snon-comparable types %s: %v, %s: %vcannot use an unfiltered option: %vambiguous set of applicable optionschacha20: output smaller than inputGOMEMLIMIT is already set, skippingprocess.runtime.go.mem.heap_objectsprocess.runtime.go.mem.live_objectsAGGREGATION_TEMPORALITY_UNSPECIFIEDno ErrorHandler delegate configuredprocess_network_receive_bytes_totalgrpc.internal.transport.networktypethere is an empty key in the headerGRPC_ALTS_MAX_CONCURRENT_HANDSHAKES%s: none of the oneof fields is setcrypto/cipher: input not full blocksTime.UnmarshalBinary: invalid lengthmethod ABI and value ABI don't alignreflect.Value.Equal: values of type strings.Builder.Grow: negative countstrings: Join output length overflowThunk Address Of Data too spread outPower PC with floating point supportCherokee United States (chr-Cher-US)Chinese (Traditional) Taiwan (zh-TW)English United Arab Emirates (en-AE)Error parsing certificate from ASN.1accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: p37SE6gM52.exe String found in binary or memory: net/addrselect.go
Source: p37SE6gM52.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: p37SE6gM52.exe String found in binary or memory: google.golang.org/grpc@v1.67.0/internal/balancerload/load.go
Source: p37SE6gM52.exe String found in binary or memory: ifRmlZMLlG/load.go
Source: C:\Users\user\Desktop\p37SE6gM52.exe File read: C:\Users\user\Desktop\p37SE6gM52.exe
Source: unknown Process created: C:\Users\user\Desktop\p37SE6gM52.exe "C:\Users\user\Desktop\p37SE6gM52.exe"
Source: C:\Users\user\Desktop\p37SE6gM52.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\p37SE6gM52.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\p37SE6gM52.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\p37SE6gM52.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: p37SE6gM52.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: p37SE6gM52.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: p37SE6gM52.exe Static file information: File size 19140096 > 1048576
Source: p37SE6gM52.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x859400
Source: p37SE6gM52.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x900a00
Source: p37SE6gM52.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000688000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000002.1725521935.000000C00064E000.00000004.00001000.00020000.00000000.sdmp, p37SE6gM52.exe, 00000001.00000003.1710429168.000002766ED60000.00000004.00001000.00020000.00000000.sdmp
Source: p37SE6gM52.exe Static PE information: section name: .xdata
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B04EA8 push es; mov dword ptr [esp], eax 4_2_02B04EB1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B20C14 push ebx; ret 4_2_02B20C15
Source: C:\Users\user\Desktop\p37SE6gM52.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7804 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: BitLockerToGo.exe, 00000004.00000003.1731257436.0000000002E33000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731554267.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000003.1731449847.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000004.00000002.1744682940.0000000002E33000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: p37SE6gM52.exe, 00000001.00000002.1726573970.000002762971C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4_2_02B15510 LdrInitializeThunk, 4_2_02B15510
Source: C:\Users\user\Desktop\p37SE6gM52.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\p37SE6gM52.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AD0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\p37SE6gM52.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AD0000 value starts with: 4D5A
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: covvercilverow.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: surroundeocw.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: abortinoiwiam.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pumpkinkwquo.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: priooozekw.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: deallyharvenw.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: defenddsouneuw.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: racedsuitreow.shop
Source: p37SE6gM52.exe, 00000001.00000002.1725521935.000000C000512000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pianoswimen.shop
Source: C:\Users\user\Desktop\p37SE6gM52.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2AD0000
Source: C:\Users\user\Desktop\p37SE6gM52.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 29C3008
Source: C:\Users\user\Desktop\p37SE6gM52.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\p37SE6gM52.exe Queries volume information: C:\Users\user\Desktop\p37SE6gM52.exe VolumeInformation
Source: C:\Users\user\Desktop\p37SE6gM52.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\p37SE6gM52.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\p37SE6gM52.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: p37SE6gM52.exe, type: SAMPLE
Source: Yara match File source: 1.0.p37SE6gM52.exe.7ff6fc380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.p37SE6gM52.exe.7ff6fc380000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1324374308.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1728658450.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: p37SE6gM52.exe PID: 7324, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: p37SE6gM52.exe, type: SAMPLE
Source: Yara match File source: 1.0.p37SE6gM52.exe.7ff6fc380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.p37SE6gM52.exe.7ff6fc380000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1324374308.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1728658450.00007FF6FCC57000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: p37SE6gM52.exe PID: 7324, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR