Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521515
MD5: 54e50cc52a1d35cdd951d475e0fb7aa9
SHA1: b5f83428a5b8c07dbd239beed5605282f73e5dbd
SHA256: d3bdd83b9fe90afaead22c1e6bfc2051e6cfa6e885986cc4c87708415d0484f8
Tags: exeLummaStealeruser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Found malware configuration
Source: 1.2.BitLockerToGo.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["vozmeatillu.shop", "ghostreedmnu.shop", "offensivedzvju.shop", "fragnantbui.shop", "gutterydhowi.shop", "drawzhotdog.shop", "reinforcenh.shop", "pianoswimen.shop", "stogeneratmns.shop"], "Build id": "tLYMe5--2"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 26%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: reinforcenh.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: stogeneratmns.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: fragnantbui.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: drawzhotdog.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: vozmeatillu.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: offensivedzvju.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: gutterydhowi.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: pianoswimen.shop
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: tLYMe5--2
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_0040D060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_0040D060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 1_2_0040F4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 1_2_0040F4B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_0040EC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [eax+esi] 1_2_00407000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 1_2_004490D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_00432080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp edx 1_2_0040915E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 1_2_0042C170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 1_2_0042C170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 1_2_00431110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [edx], ax 1_2_00429251
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+7Ch] 1_2_00433FB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+7Ch] 1_2_00433FB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ecx 1_2_004012BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 1_2_0042E3C2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 1_2_0044B3C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 1_2_0044B3C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_004443D4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h 1_2_0041445A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_0044440C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 1_2_00442420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 1_2_0044B550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 1_2_0044B550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+7Ch] 1_2_004335DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 1_2_0042F64F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ecx+edx+02h], 0000h 1_2_0044B6D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 1_2_0044B6D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_00430740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00444740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00428710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 1_2_0041A780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 1_2_00420780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 1_2_00420832
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 1_2_00449950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 1_2_0044A996
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00427ADF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_00432AB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_00432AB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h 1_2_00413B52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 1_2_0040FB7C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 1_2_00404B00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 1_2_0043BBD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 1_2_00444B80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 1_2_00405B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+38h] 1_2_00410BAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h 1_2_00430C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then dec ebx 1_2_0043FC70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 1_2_00445CE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 1_2_00426C80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00426C80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add esi, 02h 1_2_00413D32
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_0044BDC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_00428DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+00000660h] 1_2_0041DE74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+00000660h] 1_2_0041DE06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h 1_2_0041DE06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 1_2_00448ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00426EF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+34h] 1_2_00445F60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+7Ch] 1_2_00433FB3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+7Ch] 1_2_00433FB3

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:58380 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49730 -> 172.67.132.32:443
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49731 -> 172.67.132.32:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 172.67.132.32:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.132.32:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.132.32:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.132.32:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: pianoswimen.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.132.32 172.67.132.32
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=ePko5sjqf4a2HTkHHS9QQxBhBcqdvUN3ImaZPw8RSbw-1727548212-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 75Host: gutterydhowi.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: pianoswimen.shop
Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: file.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C82000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808657646.0000000002C84000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/api
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/apiC
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/apisw
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/api~
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/g
Source: file.exe String found in binary or memory: https://management.azure.compending
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-err
Source: BitLockerToGo.exe, 00000001.00000003.1808467665.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000001.00000003.1808467665.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.4:49731 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00438F30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_00438F30
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00438F30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_00438F30
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043A2E5 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 1_2_0043A2E5

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004403D0 1_2_004403D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00447A52 1_2_00447A52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00401000 1_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00437020 1_2_00437020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040915E 1_2_0040915E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0044A130 1_2_0044A130
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0044A19B 1_2_0044A19B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00429251 1_2_00429251
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004052C0 1_2_004052C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004452C0 1_2_004452C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00449FC0 1_2_00449FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040B2E0 1_2_0040B2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042D2E2 1_2_0042D2E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040A2F0 1_2_0040A2F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040E290 1_2_0040E290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004012BF 1_2_004012BF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00407340 1_2_00407340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040136B 1_2_0040136B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0044A320 1_2_0044A320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041445A 1_2_0041445A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0043F4C0 1_2_0043F4C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00449480 1_2_00449480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042D578 1_2_0042D578
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004155DC 1_2_004155DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004405A4 1_2_004405A4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004405A4 1_2_004405A4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040166E 1_2_0040166E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00423672 1_2_00423672
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004036F0 1_2_004036F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042B810 1_2_0042B810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00449950 1_2_00449950
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0044A9A2 1_2_0044A9A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00438A50 1_2_00438A50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00427ADF 1_2_00427ADF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0044BAF0 1_2_0044BAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00413B52 1_2_00413B52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0042DB06 1_2_0042DB06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00433B19 1_2_00433B19
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00410BAE 1_2_00410BAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00407D40 1_2_00407D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00409D09 1_2_00409D09
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040BDF0 1_2_0040BDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00436DB0 1_2_00436DB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0040AE50 1_2_0040AE50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_0041DE06 1_2_0041DE06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00449FC0 1_2_00449FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00410FD0 1_2_00410FD0
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040C980 appears 49 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0041CE20 appears 165 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@2/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_00437420 CoCreateInstance, 1_2_00437420
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 26%
Source: file.exe String found in binary or memory: net/addrselect.go
Source: file.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 12859392 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x535c00
Source: file.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x65ec00
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: file.exe, 00000000.00000002.1802808473.000000000239A000.00000004.00001000.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3744 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000001.00000003.1808487829.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000001.00000002.1820785163.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW^
Source: file.exe, 00000000.00000002.1799972236.000000000089C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 1_2_004478C0 LdrInitializeThunk, 1_2_004478C0

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: file.exe, 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pianoswimen.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 96E008 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44D000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 450000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 460000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1802808473.000000000217D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1820464419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1802808473.0000000002002000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1802808473.000000000217D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1521515 Sample: file.exe Startdate: 28/09/2024 Architecture: WINDOWS Score: 100 13 pianoswimen.shop 2->13 15 gutterydhowi.shop 2->15 19 Suricata IDS alerts for network traffic 2->19 21 Found malware configuration 2->21 23 Malicious sample detected (through community Yara rule) 2->23 25 5 other signatures 2->25 7 file.exe 2->7         started        signatures3 process4 signatures5 27 Writes to foreign memory regions 7->27 29 Allocates memory in foreign processes 7->29 31 Injects a PE file into a foreign processes 7->31 33 LummaC encrypted strings found 7->33 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 17 gutterydhowi.shop 172.67.132.32, 443, 49730, 49731 CLOUDFLARENETUS United States 10->17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.132.32
 gutterydhowi.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
gutterydhowi.shop 172.67.132.32 true
pianoswimen.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
fragnantbui.shop true
    		unknown
    gutterydhowi.shop true
      		unknown
      offensivedzvju.shop true
        		unknown
        https://gutterydhowi.shop/api true
          		unknown
          drawzhotdog.shop true
            		unknown
            ghostreedmnu.shop true
              		unknown
              pianoswimen.shop true
                		unknown
                reinforcenh.shop true
                  		unknown
                  stogeneratmns.shop true
                    		unknown
                    vozmeatillu.shop true
                      		unknown