Windows Analysis Report
Full-Setup.exe

Overview

General Information

Sample name: Full-Setup.exe
Analysis ID: 1521582
MD5: 88a1c446d3d26bfdd2dde2029de24beb
SHA1: ff8ffbbabdc7b4a9af03f9466656ec5167660fff
SHA256: 4f6c45165a60433a77d4fce2f5bf06216ef38af6ab7ab6c836aa9f8446de33ba
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Found malware configuration
Source: 2.2.BitLockerToGo.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["vozmeatillu.shop", "stogeneratmns.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "gutterydhowi.shop", "trustterwowqm.shop", "reinforcenh.shop", "offensivedzvju.shop", "fragnantbui.shop"], "Build id": "tLYMe5--111"}
Multi AV Scanner detection for submitted file
Source: Full-Setup.exe ReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: reinforcenh.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: stogeneratmns.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: fragnantbui.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: drawzhotdog.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: vozmeatillu.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: offensivedzvju.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: gutterydhowi.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: trustterwowqm.shop
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000002.00000002.2326311368.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: tLYMe5--111
Uses 32bit PE files
Source: Full-Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: Full-Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 68677325h 2_2_00446C94
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 2_2_0040EFF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_00449F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+edx*4] 2_2_0040C070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h] 2_2_0040C070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h] 2_2_0040C070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0040E080
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 2_2_00448120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 2_2_004441D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, ecx 2_2_004141F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+00000878h] 2_2_004291A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [edx], ax 2_2_004291A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp+40h] 2_2_004291A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0042E20E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_004232D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 2_2_0042C2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 2_2_0042C2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 2_2_00415292
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 2_2_00401295
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 2_2_00445310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+58h] 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_004133E4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 2_2_0044A3A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 2_2_00431420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+ecx+00h], 0000h 2_2_004274C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h] 2_2_004494C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_004494C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [edi], ax 2_2_004214F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then dec ebx 2_2_0043F510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 2_2_0044A520
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0042F5E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h] 2_2_004495A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_004495A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_0041260C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebp+00h], al 2_2_0042D624
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then test eax, eax 2_2_0041E6E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 2_2_0044A690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push 00000000h 2_2_00403710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0042C710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi], 00000000h 2_2_004157D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_004307F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 2_2_00408780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_0043B8C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_004498A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0042B8B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 2_2_0042B8B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_00413900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_00444900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 2_2_00444900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 2_2_00444900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 2_2_004489D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_004489D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0042D9B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 44CAAEB6h 2_2_00427A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 2_2_0040DA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_0044AA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_0041FA83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 2_2_00441A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_00426B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 2_2_0042EB0B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_00449B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 2_2_00404BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 2_2_00412B9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_00412B9E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 2_2_0042EBA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], ax 2_2_00420C60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_00420C60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 2_2_00405C00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 2_2_0042FC31
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 2_2_0040DCC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+48h] 2_2_00413DE2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 2_2_00443D90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 2_2_0041AF40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 2_2_00447F30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 2_2_00443FC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 2_2_00430FB0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.6:60033 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:49716 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2056174 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (trustterwowqm .shop) : 192.168.2.6:59324 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:49715 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49716 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49716 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 104.21.4.136:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: trustterwowqm.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.4.136 104.21.4.136
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=03XKCjmbDCyhHo5BktRxoxoyo3NZqMvaFNaDOl2gcK0-1727563759-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: gutterydhowi.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: trustterwowqm.shop
Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: Full-Setup.exe String found in binary or memory: http://.css
Source: Full-Setup.exe String found in binary or memory: http://.jpg
Source: Full-Setup.exe String found in binary or memory: http://html4/loose.dtd
Source: Full-Setup.exe String found in binary or memory: https://DwmFlushTlsAllocIsIconicIsZoomedPtInRectSetFocusdxgi.dll
Source: Full-Setup.exe, 00000000.00000002.2310510440.0000000002146000.00000004.00001000.00020000.00000000.sdmp, Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp, Full-Setup.exe, 00000000.00000002.2312557976.0000000002446000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature
Source: Full-Setup.exe, 00000000.00000002.2314493525.0000000002580000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureSizes
Source: Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureZ
Source: Full-Setup.exe, 00000000.00000002.2310510440.000000000236E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signaturexS
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/R
Source: BitLockerToGo.exe, 00000002.00000003.2315276259.0000000002F94000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315276259.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/api
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gutterydhowi.shop/b
Source: Full-Setup.exe String found in binary or memory: https://login.chinacloudapi.cn/non-pointer
Source: Full-Setup.exe String found in binary or memory: https://management.azure.comnil
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315243598.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000002.00000003.2315243598.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49716 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00439240 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00439240
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00439240 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00439240
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004395AA GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 2_2_004395AA
Creates a DirectInput object (often for capturing keystrokes)
Source: Full-Setup.exe, 00000000.00000002.2308354197.0000000000E93000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: directInput8Create memstr_63937bb8-2
Installs a raw input device (often for capturing keystrokes)
Source: Full-Setup.exe, 00000000.00000002.2308354197.0000000000E93000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: exit hook invoked panicSplit called after Scanflate: internal error: pattern bits too long: gamepaddb: syntax errortoo many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question Classmultipart: NextPart: %wvarint integer overflowinvalid UTF-8 in stringmismatching cardinalityunsupported edition: %vinvalid escape sequenceunknown empty width arglatest balancer error: name resolver error: %vproduced zero addressesxml: unsupported type: expected element type <0123456789abcdefABCDEF_function %q not defined&CloseCurlyDoubleQuote;&DoubleContourIntegral;&FilledVerySmallSquare;&NegativeVeryThinSpace;&NotPrecedesSlantEqual;&NotRightTriangleEqual;&NotSucceedsSlantEqual;<a href="#fn:%s">%d</a> <meta charset="utf-8"rle symbol %d >= max %dX-Amz-Copy-Source-RangeP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curvebad %s slice length: %dinvalid UUID length: %dDwmGetColorizationColorDwmIsCompositionEnabledSetThreadExecutionStateRegisterRawInputDevicesglfw: invalid shape: %dunexpected operator: %sredeclared function: %sinvalid length of arrayinvalid length array %d%v is not a valid tokenunknown accessor: %v.%sinvalid Message.Get on invalid Message.Set on no SubConn is availablenon-existent entity #%dlast resolver error: %vgrpc-status-details-binfinished writing statusGrpc-Status-Details-BinDiacriticalDoubleAcute;NotSquareSupersetEqual;invalid scalar encodingmissing type constraintunbalanced label scopesobject already resolvedhtml/template:%s:%d: %s%q in unquoted attr: %qtimeseries: num < 0, %vAlpcGetMessageAttributeNtAlpcAcceptConnectPortImageList_GetImageCountImageList_SetImageCountDwmSetPresentParametersSetConsoleTextAttributeQueryPerformanceCounterGetClipboardFormatNameWaes7z: Read after Closebzip2: Read after Closedelta: Read after Closelzma2: Read after Closeccm: invalid nonce sizeunknown character widthwhile scanning an alias%s (and %d more errors)illegal byte order markinvalid column number: invalid radix point in unknown escape sequencebrotli: excessive inputSIMPLE_HUFFMAN_ALPHABETblock checksum mismatchno tree selectors givendata exceeds block sizelz4: invalid block sizelzma: wrong chunk state%w: got %x; expected %xfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard TimeAzerbaijan Standard TimeBangladesh Standard TimeNorth Asia Standard TimeCape Verde Standard Timeapplication/octet-streamgoogle.protobuf.DurationRequired flag %q not setCLI_TEMPLATE_ERROR_DEBUGCLI TEMPLATE ERROR: %#v memstr_a02208bd-3
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00410B44 2_2_00410B44
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00439040 2_2_00439040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040C070 2_2_0040C070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00401000 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040B0D0 2_2_0040B0D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042BEE7 2_2_0042BEE7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004490AC 2_2_004490AC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00449190 2_2_00449190
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004291A0 2_2_004291A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00428202 2_2_00428202
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042C2E0 2_2_0042C2E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00401295 2_2_00401295
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040134C 2_2_0040134C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004323D0 2_2_004323D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00405380 2_2_00405380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004073B0 2_2_004073B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004494C0 2_2_004494C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004484C0 2_2_004484C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00447488 2_2_00447488
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040E540 2_2_0040E540
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040B560 2_2_0040B560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040A570 2_2_0040A570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004015FB 2_2_004015FB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004495A0 2_2_004495A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042D624 2_2_0042D624
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041E6E6 2_2_0041E6E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00403710 2_2_00403710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042C710 2_2_0042C710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00408780 2_2_00408780
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004117B0 2_2_004117B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004498A0 2_2_004498A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042B8B2 2_2_0042B8B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00444900 2_2_00444900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004489D0 2_2_004489D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042D9B3 2_2_0042D9B3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00427A60 2_2_00427A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0044AA70 2_2_0044AA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040AA30 2_2_0040AA30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041FA83 2_2_0041FA83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00409B67 2_2_00409B67
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00449B30 2_2_00449B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042ED7D 2_2_0042ED7D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00438D30 2_2_00438D30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00407DE0 2_2_00407DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043ED90 2_2_0043ED90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040CE30 2_2_0040CE30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042BEE7 2_2_0042BEE7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040FFA7 2_2_0040FFA7
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040EEE0 appears 173 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040CB10 appears 50 times
Sample file is different than original file name gathered from version info
Source: Full-Setup.exe, 00000000.00000002.2309634937.00000000016B1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSoundpad.exe2 vs Full-Setup.exe
Source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Full-Setup.exe
Source: Full-Setup.exe Binary or memory string: OriginalFilenameSoundpad.exe2 vs Full-Setup.exe
Uses 32bit PE files
Source: Full-Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/0@2/1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043F920 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 2_2_0043F920
Source: Full-Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Full-Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Full-Setup.exe ReversingLabs: Detection: 34%
Source: Full-Setup.exe String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine (BADINDEX)%!(NOVERB)12207031256103515625ParseFloatcomplex128t.Kind == myhostname.localhostunixpacketwsarecvmsgwsasendmsgIP address netGo = local-addrRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookieuser-agentkeep-aliveequivalentHost: %s
Source: Full-Setup.exe String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedmemprofileratesemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=invalid syntax1907348632812595367431640625unsafe.Pointer on zero Valuereflect.Value.unknown methodRegSetValueExW.WithoutCancel.WithDeadline(internal error.in-addr.arpa.unknown mode: MAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eof{$} not at endempty wildcardparsing %q: %wunknown error unknown code: Not AcceptableDkim-Signature"OUT_OF_RANGE"ALREADY_EXISTS(line %d:%d): invalid %v: %vreserved_rangefield_presence\.+*?()|[]{}^$len of type %s^[a-f0-9]{64}$^[a-f0-9]{96}$RequestExpiredRequestTimeout^cn\-\w+\-\d+$cn-northwest-1us-isob-east-1cloud.adc-e.ukeu-isoe-west-1csp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4aws-iso-globalfips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2boringcrypto: bad record MACControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWunreachable: /log/filter.go/log/helper.godata truncated
Source: Full-Setup.exe String found in binary or memory: net/addrselect.go
Source: Full-Setup.exe String found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go
Source: Full-Setup.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: Full-Setup.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: C:\Users\user\Desktop\Full-Setup.exe File read: C:\Users\user\Desktop\Full-Setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Full-Setup.exe "C:\Users\user\Desktop\Full-Setup.exe"
Source: C:\Users\user\Desktop\Full-Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Full-Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Section loaded: d3dcompiler_47.dll Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Full-Setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Full-Setup.exe Static file information: File size 16855552 > 1048576
Source: Full-Setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6e1400
Source: Full-Setup.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x6d6200
Source: Full-Setup.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x148400
Source: Full-Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Full-Setup.exe, 00000000.00000002.2314493525.00000000025FA000.00000004.00001000.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: Full-Setup.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\Full-Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4372 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2315608551.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000002.00000002.2326588837.0000000002F67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: Full-Setup.exe, 00000000.00000002.2310325254.0000000001A5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00440400 LdrInitializeThunk, 2_2_00440400

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Full-Setup.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Full-Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: Full-Setup.exe, 00000000.00000003.2290997997.0000000002720000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: trustterwowqm.shop
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Full-Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2C00008 Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44C000 Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44F000 Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45E000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Full-Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Full-Setup.exe Queries volume information: C:\Users\user\Desktop\Full-Setup.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Full-Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1521582 Sample: Full-Setup.exe Startdate: 29/09/2024 Architecture: WINDOWS Score: 100 13 trustterwowqm.shop 2->13 15 gutterydhowi.shop 2->15 19 Suricata IDS alerts for network traffic 2->19 21 Found malware configuration 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 4 other signatures 2->25 7 Full-Setup.exe 2->7         started        signatures3 process4 signatures5 27 Writes to foreign memory regions 7->27 29 Allocates memory in foreign processes 7->29 31 Injects a PE file into a foreign processes 7->31 33 LummaC encrypted strings found 7->33 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 17 gutterydhowi.shop 104.21.4.136, 443, 49715, 49716 CLOUDFLARENETUS United States 10->17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.4.136
 gutterydhowi.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
gutterydhowi.shop 104.21.4.136 true
trustterwowqm.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://gutterydhowi.shop/api true
    		unknown
    stogeneratmns.shop true
      		unknown
      reinforcenh.shop true
        		unknown
        fragnantbui.shop true
          		unknown
          gutterydhowi.shop true
            		unknown
            offensivedzvju.shop true
              		unknown
              drawzhotdog.shop true
                		unknown
                ghostreedmnu.shop true
                  		unknown
                  trustterwowqm.shop true
                    		unknown
                    vozmeatillu.shop true
                      		unknown