Windows Analysis Report
IGAnbXyZVx.exe

Overview

General Information

Sample name: IGAnbXyZVx.exe
(renamed because the original name is a hash value)
Original sample name: f194835270a81357b06e41c56103d7065107bad719fab220f518f07138d33b87.exe
Analysis ID: 1524039
MD5: 6073814ce9d8799eed467e85f78d1599
SHA1: 8984255be7f0b0099bfdfa280a03a74143933abb
SHA256: f194835270a81357b06e41c56103d7065107bad719fab220f518f07138d33b87
Tags: exe, GuizhouSixuandaTechnologyCoLtd, signed, user-JAMESWT_MHT

Detection

LummaC, Go Injector, LummaC Stealer
Score: 87
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Go Injector
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample file name is different from the original file name gathered from version info
Uses a known web browser user agent for HTTP communication

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges URL Reputation: Label: malware
Source: 0.3.IGAnbXyZVx.exe.28a7e4d0000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["tearrybyiwo.shop", "captainynfanw.shop", "strappystyio.shop", "fossillargeiw.shop", "tendencerangej.shop", "nurserrsjwuwq.shop", "coursedonnyre.shop", "surveriysiop.shop", "appleboltelwk.shop"], "Build id": "c2CoW0--adv1"}
Source: IGAnbXyZVx.exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.3% probability
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: strappystyio.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: coursedonnyre.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: fossillargeiw.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: tendencerangej.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: appleboltelwk.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: tearrybyiwo.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: captainynfanw.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: surveriysiop.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: nurserrsjwuwq.shop
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String decryptor: c2CoW0--adv1
Source: IGAnbXyZVx.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:64662 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:64663 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.5:64664 version: TLS 1.2
Source: IGAnbXyZVx.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030AD0F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+0Ch] 3_2_030AFC50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030C1310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030C933C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 3_2_030C0330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030EC370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then dec ebx 3_2_030E03D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030C83FA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 3_2_030A12C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030C82F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 3_2_030E1160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov di, 0008h 3_2_030A91EF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [edx+34h], 00000001h 3_2_030A91EF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+00000878h] 3_2_030C91E6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030CD1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esi+edx] 3_2_030A1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 3_2_030A7020
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+eax+23h], 00000000h 3_2_030AF032
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+74h] 3_2_030D305E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_030CE0B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_030CE0F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-3Ch] 3_2_030C87A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ebx], cx 3_2_030CF7FC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 3_2_030B567D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 3_2_030E56A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 3_2_030AF6F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+000000B8h] 3_2_030B256A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+000001B8h] 3_2_030B256A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ebx], cx 3_2_030CF57C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_030DC5F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030CEB14
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 3_2_030BAB30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 3_2_030C6B40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_030D2920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 3_2_030A4B50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+000000A8h] 3_2_030BDBE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 3_2_030A5BE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 3_2_030ADA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 3_2_030E9960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, ecx 3_2_030B59E8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 3_2_030B49F2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h 3_2_030BD816
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 3_2_030E6810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 3_2_030CEF22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_030CDF23
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 3_2_030EBF90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_030D0FA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 3_2_030EBE20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [esi+eax*4-04h] 3_2_030ABE30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [esi+eax] 3_2_030E2E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+000001B8h] 3_2_030B2E74
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030E8EC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [eax] 3_2_030BEEE6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 3_2_030BEEE6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 3_2_030BEEE6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_030ADDA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_030C6DA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 3_2_030B4DA6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 3_2_030E5DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 3_2_030CCDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 3_2_030CCDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_030CCDF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 3_2_030B4C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 3_2_030EBCA0

Networking

Source: Network traffic Suricata IDS: 2056036 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop) : 192.168.2.5:53973 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056042 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop) : 192.168.2.5:60072 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056040 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop) : 192.168.2.5:62856 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056058 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop) : 192.168.2.5:62804 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056046 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop) : 192.168.2.5:62258 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056056 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop) : 192.168.2.5:50204 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056052 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop) : 192.168.2.5:63776 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056054 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop) : 192.168.2.5:62869 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:64664 -> 104.21.16.12:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:64664 -> 104.21.16.12:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:64662 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:64662 -> 188.114.96.3:443
Source: Malware configuration extractor URLs: tearrybyiwo.shop
Source: Malware configuration extractor URLs: captainynfanw.shop
Source: Malware configuration extractor URLs: strappystyio.shop
Source: Malware configuration extractor URLs: fossillargeiw.shop
Source: Malware configuration extractor URLs: tendencerangej.shop
Source: Malware configuration extractor URLs: nurserrsjwuwq.shop
Source: Malware configuration extractor URLs: coursedonnyre.shop
Source: Malware configuration extractor URLs: surveriysiop.shop
Source: Malware configuration extractor URLs: appleboltelwk.shop
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 104.21.16.12 104.21.16.12
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: nurserrsjwuwq.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gravvitywio.store
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: nurserrsjwuwq.shop
Source: global traffic DNS traffic detected: DNS query: surveriysiop.shop
Source: global traffic DNS traffic detected: DNS query: captainynfanw.shop
Source: global traffic DNS traffic detected: DNS query: tearrybyiwo.shop
Source: global traffic DNS traffic detected: DNS query: appleboltelwk.shop
Source: global traffic DNS traffic detected: DNS query: tendencerangej.shop
Source: global traffic DNS traffic detected: DNS query: fossillargeiw.shop
Source: global traffic DNS traffic detected: DNS query: coursedonnyre.shop
Source: global traffic DNS traffic detected: DNS query: strappystyio.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: gravvitywio.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: nurserrsjwuwq.shop
Source: IGAnbXyZVx.exe String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: IGAnbXyZVx.exe String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: IGAnbXyZVx.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: IGAnbXyZVx.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: IGAnbXyZVx.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: IGAnbXyZVx.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: IGAnbXyZVx.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: IGAnbXyZVx.exe String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: IGAnbXyZVx.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: IGAnbXyZVx.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: IGAnbXyZVx.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: IGAnbXyZVx.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000003.00000002.2492415527.0000000003392000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appleboltelwk.shop/
Source: BitLockerToGo.exe, 00000003.00000002.2492415527.0000000003392000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appleboltelwk.shop/L
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appleboltelwk.shop/api
Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=8vRVyaZK
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=w4s3
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=pvBDaFhF2LLJ&l=e
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://coursedonnyre.shop/api
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fossillargeiw.shop/api
Source: IGAnbXyZVx.exe String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/
Source: BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/api
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/apil
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/bc
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gravvitywio.store/rc
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 00000003.00000002.2492415527.000000000338B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nurserrsjwuwq.shop/api
Source: IGAnbXyZVx.exe String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900;
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491681981.0000000003397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://strappystyio.shop/
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://strappystyio.shop/api
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tendencerangej.shop/
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tendencerangej.shop/api
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tendencerangej.shop/ig
Source: IGAnbXyZVx.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: IGAnbXyZVx.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: BitLockerToGo.exe, 00000003.00000003.2492068972.0000000003430000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2491643213.0000000003427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 64663 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64662 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64664 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64662
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64664
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64663
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:64662 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:64663 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.12:443 -> 192.168.2.5:64664 version: TLS 1.2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030D9FE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_030D9FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030B0300 3_2_030B0300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030E8585 3_2_030E8585
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030AFC50 3_2_030AFC50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A5310 3_2_030A5310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030AB320 3_2_030AB320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030C933C 3_2_030C933C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030AA330 3_2_030AA330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A7370 3_2_030A7370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030EC370 3_2_030EC370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030EA3C0 3_2_030EA3C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030EB240 3_2_030EB240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030AE270 3_2_030AE270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A12C0 3_2_030A12C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A91EF 3_2_030A91EF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030B11E0 3_2_030B11E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030CD1F0 3_2_030CD1F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A1000 3_2_030A1000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A8710 3_2_030A8710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A9747 3_2_030A9747
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A3790 3_2_030A3790
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030AA7F0 3_2_030AA7F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030D1690 3_2_030D1690
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030CC510 3_2_030CC510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030B0B30 3_2_030B0B30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030D2920 3_2_030D2920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030ACBA0 3_2_030ACBA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030BDBE9 3_2_030BDBE9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030EAA30 3_2_030EAA30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030E6810 3_2_030E6810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030CE8A0 3_2_030CE8A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030EAF50 3_2_030EAF50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030E8FA9 3_2_030E8FA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030ABE30 3_2_030ABE30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030AAE90 3_2_030AAE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030BEEE6 3_2_030BEEE6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030E9EE0 3_2_030E9EE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030EAD40 3_2_030EAD40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030A7D70 3_2_030A7D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030D9D70 3_2_030D9D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030E5DE0 3_2_030E5DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030DFC50 3_2_030DFC50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 030AEC00 appears 157 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 030AC990 appears 45 times
Source: IGAnbXyZVx.exe Static PE information: Number of sections : 12 > 10
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IGAnbXyZVx.exe
Source: IGAnbXyZVx.exe, 00000000.00000002.2462908522.00007FF7FE530000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiTunesSetup.exe0 vs IGAnbXyZVx.exe
Source: IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IGAnbXyZVx.exe
Source: IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs IGAnbXyZVx.exe
Source: IGAnbXyZVx.exe Binary or memory string: OriginalFilenameiTunesSetup.exe0 vs IGAnbXyZVx.exe
Source: IGAnbXyZVx.exe Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockx509: malformed validityexec: Stdout already setjson: unsupported type: invalid interlace method\Device\NamedPipe\cygwinstreamSafe was not resetzlib: invalid dictionaryinvalid pattern syntax: address string too shortresource length too longunpacking Question.Classidna: disallowed rune %Usequence number overflow^[a-zA-Z_][a-zA-Z0-9_]*$Asia Pacific (Hong Kong)Asia Pacific (Hyderabad)Asia Pacific (Singapore)Asia Pacific (Melbourne)athena.ap-east-1.api.awsathena.ca-west-1.api.awsathena.eu-west-1.api.awsathena.eu-west-2.api.awsathena.eu-west-3.api.awsathena.sa-east-1.api.awsathena.us-east-1.api.awsathena.us-east-2.api.awsathena.us-west-1.api.awsathena.us-west-2.api.awscloudfront.amazonaws.comaos.ca-central-1.api.awsaos.eu-central-1.api.awsaos.eu-central-2.api.awsaos.il-central-1.api.awsaos.me-central-1.api.awslambda.ap-east-1.api.awslambda.ca-west-1.api.awslambda.eu-west-1.api.awslambda.eu-west-2.api.awslambda.eu-west-3.api.awslambda.sa-east-1.api.awslambda.us-east-1.api.awslambda.us-east-2.api.awslambda.us-west-1.api.awslambda.us-west-2.api.awsrekognition.ca-central-1budgets.amazonaws.com.cnroute53.amazonaws.com.cnacm.{region}.{dnsSuffix}dms.{region}.{dnsSuffix}ec2.{region}.{dnsSuffix}eks.{region}.{dnsSuffix}iam.us-gov.amazonaws.compi.us-gov-east-1.api.awspi.us-gov-west-1.api.awsrds.{region}.{dnsSuffix}sqs.{region}.{dnsSuffix}ssm.{region}.{dnsSuffix}sts.{region}.{dnsSuffix}flate: maxBits too largeTLS_PSK_WITH_AES_128_CCMGODEBUG sys/cpu: value "", required CPU feature
Source: classification engine Classification label: mal87.troj.evad.winEXE@3/0@11/3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030D5250 CoCreateInstance, 3_2_030D5250
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe File created: C:\Users\Public\Libraries\pmlha.scif
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe File opened: C:\Windows\system32\af329a41ecddd1e24c464ce77c50e456259658029e6786b8eb3dc245028698c9AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: IGAnbXyZVx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IGAnbXyZVx.exe ReversingLabs: Detection: 21%
Source: IGAnbXyZVx.exe String found in binary or memory: 0-9a-zA-Z]accessing a corrupted shared library444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzbytes.Reader.ReadAt: negative offsetlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: IGAnbXyZVx.exe String found in binary or memory: net/addrselect.go
Source: IGAnbXyZVx.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: IGAnbXyZVx.exe String found in binary or memory: PMbEegzCOH/load.go
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe File read: C:\Users\user\Desktop\IGAnbXyZVx.exe
Source: unknown Process created: C:\Users\user\Desktop\IGAnbXyZVx.exe "C:\Users\user\Desktop\IGAnbXyZVx.exe"
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: IGAnbXyZVx.exe Static PE information: certificate valid
Source: IGAnbXyZVx.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: IGAnbXyZVx.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: IGAnbXyZVx.exe Static file information: File size 13700856 > 1048576
Source: IGAnbXyZVx.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x40ec00
Source: IGAnbXyZVx.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x869a00
Source: IGAnbXyZVx.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C000600000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000003.2439647614.0000028A7E470000.00000004.00001000.00020000.00000000.sdmp, IGAnbXyZVx.exe, 00000000.00000002.2459717228.000000C000800000.00000004.00001000.00020000.00000000.sdmp
Source: IGAnbXyZVx.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1532 Thread sleep time: -30000s >= -30000s
Source: BitLockerToGo.exe, 00000003.00000003.2491681981.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2492100941.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492415527.0000000003378000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.2492568491.00000000033B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: IGAnbXyZVx.exe, 00000000.00000002.2460312983.0000028A7CF3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_030E84C0 LdrInitializeThunk, 3_2_030E84C0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 30A0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 30A0000 value starts with: 4D5A
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: strappystyio.shop
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: coursedonnyre.shop
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fossillargeiw.shop
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tendencerangej.shop
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: appleboltelwk.shop
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tearrybyiwo.shop
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: captainynfanw.shop
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: surveriysiop.shop
Source: IGAnbXyZVx.exe, 00000000.00000002.2459496957.000000C0006DC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: nurserrsjwuwq.shop
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 30A0000
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E19008
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Queries volume information: C:\Users\user\Desktop\IGAnbXyZVx.exe VolumeInformation
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Desktop\IGAnbXyZVx.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: IGAnbXyZVx.exe, type: SAMPLE
Source: Yara match File source: 0.0.IGAnbXyZVx.exe.7ff7fd7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IGAnbXyZVx.exe.7ff7fd7b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2461513968.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2025429322.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IGAnbXyZVx.exe PID: 6432, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: IGAnbXyZVx.exe, type: SAMPLE
Source: Yara match File source: 0.0.IGAnbXyZVx.exe.7ff7fd7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IGAnbXyZVx.exe.7ff7fd7b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2461513968.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2025429322.00007FF7FE224000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IGAnbXyZVx.exe PID: 6432, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR