Edit tour
Windows
Analysis Report
17280510295b445988b983a0ba49d44db487bf2f71dfa528305f86c932b16b62f2d30add9d700.dat-decoded.exe
Overview
General Information
| Sample name: | 17280510295b445988b983a0ba49d44db487bf2f71dfa528305f86c932b16b62f2d30add9d700.dat-decoded.exe |
| Analysis ID: | 1525918 |
| MD5: | 164eb877226ca8048b6174ab1c19411f |
| SHA1: | 72246e7ded9eca6a5ae5571f54f73bea754e0915 |
| SHA256: | 045ebac9be39cdf940790eee8267d9b69710c39808e41368ca42ee4d3c890079 |
| Tags: | base64-decodedexeuser-abuse_ch |
| Infos: |  |
 | |
Errors
| |
Detection
LummaC
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Uses 32bit PE files
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["tendencctywop.shop", "keennylrwmqlw.shop", "licenseodqwmqn.shop", "tryyudjasudqo.shop", "tesecuuweqo.shop", "eemmbryequo.shop", "relaxatinownio.shop", "reggwardssdqw.shop"], "Build id": "DtiPjR--myfile"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 PowerShell | Path Interception | Path Interception | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 16% | ReversingLabs | |||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown | ||
| true | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1525918 |
| Start date and time: | 2024-10-04 16:18:25 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 5s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 1 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 17280510295b445988b983a0ba49d44db487bf2f71dfa528305f86c932b16b62f2d30add9d700.dat-decoded.exe |
| Detection: | MAL |
| Classification: | mal84.troj.evad.winEXE@0/0@0/0 |
| Cookbook Comments: |
|
- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
- Exclude process from analysis (whitelisted): dllhost.exe
- VT rate limit hit for: 17280510295b445988b983a0ba49d44db487bf2f71dfa528305f86c932b16b62f2d30add9d700.dat-decoded.exe
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.68270228829449 |
| TrID: |
|
| File name: | 17280510295b445988b983a0ba49d44db487bf2f71dfa528305f86c932b16b62f2d30add9d700.dat-decoded.exe |
| File size: | 328'218 bytes |
| MD5: | 164eb877226ca8048b6174ab1c19411f |
| SHA1: | 72246e7ded9eca6a5ae5571f54f73bea754e0915 |
| SHA256: | 045ebac9be39cdf940790eee8267d9b69710c39808e41368ca42ee4d3c890079 |
| SHA512: | 23ce65993050e324703771f7c4f29786927399e43adc3af0fcbf2450403aac8d8659c77f7d5518a5d6172458b1eb0dba61571cb0a8e198813e926055daa52a2d |
| SSDEEP: | 6144:pKPcsqgA+gTaOVk//BIYXxPzgUkVP4c4ljt2xVUVXDIJXEr4HbgXA1dgvgwu5dG8:FsFC1mksfPFifF+ |
| TLSH: | BF645D09DF23C099EC9B44B151F9E73FDA7923158B324C8B9A9CD6A07C636DF2031986 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....".f..........................................@.......................................@.................................q4..x.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x40a1a0 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x66DB2289 [Fri Sep 6 15:40:57 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: |
| Instruction |
|---|
| pop eax |
| mov edi, edx |
| cmp dword ptr [esp+18h], 00000000h |
| je 00007F43D48DFC23h |
| cmp ebx, 01h |
| adc ebx, 00000000h |
| cmp ebx, eax |
| jnc 00007F43D48DFC1Bh |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| mov edx, ebx |
| and edx, FFFFFFFDh |
| mov ebp, ebx |
| cmp byte ptr [eax], 00000013h |
| lodsd |
| in eax, 02h |
| or ebx, 02h |
| imul ebx, ebp |
| xor ebp, 02h |
| imul ebp, edx |
| add ebx, ebp |
| cmp ebx, eax |
| jc 00007F43D48DFBD6h |
| jmp 00007F43D48DFBF4h |
| mov ebx, eax |
| push ebx |
| push dword ptr [edi+0Ch] |
| push dword ptr [edi] |
| push dword ptr [ecx+34h] |
| call dword ptr [ecx+30h] |
| add esp, 10h |
| test eax, eax |
| je 00007F43D48DFBF9h |
| mov dword ptr [edi], eax |
| mov dword ptr [edi+08h], ebx |
| jmp 00007F43D48DFBF4h |
| xor esi, esi |
| mov eax, esi |
| pop esi |
| pop edi |
| pop ebx |
| pop ebp |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ecx |
| lea ecx, dword ptr [esp+04h] |
| sub ecx, eax |
| sbb eax, eax |
| not eax |
| and ecx, eax |
| mov eax, esp |
| and eax, FFFFF000h |
| cmp ecx, eax |
| jc 00007F43D48DFBFCh |
| mov eax, ecx |
| pop ecx |
| xchg eax, esp |
| mov eax, dword ptr [eax] |
| mov dword ptr [esp], eax |
| ret |
| sub eax, 00001000h |
| test dword ptr [eax], eax |
| call 00007F43BE3B0F2Dh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| jmp 00007F43D4910F50h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| jmp 00007F43D4910FE0h |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| jmp 00007F43D4912D30h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43471 | 0x78 | .relo |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x53000 | 0x41d8 | .relo |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x43594 | 0xa8 | .relo |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .relo | 0x41 | 0xd8000063 | 0x530 | af2c93099a96bfc5f4f89ab51bf279ac | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ |
| @.data | 0xeb | 0xb8000000 | 0x440 | ed0eee0036818305899fc2001fc717aa | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ |
| .text | 0x1000 | 0x3f341 | 0x3f400 | 822d1255fbcac66f0fea4582875b2284 | False | 0.4742851408102767 | data | 6.516375664844288 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x41000 | 0x289d | 0x2a00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
⊘No statistics
⊘No system behavior
⊘No disassembly