Windows Analysis Report
17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Overview

General Information

Sample name:	17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe
Analysis ID:	1525929
MD5:	f17bb17a8c7a8960d9cb35afa5a712f6
SHA1:	38939288774b4d5e03b008097510d5b500db5a8b
SHA256:	22f7f158df1f9cf06babc6e845806aa79d257fdef057bcbeb8a17647c8d8a04e
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus detection for URL or domain

Source: locatedblsoqp.shop	URL Reputation: Label: phishing
Source: caffegclasiqwp.shop	URL Reputation: Label: malware
Source: condedqpwqm.shop	URL Reputation: Label: phishing
Source: millyscroqwp.shop	URL Reputation: Label: malware
Source: stamppreewntnq.shop	URL Reputation: Label: phishing
Source: stagedchheiqwo.shop	URL Reputation: Label: phishing
Source: traineiwnqo.shop	URL Reputation: Label: malware

Found malware configuration

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Malware Configuration Extractor: LummaC {"C2 url": ["traineiwnqo.shop", "condedqpwqm.shop", "millyscroqwp.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop", "locatedblsoqp.shop", "exmptiondixv.shop", "stagedchheiqwo.shop", "stamppreewntnq.shop"], "Build id": "eFtdO8--"}

Multi AV Scanner detection for submitted file

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Machine Learning detection for sample

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: caffegclasiqwp.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: stamppreewntnq.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: stagedchheiqwo.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: millyscroqwp.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: evoliutwoqm.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: condedqpwqm.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: traineiwnqo.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: locatedblsoqp.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: exmptiondixv.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: TeslaBrowser/5.5
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: - Screen Resoluton:
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: - Physical Installed Memory:
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: Workgroup: -
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	String decryptor: eFtdO8--

Uses 32bit PE files

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	Code function: 4x nop then cld		1_2_00401850
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-14h]		1_2_00442C0A

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: exmptiondixv.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

One or more processes crash

Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 224

PE file does not import any functions

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.evad.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5236

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0525454c-7221-4edf-b87c-847520b51ce9

Jump to behavior

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe "C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe"
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 224

Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Section loaded: apphelp.dll

Jump to behavior

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	Code function: 1_2_00401297 push esp; ret		1_2_00401298
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	Code function: 1_2_00401369 pushfd ; ret		1_2_0040136A

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: millyscroqwp.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: condedqpwqm.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: traineiwnqo.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: exmptiondixv.shop

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
locatedblsoqp.shop	true	URL Reputation: phishing	unknown
caffegclasiqwp.shop	true	URL Reputation: malware	unknown
condedqpwqm.shop	true	URL Reputation: phishing	unknown
millyscroqwp.shop	true	URL Reputation: malware	unknown
stamppreewntnq.shop	true	URL Reputation: phishing	unknown
evoliutwoqm.shop	true	URL Reputation: safe	unknown
exmptiondixv.shop	true		unknown
stagedchheiqwo.shop	true	URL Reputation: phishing	unknown
traineiwnqo.shop	true	URL Reputation: malware	unknown

ID:	1525929
Product:	CloudBasic
Start time:	16:41:32
Start date:	04.10.2024
Sample:	17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f17bb17a8c7a8960d9cb35afa5a712f6
SHA1:	38939288774b4d5e03b008097510d5b500db5a8b
SHA256:	22f7f158df1f9cf06babc6e845806aa79d257fdef057bcbeb8a17647c8d8a04e
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_17280510095e9673_3238bd9d8be125a3421114749f92e54b5e937e2_73825aa8_ca89b281-5e8a-498c-b381-8618a2d3477f\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	54D6D8D4B011D50E45379B3F3B429444	6FD054DF8CD0AA0B100207228299344DADBD942F	DCA35051C072FE33872FBBC94622669FACD4558F1EC8A3ED568A4EB64A120FEF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER57B5.tmp.dmp	Mini DuMP crash report, 14 streams, Fri Oct 4 14:43:52 2024, 0x1205a4 type	3DF48CF113B0EB466586B28D4E13E1B6	76981FEE788A06C36EC1B9C8CF733CB673EF419D	2D488A4CB36A610B09C3EC15CA5CC061F05C12A7D5DBA87933A9B6317E678402
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5881.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	3AAD00C64F9329DFF1234BF8BC709F46	C4FAB0599D6E4983B43F3A41C32C8D60AC519E12	796B8C95F6250D8259D1D3A822578F07D6C885F24E591C22DAE71734829F5BBD
C:\ProgramData\Microsoft\Windows\WER\Temp\WER58C0.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	8A67E0F0557D5B0B0653F72D5586EC4A	033424252125F1F336FAF7EC755D25051105BD8F	FADDF6DC839550047E4DDD2654E3E4689D38F143EBE8EF8BB793AC3C34F0156B
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	9286612F84670B3BB0E13F1C78751AF4	AF569A1B798CBAF142136DBD766DCDFDACA1AEAD	6FC67B8EDB86370A37B3748AD78A99660760C1A0C6A4238D58591136FAEC3994

Windows Analysis Report
17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe

Malware Threat Intel
Provided by