Windows
Analysis Report
1728051009ddd37f05bf17e06320c562854414579dfbd5afdf77d133a3e128c4a10feb2469902.dat-decoded.exe
Overview
General Information
Sample name: | 1728051009ddd37f05bf17e06320c562854414579dfbd5afdf77d133a3e128c4a10feb2469902.dat-decoded.exe |
Analysis ID: | 1525932 |
MD5: | 75096fa0c5fa1c62bde8b7f63ac05b98 |
SHA1: | 115bf0792da65bfa2ab0097b626881eed5f83be7 |
SHA256: | 6ab1a71c0b1bc3fe63c680d5d75703b05ccba656dc22b491dac2f13832b7e21d |
Tags: | base64-decodedexeuser-abuse_ch |
Infos: | |
Errors
|
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["stitchmiscpaew.shop", "grassemenwji.shop", "exmptiondixv.shop", "ignoracndwko.shop", "preachstrwnwjw.shop", "complainnykso.shop", "basedsymsotp.shop", "charistmatwio.shop", "commisionipwn.shop"], "Build id": "eFtdO8--"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Joe Sandbox ML: |
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: | ||
Source: | String decryptor: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
System Summary |
---|
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 PowerShell | Path Interception | Path Interception | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
16% | ReversingLabs | |||
100% | Joe Sandbox ML |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown | ||
true | unknown |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1525932 |
Start date and time: | 2024-10-04 16:42:08 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 2m 28s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 1 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 1728051009ddd37f05bf17e06320c562854414579dfbd5afdf77d133a3e128c4a10feb2469902.dat-decoded.exe |
Detection: | MAL |
Classification: | mal84.troj.evad.winEXE@0/0@0/0 |
Cookbook Comments: |
|
- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
- Exclude process from analysis (whitelisted): dllhost.exe
- VT rate limit hit for: 1728051009ddd37f05bf17e06320c562854414579dfbd5afdf77d133a3e128c4a10feb2469902.dat-decoded.exe
File type: | |
Entropy (8bit): | 6.68293358885377 |
TrID: |
|
File name: | 1728051009ddd37f05bf17e06320c562854414579dfbd5afdf77d133a3e128c4a10feb2469902.dat-decoded.exe |
File size: | 328'221 bytes |
MD5: | 75096fa0c5fa1c62bde8b7f63ac05b98 |
SHA1: | 115bf0792da65bfa2ab0097b626881eed5f83be7 |
SHA256: | 6ab1a71c0b1bc3fe63c680d5d75703b05ccba656dc22b491dac2f13832b7e21d |
SHA512: | 745d98dd7dc0137721537a3ba21526a852d48d8df03913756f32582bf8bbf77e479599e92ae9ba9caa1674801a1a6cada7ce7cde4774bae4811a01e28cfd65c8 |
SSDEEP: | 6144:pKPcsqgA+gTaOVk//BIYXxPzgUkVP4c4ljt2xVUVXDIJXEr4HbgXA1dgvgwu5dGF:FsFC1mksfPFifFx |
TLSH: | 3A645D09DF23C099EC9B44B151FAD73FDA7923158B364C8B9A9CD6A07C636DF2031986 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....".f..........................................@.......................................@.................................q4..x.. |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x40a1a0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66DB2289 [Fri Sep 6 15:40:57 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: |
Instruction |
---|
pop eax |
mov edi, edx |
cmp dword ptr [esp+18h], 00000000h |
je 00007F2A34AD7843h |
cmp ebx, 01h |
adc ebx, 00000000h |
cmp ebx, eax |
jnc 00007F2A34AD783Bh |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
nop |
mov edx, ebx |
and edx, FFFFFFFDh |
mov ebp, ebx |
cmp byte ptr [eax], 00000013h |
lodsd |
in eax, 02h |
or ebx, 02h |
imul ebx, ebp |
xor ebp, 02h |
imul ebp, edx |
add ebx, ebp |
cmp ebx, eax |
jc 00007F2A34AD77F6h |
jmp 00007F2A34AD7814h |
mov ebx, eax |
push ebx |
push dword ptr [edi+0Ch] |
push dword ptr [edi] |
push dword ptr [ecx+34h] |
call dword ptr [ecx+30h] |
add esp, 10h |
test eax, eax |
je 00007F2A34AD7819h |
mov dword ptr [edi], eax |
mov dword ptr [edi+08h], ebx |
jmp 00007F2A34AD7814h |
xor esi, esi |
mov eax, esi |
pop esi |
pop edi |
pop ebx |
pop ebp |
ret |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ecx |
lea ecx, dword ptr [esp+04h] |
sub ecx, eax |
sbb eax, eax |
not eax |
and ecx, eax |
mov eax, esp |
and eax, FFFFF000h |
cmp ecx, eax |
jc 00007F2A34AD781Ch |
mov eax, ecx |
pop ecx |
xchg eax, esp |
mov eax, dword ptr [eax] |
mov dword ptr [esp], eax |
ret |
sub eax, 00001000h |
test dword ptr [eax], eax |
call 00007F2A1E5A8B4Dh |
int3 |
int3 |
int3 |
int3 |
int3 |
jmp 00007F2A34B08B70h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
jmp 00007F2A34B08C00h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
jmp 00007F2A34B0A950h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43471 | 0x78 | .relo |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x53000 | 0x41d8 | .relo |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x43594 | 0xa8 | .relo |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.relo | 0x41 | 0xd8000063 | 0x530 | af2c93099a96bfc5f4f89ab51bf279ac | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ |
@.data | 0xeb | 0xb8000000 | 0x440 | ed0eee0036818305899fc2001fc717aa | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ |
.text | 0x1000 | 0x3f341 | 0x3f400 | 822d1255fbcac66f0fea4582875b2284 | False | 0.4742851408102767 | data | 6.516375664844288 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x41000 | 0x289d | 0x2a00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ |