Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1532358
MD5: 05443b11c90686db9e945c7b5db2083f
SHA1: 4d06a81a31d2a24acf23aebc669e36ab43198c83
SHA256: 941bc1cae6bd0f033e560e2312324653586dbe7d84bb231e89c479501ab3419d
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Found malware configuration
Source: 2.2.BitLockerToGo.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["condifendteu.sbs", "allocatinow.sbs", "ehticsprocw.sbs", "vennurviot.sbs", "divewanntwj.biz", "drawwyobstacw.sbs", "enlargkiw.sbs", "resinedyw.sbs", "mathcucom.sbs"], "Build id": "k99eRC--davi"}
Multi AV Scanner detection for submitted file
Source: Setup.exe ReversingLabs: Detection: 15%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: divewanntwj.biz
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: divewanntwj.biz
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String decryptor: k99eRC--davi
Uses 32bit PE files
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.6:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.6:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 2_2_004438E4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [ebp+esi-1Eh] 2_2_004439B5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-2D586584h] 2_2_0043CCC5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp edi 2_2_00443D4F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-0000008Dh] 2_2_0040CE60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 2_2_0042E049
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea edi, dword ptr [esp+04h] 2_2_0042E049
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp+18h] 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1Eh] 2_2_0040F0C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push eax 2_2_004430D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0042E0D7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 731CDBF3h 2_2_004410E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5715E8D1h] 2_2_004410E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [esi+ecx-43CF5BD5h] 2_2_004320A3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], dl 2_2_00430120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], cl 2_2_00430120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 2_2_0041E180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push 2CCA4B49h 2_2_0040E244
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_004252E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, ebx 2_2_004252E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [edi+eax-17h] 2_2_004252E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_0042C2EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_0042F2F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 2_2_004452A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_004452A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 2_2_00427350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, ecx 2_2_00429370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, dword ptr [esp+38h] 2_2_00429370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 87573896h 2_2_004463E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 2_2_004453F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_004453F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h 2_2_0041E4E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 2_2_0042B500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], C85F7986h 2_2_0042B500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, ecx 2_2_00429500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-3643ABD5h] 2_2_0042D530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h 2_2_004405F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 2_2_004455B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_004455B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_0041E670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 2_2_004056F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 2_2_00440750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, ecx 2_2_00410772
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 2_2_00445700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_00445700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 2_2_0042E7C2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_004207E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 2_2_004457F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_004457F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx] 2_2_0040F819
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ebx 2_2_0040F819
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h] 2_2_0040D8C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [esp+ebx+04h] 2_2_0040D8C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-73239D8Bh] 2_2_0042B8F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_004398F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 2_2_004108A8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 2_2_0042F900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push esi 2_2_0042C913
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h] 2_2_00432992
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+74h] 2_2_00432992
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+ecx+02h], 0000h 2_2_00421A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 62429966h 2_2_00440AA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [edi+ecx], 00000000h 2_2_00445B20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_00445B20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp dword ptr [0044EF6Ch] 2_2_0042CBDC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 2_2_00406B90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 2_2_0042CC28
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ecx+edi*8], FFFF4170h 2_2_00446C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+312BE668h] 2_2_00440CC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 7B3AFDABh 2_2_00440CC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea eax, dword ptr [esp+48h] 2_2_0042AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 2_2_00445E70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 2_2_0043EE00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 53F09CFAh 2_2_0041EE2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 2_2_0041EE2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 2_2_0041EE2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], C59B8BCBh 2_2_00446F00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebp, word ptr [eax] 2_2_00446F00

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.6:49780 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.6:49790 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.6:49774 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.6:65205 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.6:63862 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.6:49806 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.6:63346 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.6:49813 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.6:55186 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.6:54466 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.6:56776 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.6:52725 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.6:54019 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.6:49819 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.6:49799 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49763 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49763 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49774 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49774 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49780 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49780 -> 104.21.33.249:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49819 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49819 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49837 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49837 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49790 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49826 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49813 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49813 -> 104.21.79.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49806 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49806 -> 172.67.173.224:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49790 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49799 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49799 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49843 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49843 -> 172.67.206.204:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: condifendteu.sbs
Source: Malware configuration extractor URLs: allocatinow.sbs
Source: Malware configuration extractor URLs: ehticsprocw.sbs
Source: Malware configuration extractor URLs: vennurviot.sbs
Source: Malware configuration extractor URLs: divewanntwj.biz
Source: Malware configuration extractor URLs: drawwyobstacw.sbs
Source: Malware configuration extractor URLs: enlargkiw.sbs
Source: Malware configuration extractor URLs: resinedyw.sbs
Source: Malware configuration extractor URLs: mathcucom.sbs
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 104.21.33.249 104.21.33.249
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: divewanntwj.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=bxMlIAxRNFAWJgPn4rB1sAax3Kr_T1ZtpPoatisDzkE-1728776609-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: divewanntwj.biz
Source: global traffic DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: divewanntwj.biz
Source: Setup.exe, program.js.0.dr String found in binary or memory: http://json-schema.org/draft-07/schema
Source: program.js.0.dr String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: Setup.exe, program.js.0.dr String found in binary or memory: http://json-schema.org/schema
Source: Setup.exe, 00000000.00000002.2279698242.0000000003E1E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://jsperf.com/1-vs-infinity
Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/
Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/3l
Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/api
Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/api1
Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/co
Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/pi
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Setup.exe, program.js.0.dr String found in binary or memory: https://aws.amazon.com
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: BitLockerToGo.exe, 00000002.00000003.2297598155.00000000031AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://divewanntwj.biz/api
Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/api
Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/li3
Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://enlargkiw.sbs/
Source: Setup.exe, program.js.0.dr String found in binary or memory: https://github.com/aws/jsii
Source: Setup.exe, program.js.0.dr String found in binary or memory: https://github.com/aws/jsii.git
Source: Setup.exe, program.js.0.dr String found in binary or memory: https://github.com/aws/jsii/issues
Source: program.js.0.dr String found in binary or memory: https://github.com/jprichardson/node-fs-extra/issues/269
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: Setup.exe, 00000000.00000002.2279698242.0000000003E1E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://jsperf.com/object-keys-vs-for-in-with-closure/3
Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297598155.00000000031AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/
Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/api
Source: BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/apij
Source: program.js.0.dr String found in binary or memory: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#
Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/
Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/api
Source: BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs:443/apii
Source: BitLockerToGo.exe, 00000002.00000002.2400111218.0000000003188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: BitLockerToGo.exe, 00000002.00000002.2400111218.000000000319C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: BitLockerToGo.exe, 00000002.00000002.2400111218.000000000319C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiC
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000002.00000003.2386774263.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.6:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.6:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.79.35:443 -> 192.168.2.6:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49843 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00436F40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00436F40
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00436F40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00436F40

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000003.2197228069.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000002.2281733359.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004112A3 2_2_004112A3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00443D4F 2_2_00443D4F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00401000 2_2_00401000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041900F 2_2_0041900F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040F0C0 2_2_0040F0C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004150C0 2_2_004150C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040A0E0 2_2_0040A0E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004410E0 2_2_004410E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040B0F0 2_2_0040B0F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004320A3 2_2_004320A3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00411100 2_2_00411100
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00430120 2_2_00430120
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004471F0 2_2_004471F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00420233 2_2_00420233
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004352D0 2_2_004352D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004252E2 2_2_004252E2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042C2EE 2_2_0042C2EE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004012F3 2_2_004012F3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043C2A0 2_2_0043C2A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004452A0 2_2_004452A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004122B0 2_2_004122B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040134E 2_2_0040134E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00429370 2_2_00429370
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00408320 2_2_00408320
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042D327 2_2_0042D327
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004453F0 2_2_004453F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00444460 2_2_00444460
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040D4D0 2_2_0040D4D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00415497 2_2_00415497
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042B500 2_2_0042B500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00429500 2_2_00429500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00435500 2_2_00435500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00423510 2_2_00423510
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042D530 2_2_0042D530
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041A596 2_2_0041A596
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041C596 2_2_0041C596
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040A5A0 2_2_0040A5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004275B0 2_2_004275B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004455B0 2_2_004455B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00401602 2_2_00401602
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004316CE 2_2_004316CE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00403770 2_2_00403770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00428770 2_2_00428770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00445700 2_2_00445700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042E7C2 2_2_0042E7C2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004207E0 2_2_004207E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004457F0 2_2_004457F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00444870 2_2_00444870
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040F819 2_2_0040F819
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040D8C0 2_2_0040D8C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_004078D0 2_2_004078D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042C8DA 2_2_0042C8DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043B970 2_2_0043B970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042F900 2_2_0042F900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042C931 2_2_0042C931
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00416982 2_2_00416982
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00432992 2_2_00432992
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00446990 2_2_00446990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00421A60 2_2_00421A60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041FAC9 2_2_0041FAC9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042BAF1 2_2_0042BAF1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00436A90 2_2_00436A90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041BAAE 2_2_0041BAAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00445B20 2_2_00445B20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043BBD0 2_2_0043BBD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00411C5B 2_2_00411C5B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040AC60 2_2_0040AC60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00427C6E 2_2_00427C6E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040BC00 2_2_0040BC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00422C00 2_2_00422C00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043CC17 2_2_0043CC17
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00423C30 2_2_00423C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00446C30 2_2_00446C30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0040ED40 2_2_0040ED40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00444D60 2_2_00444D60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00408D70 2_2_00408D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041BD73 2_2_0041BD73
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0042AD00 2_2_0042AD00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00436D00 2_2_00436D00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00404E60 2_2_00404E60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0041EE2E 2_2_0041EE2E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00406ED0 2_2_00406ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00446F00 2_2_00446F00
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040DF70 appears 198 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0040C720 appears 70 times
Sample file is different than original file name gathered from version info
Source: Setup.exe, 00000000.00000002.2279256146.0000000001E33000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs Setup.exe
Source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs Setup.exe
Uses 32bit PE files
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000003.2197228069.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.2281733359.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/4@11/9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_0043C754 CoCreateInstance,CoCreateInstance, 2_2_0043C754
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\jsii-runtime.3122541536 Jump to behavior
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Setup.exe ReversingLabs: Detection: 15%
Source: Setup.exe String found in binary or memory: github.com/aws/jsii-runtime-go@v1.103.1/internal/kernel/load.go
Source: Setup.exe String found in binary or memory: github.com/aws/aws-cdk-go/awscdk/v2@v2.162.1/awsec2/LaunchTemplate.go
Source: Setup.exe String found in binary or memory: github.com/aws/aws-cdk-go/awscdk/v2@v2.162.1/awsec2/LaunchTemplate__checks.go
Source: Setup.exe String found in binary or memory: github.com/aws/aws-cdk-go/awscdk/v2@v2.162.1/awsec2/LaunchTemplateRequireImdsv2Aspect.go
Source: Setup.exe String found in binary or memory: github.com/aws/aws-cdk-go/awscdk/v2@v2.162.1/awsec2/LaunchTemplateRequireImdsv2Aspect__checks.go
Source: Setup.exe String found in binary or memory: net/addrselect.go
Source: Setup.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Setup.exe Static file information: File size 25899008 > 1048576
Source: Setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x9dac00
Source: Setup.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xdbd200
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: BitLockerToGo.pdb source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: Setup.exe, 00000000.00000002.2279698242.0000000003E98000.00000004.00001000.00020000.00000000.sdmp
PE file contains sections with non-standard names
Source: Setup.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain checking for user administrative privileges
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4416 Thread sleep time: -60000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: BitLockerToGo.exe, 00000002.00000003.2338992409.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2319556533.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000002.00000003.2297775302.00000000031D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Setup.exe Binary or memory string: (sensitive)OUT_OF_RANGElogrus_errorbase32hexpadbase58flickrbase64urlpadexcursion %sstart of mapJSII_RUNTIME<unknown:%d>Sfixed32KindSfixed64Kindmessage_typejava_packageoptimize_forswift_prefixruby_packagedebug_redactdouble_valuestring_valueverificationis_extensionRCodeSuccessRCodeRefusedunknown type = struct { caller errorFieldOptionsOneofOptionsprotobuf_keyprotobuf_valavx5124fmapsavx512bitalgFieldNumbersAMDisbetter!AuthenticAMDCentaurHaulsGenuineIntelTransmetaCPUGenuineTMx86Geode by NSCVIA VIA VIA KVMKVMKVMKVMMicrosoft HvVMwareVMwareXenVMMXenVMMbhyve bhyve HygonGenuineVortex86 SoCSiS SiS SiS RiseRiseRiseGenuine RDCLITE_RUNTIMESTRING_PIECEparsing time out of rangelatestVersionaddPermissioncfnPropertiescreationStackroutingConfigaddDependencycdkTagManagerscalingConfigarchitecturesloggingConfigrecursiveLooptracingConfigsourceAccountruntimePolicybundlingImageruntimeEqualsPROXY_HANDLERAddPermissionLatestVersionAddDependencyCfnPropertiesCreationStackRoutingConfigCdkTagManagerScalingConfigArchitecturesLoggingConfigRecursiveLoopTracingConfigSourceAccountRuntimePolicyBundlingImageRuntimeEqualsparameter valtargetAddressTargetAddressFindFirstFileunimplementedlevel 3 resetsrmount errortimer expiredexchange fullRegEnumKeyExWRegOpenKeyExWCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameWSACloseEventgethostbyaddrgetservbyportWSAResetEventWSAIsBlockingSysFreeStringSafeArrayLockSafeArrayCopyVarI2FromDateVarI2FromDispVarI2FromBoolVarI4FromDateVarI4FromDispVarI4FromBoolVarR4FromDateVarR4FromDispVarR4FromBoolVarR8FromDateVarR8FromDispVarR8FromBoolVarDateFromI2VarDateFromI4VarDateFromR4VarDateFromR8VarDateFromCyVarCyFromDateVarCyFromDispVarCyFromBoolVarBstrFromI2VarBstrFromI4VarBstrFromR4VarBstrFromR8VarBstrFromCyVarBoolFromI2VarBoolFromI4VarBoolFromR4VarBoolFromR8VarBoolFromCyVarUI1FromStrCreateTypeLibClearCustDataLoadTypeLibExVarDecFromUI1VarDecFromStrVarDateFromI1VarBstrFromI1VarBoolFromI1VarUI1FromUI2VarUI1FromUI4VarUI1FromDecVarDecFromUI2VarDecFromUI4VarI1FromDateVarI1FromDispVarI1FromBoolVarUI2FromUI1VarUI2FromStrVarUI2FromUI4VarUI2FromDecVarUI4FromUI1VarUI4FromStrVarUI4FromUI2VarUI4FromDecBSTR_UserSizeBSTR_UserFreeVarI8FromDateVarI8FromDispVarI8FromBoolVarDateFromI8VarBstrFromI8VarBoolFromI8VarUI1FromUI8VarDecFromUI8VarUI2FromUI8VarUI4FromUI8VarUI8FromUI1VarUI8FromStrVarUI8FromUI2VarUI8FromUI4VarUI8FromDecOMAP From SrcInterfaceImplStandAloneSigAssemblyRefOSEFI byte codeMIPS with FPUDebugStrippedHighEntropyVAEFI ROM imageRISC-V Low12sMIPS JMP AddrRISC-V Low 12Albanian (sq)Armenian (hy)Assamese (as)Corsican (co)Croatian (hr)Estonian (et)Galician (gl)Georgian (ka)Gujarati (gu)Japanese (ja)Kashmiri (ks)Konkani (kok)Quechua (quz)Romanian (ro)Sanskrit (sa)Setswana (tn)Tigrinya (ti)Contains CodeAlign128BytesAlign256BytesAlign512BytesExtendedRelocAlign 2-BytesAlign 4-BytesAlign 8-ByteswakeableSleepprofMemActiveprofMemFuturetraceStackTabexecRInternaltestRInternalGC sweep waitout of memory is nil, not value method
Source: BitLockerToGo.exe, 00000002.00000002.2400111218.000000000319C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Setup.exe, 00000000.00000002.2279367148.0000000001E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 2_2_00443090 LdrInitializeThunk, 2_2_00443090

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Setup.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: drawwyobstacw.sbs
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condifendteu.sbs
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ehticsprocw.sbs
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: vennurviot.sbs
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: resinedyw.sbs
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: enlargkiw.sbs
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: allocatinow.sbs
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mathcucom.sbs
Source: Setup.exe, 00000000.00000002.2281733359.0000000004215000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: divewanntwj.biz
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2DD0008 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44B000 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 45C000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Users\user\Desktop\Setup.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532358 Sample: Setup.exe Startdate: 13/10/2024 Architecture: WINDOWS Score: 100 14 vennurviot.sbs 2->14 16 steamcommunity.com 2->16 18 9 other IPs or domains 2->18 26 Suricata IDS alerts for network traffic 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 6 other signatures 2->32 7 Setup.exe 7 2->7         started        signatures3 process4 signatures5 34 Writes to foreign memory regions 7->34 36 Allocates memory in foreign processes 7->36 38 Injects a PE file into a foreign processes 7->38 40 LummaC encrypted strings found 7->40 10 BitLockerToGo.exe 7->10         started        process6 dnsIp7 20 enlargkiw.sbs 104.21.33.249, 443, 49780 CLOUDFLARENETUS United States 10->20 22 resinedyw.sbs 104.21.77.78, 443, 49790 CLOUDFLARENETUS United States 10->22 24 7 other IPs or domains 10->24 42 Found evasive API chain checking for user administrative privileges 10->42 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 mathcucom.sbs European Union
13335 CLOUDFLARENETUS true
104.21.33.249
 enlargkiw.sbs United States
13335 CLOUDFLARENETUS true
172.67.173.224
 ehticsprocw.sbs United States
13335 CLOUDFLARENETUS true
188.114.96.3
 drawwyobstacw.sbs European Union
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
172.67.140.193
 vennurviot.sbs United States
13335 CLOUDFLARENETUS true
104.21.77.78
 resinedyw.sbs United States
13335 CLOUDFLARENETUS true
104.21.79.35
 condifendteu.sbs United States
13335 CLOUDFLARENETUS true
172.67.206.204
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
condifendteu.sbs 104.21.79.35 true
steamcommunity.com 104.102.49.254 true
vennurviot.sbs 172.67.140.193 true
drawwyobstacw.sbs 188.114.96.3 true
mathcucom.sbs 188.114.97.3 true
divewanntwj.biz 188.114.97.3 true
sergei-esenin.com 172.67.206.204 true
ehticsprocw.sbs 172.67.173.224 true
resinedyw.sbs 104.21.77.78 true
enlargkiw.sbs 104.21.33.249 true
allocatinow.sbs unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
enlargkiw.sbs true
    		unknown
    allocatinow.sbs true
      		unknown
      drawwyobstacw.sbs true
        		unknown
        mathcucom.sbs true
          		unknown
          https://steamcommunity.com/profiles/76561199724331900 true
          • URL Reputation: malware
          		 unknown
          https://vennurviot.sbs/api true
            		unknown
            ehticsprocw.sbs true
              		unknown
              https://divewanntwj.biz/api true
                		unknown
                condifendteu.sbs true
                  		unknown
                  https://drawwyobstacw.sbs/api true
                    		unknown
                    https://resinedyw.sbs/api true
                      		unknown
                      https://mathcucom.sbs/api true
                        		unknown
                        resinedyw.sbs true
                          		unknown
                          vennurviot.sbs true
                            		unknown
                            https://condifendteu.sbs/api true
                              		unknown
                              divewanntwj.biz true
                                		unknown
                                https://enlargkiw.sbs/api true
                                  		unknown