Windows Analysis Report
17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe

Overview

General Information

Sample name: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe
Analysis ID: 1544508
MD5: 32baa3c5cb4cd2452cd26846692bfafb
SHA1: defb08a85f8a4adf2bdd20ae4408597b0204a1f0
SHA256: dfd4ae7f9c8039cf58ca2a551b5765582a1d3f11cc572ece8493f8581999875f
Tags: base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

barindex
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Malware Configuration Extractor: LummaC {"C2 url": ["dilemmadu.site", "servicedny.site", "seallysl.site", "contemteny.site", "faulteyotk.site", "authorisev.site", "goalyfeastz.site", "opposezmny.site"], "Build id": "Yyt5XI--"}
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe ReversingLabs: Detection: 23%
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.3% probability
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Joe Sandbox ML: detected
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: servicedny.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: authorisev.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: faulteyotk.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: dilemmadu.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: contemteny.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: goalyfeastz.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: opposezmny.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: seallysl.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: dilemmadu.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: TeslaBrowser/5.5
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: - Screen Resoluton:
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: - Physical Installed Memory:
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: Workgroup: -
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe String decryptor: Yyt5XI--
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 0_2_00401000
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 0_2_0040111D
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 0_2_0040392F
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 0_2_00403933
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 0_2_0040393A
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h 0_2_0040D33A

Networking

barindex
Source: Malware configuration extractor URLs: dilemmadu.site
Source: Malware configuration extractor URLs: servicedny.site
Source: Malware configuration extractor URLs: seallysl.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Malware configuration extractor URLs: authorisev.site
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: opposezmny.site
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 0_2_00441AE5 0_2_00441AE5
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 0_2_0040B17B 0_2_0040B17B
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 0_2_0040B181 0_2_0040B181
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 232
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.troj.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3524
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7541b396-612a-415d-aa70-15c596fac54f Jump to behavior
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe "C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe"
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 232
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Code function: 0_2_00401525 push dword ptr [edx+eax-77h]; ret 0_2_0040152A
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe, 00000000.00000000.2161476971.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: servicedny.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe, 00000000.00000000.2161476971.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: authorisev.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe, 00000000.00000000.2161476971.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: faulteyotk.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe, 00000000.00000000.2161476971.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: dilemmadu.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe, 00000000.00000000.2161476971.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: contemteny.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe, 00000000.00000000.2161476971.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: goalyfeastz.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe, 00000000.00000000.2161476971.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: opposezmny.site
Source: 17302080091b4272992bbee9c090b25f6bf92f940e52dbb624bd0b65712ebe434dde6fac3b464.dat-decoded.exe, 00000000.00000000.2161476971.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: seallysl.site
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

barindex
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos