Windows Analysis Report
17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Overview

General Information

Sample name:	17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe
Analysis ID:	1545600
MD5:	b129cb1b9d3dcb2bcea9a5a836070070
SHA1:	e4d9174aff0a87c95c108d961d34dc3c791a580b
SHA256:	4c40d639d5f18b16a519e4be04c75440c02ab871a143ec2a27feed3392dc0ec5
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file does not import any functions

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Found malware configuration

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Malware Configuration Extractor: LummaC {"C2 url": ["forbidstow.site", "dilemmadu.site", "seallysl.site", "goalyfeastz.site", "faulteyotk.site", "authorisev.site", "opposezmny.site", "servicedny.site", "contemteny.site"], "Build id": "1AsNN2--5148330480"}

Multi AV Scanner detection for submitted file

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: servicedny.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: authorisev.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: faulteyotk.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: dilemmadu.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: contemteny.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: goalyfeastz.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: opposezmny.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: seallysl.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: forbidstow.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: TeslaBrowser/5.5
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: - Screen Resoluton:
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: - Physical Installed Memory:
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: Workgroup: -
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	String decryptor: 1AsNN2--5148330480

Uses 32bit PE files

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	1_2_00401000
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	1_2_0040111D
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	1_2_0040392F
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	1_2_00403933
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	1_2_0040393A
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h	1_2_0040D33A

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: forbidstow.site
Source: Malware configuration extractor	URLs: dilemmadu.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: servicedny.site
Source: Malware configuration extractor	URLs: contemteny.site

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Detected potential crypto function

Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 1_2_00441AE5	1_2_00441AE5
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 1_2_0040B17B	1_2_0040B17B
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Code function: 1_2_0040B181	1_2_0040B181

One or more processes crash

Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 224

PE file does not import any functions

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/5@1/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6520

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b3fc588e-2e1f-4e95-a06f-b3be1d605f71

Jump to behavior

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe "C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe"
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 224

Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Section loaded: apphelp.dll

Jump to behavior

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Code function: 1_2_00401525 push dword ptr [edx+eax-77h]; ret

1_2_0040152A

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: servicedny.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: authorisev.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: faulteyotk.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: dilemmadu.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: contemteny.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: goalyfeastz.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: opposezmny.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: seallysl.site
Source: 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe, 00000001.00000000.1503201494.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: forbidstow.site

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
241.42.69.40.in-addr.arpa	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
goalyfeastz.site	true	unknown
servicedny.site	true	unknown
contemteny.site	true	unknown
faulteyotk.site	true	unknown
opposezmny.site	true	unknown
dilemmadu.site	true	unknown
seallysl.site	true	unknown
forbidstow.site	true	unknown
authorisev.site	true	unknown

ID:	1545600
Product:	CloudBasic
Start time:	17:54:08
Start date:	30.10.2024
Sample:	17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b129cb1b9d3dcb2bcea9a5a836070070
SHA1:	e4d9174aff0a87c95c108d961d34dc3c791a580b
SHA256:	4c40d639d5f18b16a519e4be04c75440c02ab871a143ec2a27feed3392dc0ec5
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_17303071876386e3_244e86189a14f4516226cec895f755d816d6ef_1b816ac5_7996cf82-149b-4b58-bb4f-4a1efff292fc\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C15757141831704E21D22B802AFBC9E7	EAF8CADF3CFC3B2CED50F9CEE42FBF2C727CF7F0	CF176E07476E0120CFB00902DAFED88FB6FDB8AC019276F175249AA1A54A648C
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB49D.tmp.dmp	Mini DuMP crash report, 14 streams, Wed Oct 30 16:55:18 2024, 0x1205a4 type	08040C4DBF4A19806DB1125CF6761FD7	18C2BDBE00167BF63D08C20E09A42D61C80187AC	246023C9EA8CDACC4E52DD9C022A56D78C977D99B32FA3B5D876CB9D5AC34AF9
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4DD.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	D4755FA5A114FA9212E40C5D91851F2D	5FF156BF3ADE1856658C110CC32A283060A496EE	243A06078C8E0338A6391F5D8173EBA52A2525CDC5964A35BAC510F3C5836513
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4FD.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	B56865C62F599E447330DD1F761C8229	2ACD848E7AE29F593547CAF6EAB48DD604AD99BF	D235F9A819F557BD961659BB334A7017843FC7B12660C69BD1FD8DCD0BE7B6C7
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	FCAFC5736A52203687C356DE5CA18B26	FADED12BC082D303A1D72D7CC0AF7A88B2B17E1A	4FF6C543D4AB03D6F89C54632D1BBEC36ED9409D5FD9145E908DAE5858717067

Windows Analysis Report
17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

Windows Analysis Report 17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Contacted URLs

Windows Analysis Report
17303071876386e352212a6fcbe671f992a5355b5429aa9e8a123b07340d12981e86c28206748.dat-decoded.exe

Malware Threat Intel
Provided by