Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe
Analysis ID: 1545676
MD5: 21eb0b29554b832d677cea9e8a59b999
SHA1: e6775ef09acc67f90e07205788a4165cbf8496ca
SHA256: 9aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656
Tags: exe
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Avira: detected
Found malware configuration
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe.4524.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["faulteyotk.site", "dilemmadu.site", "ponintnykqwm.shop", "authorisev.site", "goalyfeastz.site", "contemteny.site", "servicedny.site", "opposezmny.site", "seallysl.site"], "Build id": "g392sM--"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe ReversingLabs: Detection: 72%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: servicedny.site
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: authorisev.site
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: faulteyotk.site
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: dilemmadu.site
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: contemteny.site
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: goalyfeastz.site
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: opposezmny.site
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: seallysl.site
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: ponintnykqwm.shop
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2179308756.00000000003D1000.00000040.00000001.01000000.00000003.sdmp String decryptor: g392sM--
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003ED5AF CryptUnprotectData, 0_2_003ED5AF
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0045B490 FindFirstFileW, 0_2_0045B490
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] 0_2_003E0130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov byte ptr [ebx], dl 0_2_003E0130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] 0_2_003E0130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edx, ecx 0_2_003E0130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edx, ecx 0_2_003E0130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx esi, byte ptr [eax] 0_2_004141F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edx, ecx 0_2_0041137E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edx, ecx 0_2_004113D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then jmp eax 0_2_003ED5AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edx, eax 0_2_0040A97E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then cmp dword ptr [eax+ebx*8], 7CDE1E50h 0_2_0040A97E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h 0_2_0040A97E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] 0_2_003E011A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov byte ptr [ebx], dl 0_2_003E011A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] 0_2_003E011A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edx, ecx 0_2_003E011A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edx, ecx 0_2_003E011A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-7DC9E524h] 0_2_003F41E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx esi, byte ptr [eax] 0_2_00414380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_0040C6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_003EC6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_003EC8CE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx ebx, byte ptr [edx+esi] 0_2_003DC960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_003FCA72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_003FCA72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov dword ptr [esp+3Ch], 595A5B84h 0_2_00410E3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edi, dword ptr [esp+54h] 0_2_003FCEDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx edi, word ptr [edx] 0_2_003F8F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h 0_2_003D1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 0_2_003D1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h 0_2_003D12D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov ecx, ebx 0_2_003F1333
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov ebx, eax 0_2_003DD500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-67BC38F0h] 0_2_00411648
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+52B71DE2h] 0_2_00411720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx ecx, byte ptr [edi+ebx] 0_2_003D5820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edi, edx 0_2_003F1B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_003FDE70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_003F5F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 0_2_003FE400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 0_2_003FE870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov ecx, eax 0_2_003DE8DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov ecx, eax 0_2_003DE996
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch] 0_2_003FAA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then jmp eax 0_2_003FAA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then cmp al, 2Eh 0_2_003FAC04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov edi, esi 0_2_003EECDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then jmp edx 0_2_00412EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_00412EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h 0_2_0040B170
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then jmp edx 0_2_004131D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_004131D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then jmp edx 0_2_004132C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_004132C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then jmp edx 0_2_004133B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_004133B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov word ptr [ebx], ax 0_2_003EF510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_003EF510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 0_2_00413720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h] 0_2_0040F7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh] 0_2_0040FAD0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2057089 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opposezmny .site) : 192.168.2.5:64649 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057085 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (goalyfeastz .site) : 192.168.2.5:57318 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057086 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) : 192.168.2.5:49710 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2057086 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) : 192.168.2.5:49711 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2057086 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) : 192.168.2.5:49706 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2057093 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site) : 192.168.2.5:56982 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057086 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) : 192.168.2.5:49709 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2057086 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) : 192.168.2.5:49708 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2057086 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) : 192.168.2.5:49705 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2057086 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) : 192.168.2.5:49707 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2057086 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) : 192.168.2.5:49704 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49711 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.33.140:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49706 -> 104.21.33.140:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Malware configuration extractor URLs: dilemmadu.site
Source: Malware configuration extractor URLs: ponintnykqwm.shop
Source: Malware configuration extractor URLs: authorisev.site
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: servicedny.site
Source: Malware configuration extractor URLs: opposezmny.site
Source: Malware configuration extractor URLs: seallysl.site
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: goalyfeastz.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: goalyfeastz.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12830Host: goalyfeastz.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15072Host: goalyfeastz.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20562Host: goalyfeastz.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1266Host: goalyfeastz.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551704Host: goalyfeastz.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: goalyfeastz.site
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ponintnykqwm.shop
Source: global traffic DNS traffic detected: DNS query: seallysl.site
Source: global traffic DNS traffic detected: DNS query: opposezmny.site
Source: global traffic DNS traffic detected: DNS query: goalyfeastz.site
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: goalyfeastz.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2168082306.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microH
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179308756.0000000000429000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179308756.0000000000429000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107225236.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109587943.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2180620426.0000000003C55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.si
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2178900486.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179824263.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2179061369.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/FO?
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2180634764.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179824263.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107031075.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092185676.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179772670.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2178900486.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2123072957.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2168029600.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2178900486.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179932755.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179824263.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2139833690.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/api
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2107031075.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apie)
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2150212465.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2167970332.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179932755.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apil
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2150212465.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2167970332.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179932755.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apis
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2139742048.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apisH
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2139742048.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apiw
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2168082306.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/o
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2079827222.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2150212465.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site:443/api
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109587943.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109261947.0000000003EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109261947.0000000003EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080664665.0000000003BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109261947.0000000003EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109261947.0000000003EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109261947.0000000003EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109261947.0000000003EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109261947.0000000003EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2109261947.0000000003EEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.140:443 -> 192.168.2.5:49711 version: TLS 1.2

System Summary
barindex
PE file has nameless sections
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483650 NtSetInformationFile, 0_2_00483650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483634 NtClose, 0_2_00483634
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004836B8 NtReadFile, 0_2_004836B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483710 NtCreateFile, 0_2_00483710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004837F0 NtProtectVirtualMemory, 0_2_004837F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482B50 NtDeviceIoControlFile, 0_2_00482B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482BE4 NtCreateThread, 0_2_00482BE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482BB0 NtQueryInformationProcess, 0_2_00482BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482C50 NtCreateProcess, 0_2_00482C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482CF8 NtCreateUserProcess, 0_2_00482CF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482CA0 NtCreateProcessEx, 0_2_00482CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482D60 NtOpenKeyEx, 0_2_00482D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482DE0 NtQuerySecurityObject, 0_2_00482DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482D8C NtSetVolumeInformationFile, 0_2_00482D8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482E6C NtFsControlFile, 0_2_00482E6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482E14 NtNotifyChangeDirectoryFile, 0_2_00482E14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482F54 NtOpenKey, 0_2_00482F54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482F74 NtEnumerateValueKey, 0_2_00482F74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482F04 NtAccessCheck, 0_2_00482F04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482FE8 NtQueryValueKey, 0_2_00482FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00482FB4 NtQueryKey, 0_2_00482FB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483070 NtEnumerateKey, 0_2_00483070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483028 NtCreateKey, 0_2_00483028
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004830B0 NtSetValueKey, 0_2_004830B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004831E0 NtQueryMultipleValueKey, 0_2_004831E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483180 NtNotifyChangeKey, 0_2_00483180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0048327C NtSetInformationKey, 0_2_0048327C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004832C4 NtTerminateProcess, 0_2_004832C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004832E0 NtWriteFile, 0_2_004832E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0048336C NtQueryDirectoryFile, 0_2_0048336C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483338 NtQueryObject, 0_2_00483338
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004833F4 NtDuplicateObject, 0_2_004833F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0048343C NtQueryVolumeInformationFile, 0_2_0048343C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004834EC NtUnlockFile, 0_2_004834EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0048348C NtLockFile, 0_2_0048348C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483558 NtQuerySection, 0_2_00483558
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0048353C NtUnmapViewOfSection, 0_2_0048353C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004835EC NtCreateSection, 0_2_004835EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0048358C NtMapViewOfSection, 0_2_0048358C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483684 NtQueryInformationFile, 0_2_00483684
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00483778 NtOpenFile, 0_2_00483778
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004E1CA4: CreateFileA,DeviceIoControl, 0_2_004E1CA4
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E872CB 0_3_00E872CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E874CF 0_3_00E874CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E872D7 0_3_00E872D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E87E48 0_3_00E87E48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E87E43 0_3_00E87E43
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E8753B 0_3_00E8753B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E86D12 0_3_00E86D12
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003E0130 0_2_003E0130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00414620 0_2_00414620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F509D 0_2_003F509D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003ED5AF 0_2_003ED5AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0040A2E0 0_2_0040A2E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003FA6D0 0_2_003FA6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F6800 0_2_003F6800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0040A97E 0_2_0040A97E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DF970 0_2_003DF970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003E00C7 0_2_003E00C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003E011A 0_2_003E011A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0053013C 0_2_0053013C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F41E0 0_2_003F41E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D8340 0_2_003D8340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003FC3E0 0_2_003FC3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004FC498 0_2_004FC498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004086FE 0_2_004086FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003E482A 0_2_003E482A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0051C958 0_2_0051C958
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00414920 0_2_00414920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F0A24 0_2_003F0A24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00504A18 0_2_00504A18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003FCA72 0_2_003FCA72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00500AC8 0_2_00500AC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003E4BBF 0_2_003E4BBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00414C50 0_2_00414C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00404C60 0_2_00404C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D8DA0 0_2_003D8DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0051CE80 0_2_0051CE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00508EB0 0_2_00508EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F8F00 0_2_003F8F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D4FA0 0_2_003D4FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00404F80 0_2_00404F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D1000 0_2_003D1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F91E0 0_2_003F91E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004E1264 0_2_004E1264
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D12D5 0_2_003D12D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D1328 0_2_003D1328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00529434 0_2_00529434
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D94BF 0_2_003D94BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F9494 0_2_003F9494
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F55A4 0_2_003F55A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004E1600 0_2_004E1600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003FD642 0_2_003FD642
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F9494 0_2_003F9494
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DD760 0_2_003DD760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00411720 0_2_00411720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00409940 0_2_00409940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00401980 0_2_00401980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004E1A40 0_2_004E1A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00501A04 0_2_00501A04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DDB20 0_2_003DDB20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F1B40 0_2_003F1B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00409BA0 0_2_00409BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003E5BD8 0_2_003E5BD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0049DC0C 0_2_0049DC0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00535D68 0_2_00535D68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F9D00 0_2_003F9D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00515FF0 0_2_00515FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D9F9C 0_2_003D9F9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00411F80 0_2_00411F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0053205C 0_2_0053205C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0053A048 0_2_0053A048
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0053601C 0_2_0053601C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DA270 0_2_003DA270
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0040E230 0_2_0040E230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003EE298 0_2_003EE298
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00412380 0_2_00412380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F26A0 0_2_003F26A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DA730 0_2_003DA730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00412850 0_2_00412850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0047697C 0_2_0047697C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003FAA40 0_2_003FAA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004DEAC8 0_2_004DEAC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003FAC04 0_2_003FAC04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0040EC20 0_2_0040EC20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004BEC28 0_2_004BEC28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003EECDE 0_2_003EECDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DECC0 0_2_003DECC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00402D80 0_2_00402D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004DED94 0_2_004DED94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DADD0 0_2_003DADD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003E6E10 0_2_003E6E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00412EB0 0_2_00412EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00596F40 0_2_00596F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D6F60 0_2_003D6F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004DEF24 0_2_004DEF24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F6F82 0_2_003F6F82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004131D0 0_2_004131D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004031DE 0_2_004031DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DB260 0_2_003DB260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003DF250 0_2_003DF250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004132C0 0_2_004132C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004133B0 0_2_004133B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003EF510 0_2_003EF510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004035B0 0_2_004035B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F762D 0_2_003F762D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00413720 0_2_00413720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003F762D 0_2_003F762D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003FB7FE 0_2_003FB7FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003FB7D9 0_2_003FB7D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0052F80C 0_2_0052F80C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004AF82C 0_2_004AF82C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_005338C4 0_2_005338C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D38E0 0_2_003D38E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_003D7960 0_2_003D7960
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: String function: 003EC2A0 appears 154 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: String function: 003DC8C0 appears 67 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: String function: 00434D9C appears 122 times
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: Section: ZLIB complexity 0.9979495662811388
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: Section: ZLIB complexity 1.0011935763888888
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: Section: .data ZLIB complexity 0.9975373178785403
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@4/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080379791.0000000003BE6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2080816273.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092620048.0000000003CC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static file information: File size 1290240 > 1048576

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe.3d0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E8AE46 push esp; retf 0_3_00E8B179
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E8B933 pushfd ; iretd 0_3_00E8B935
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_3_00E8B912 pushfd ; iretd 0_3_00E8B935
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004D09C4 push 004D0A51h; ret 0_2_004D0A49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0051C0E8 push 0051C114h; ret 0_2_0051C10C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0051C08C push 0051C0C4h; ret 0_2_0051C0BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00500148 push 00500174h; ret 0_2_0050016C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00500110 push 0050013Ch; ret 0_2_00500134
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004FC114 push 004FC140h; ret 0_2_004FC138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00500180 push 005001ACh; ret 0_2_005001A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004D81B4 push 004D81E0h; ret 0_2_004D81D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004FC240 push 004FC26Ch; ret 0_2_004FC264
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0045C250 push 0045C29Ch; ret 0_2_0045C294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004EC22C push 004EC258h; ret 0_2_004EC250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0045C2D0 push 0045C2FCh; ret 0_2_0045C2F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0045C2A0 push 0045C2CDh; ret 0_2_0045C2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004842B4 push 004842F4h; ret 0_2_004842EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00500314 push 00500340h; ret 0_2_00500338
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0045C308 push 0045C334h; ret 0_2_0045C32C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00458328 push 00458354h; ret 0_2_0045834C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00448454 push 004484A1h; ret 0_2_00448499
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0045440C push ecx; mov dword ptr [esp], edx 0_2_00454411
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004F0508 push 004F0534h; ret 0_2_004F052C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004345F0 push 00434641h; ret 0_2_00434639
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_005145EC push 00514618h; ret 0_2_00514610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004A462C push 004A466Eh; ret 0_2_004A4666
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004847F4 push 00484872h; ret 0_2_0048486A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004747BC push 004747E8h; ret 0_2_004747E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004348AC push 004348D8h; ret 0_2_004348D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004D095C push 004D09C2h; ret 0_2_004D09BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00434968 push 00434994h; ret 0_2_0043498C
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name: entropy: 7.997714729230857
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name: entropy: 7.636228005076095
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name: entropy: 7.9278998086211505
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name: entropy: 7.978359432501147
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Static PE information: section name: .data entropy: 7.985452413999655
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe System information queried: FirmwareTableInformation Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Window / User API: threadDelayed 1164 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe TID: 4296 Thread sleep count: 1164 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe TID: 7116 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe TID: 7116 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_0045B490 FindFirstFileW, 0_2_0045B490
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092772961.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179824263.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2178900486.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2178900486.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179824263.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179308756.0000000000429000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: &VBoxService.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179308756.0000000000429000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179308756.0000000000574000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~VirtualMachineTypes
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092772961.0000000003CC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179308756.0000000000574000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179308756.0000000000429000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000002.2179308756.0000000000574000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2092976502.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00410D90 LdrInitializeThunk, 0_2_00410D90

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: servicedny.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: authorisev.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: faulteyotk.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: dilemmadu.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: contemteny.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: goalyfeastz.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: opposezmny.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: seallysl.site
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: ponintnykqwm.shop
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_004E0268 cpuid 0_2_004E0268
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA, 0_2_00592208
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Code function: 0_2_00481CC0 GetTimeZoneInformation, 0_2_00481CC0
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe PID: 4524, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2125744394.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2125744394.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2125791042.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2125744394.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe, 00000000.00000003.2125744394.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe PID: 4524, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe PID: 4524, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545676 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 10 seallysl.site 2->10 12 ponintnykqwm.shop 2->12 14 2 other IPs or domains 2->14 18 Suricata IDS alerts for network traffic 2->18 20 Found malware configuration 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 9 other signatures 2->24 6 SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe 2->6         started        signatures3 process4 dnsIp5 16 goalyfeastz.site 104.21.33.140, 443, 49704, 49705 CLOUDFLARENETUS United States 6->16 26 Detected unpacking (changes PE section rights) 6->26 28 Query firmware table information (likely to detect VMs) 6->28 30 Found many strings related to Crypto-Wallets (likely being stolen) 6->30 32 4 other signatures 6->32 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.33.140
 goalyfeastz.site United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
goalyfeastz.site 104.21.33.140 true
ponintnykqwm.shop unknown unknown
opposezmny.site unknown unknown
seallysl.site unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
servicedny.site true
    		unknown
    goalyfeastz.site true
      		unknown
      contemteny.site true
        		unknown
        opposezmny.site true
          		unknown
          https://goalyfeastz.site/api true
            		unknown
            authorisev.site true
              		unknown
              faulteyotk.site true
                		unknown
                ponintnykqwm.shop true
                  		unknown
                  seallysl.site true
                    		unknown
                    dilemmadu.site true
                      		unknown