Windows
Analysis Report
SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe (PID: 4524, cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe", MD5: 21EB0B29554B832D677CEA9E8A59B999)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been sold through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions before stealing further sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads as EXE, DLL, and PowerShell. | No Attribution | | |
{"C2 url": ["faulteyotk.site", "dilemmadu.site", "ponintnykqwm.shop", "authorisev.site", "goalyfeastz.site", "contemteny.site", "servicedny.site", "opposezmny.site", "seallysl.site"], "Build id": "g392sM--"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | |
 | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security | |
Suricata IDS alerts (all signatures, ordered by time)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-30T20:18:59.667744+0100 | 2057093 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 56982 | 1.1.1.1 | 53 | UDP |
2024-10-30T20:18:59.680936+0100 | 2057089 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 64649 | 1.1.1.1 | 53 | UDP |
2024-10-30T20:18:59.693224+0100 | 2057085 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57318 | 1.1.1.1 | 53 | UDP |
2024-10-30T20:19:00.362602+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49704 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:00.833281+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:00.833281+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:01.534963+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49705 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:01.992255+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:01.992255+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:02.848223+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49706 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:03.330518+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:04.171340+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49707 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:05.718290+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49708 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:07.384730+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49709 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:09.139385+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49710 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:11.600660+0100 | 2057086 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49711 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:12.011244+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 104.21.33.140 | 443 | TCP |
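The extracted configuration (nine C2 domains plus the build id) and the Suricata rows are the actionable indicators in this report: three DNS lookups to C2 domains, then a series of TLS sessions to 104.21.33.140 on port 443. The Python below is an example added to this page, not Joe Sandbox output or Lumma code. It takes the C2 list exactly as printed in the config, matches DNS and proxy log lines against it (exact or subdomain match, so a lookalike such as `notlumma.site` does not trip on `seallysl.site`), flags the hard-coded `TeslaBrowser/5.5` exfiltration user agent independently of the destination, and emits local Suricata `dns.query` / `tls.sni` rules for the domains. The log lines are constructed for illustration and the SID base 9000000 is an assumed local range.

```python
"""Hunt for the LummaC2 indicators from this report in DNS and proxy logs and
emit local Suricata rules. Added example; log lines are constructed, and the
SID base is an assumed local range, not values from the sandbox run."""
import re
from urllib.parse import urlsplit

# Extracted configuration exactly as printed in the report.
LUMMA_CONFIG = {
    "C2 url": [
        "faulteyotk.site", "dilemmadu.site", "ponintnykqwm.shop",
        "authorisev.site", "goalyfeastz.site", "contemteny.site",
        "servicedny.site", "opposezmny.site", "seallysl.site",
    ],
    "Build id": "g392sM--",
}
# User agent the family uses for its HTTP POST exfiltration (from the description).
LUMMA_USER_AGENT = "TeslaBrowser/5.5"

# Constructed sample logs: "<ts> <client> <qtype> <qname>" and
# "<ts> <client> <method> <url> ua=\"<ua>\" <status>".
DNS_LOG = """\
2024-10-30T20:18:59Z 192.168.2.5 A faulteyotk.site
2024-10-30T20:18:59Z 192.168.2.5 A www.microsoft.com
2024-10-30T20:19:00Z 192.168.2.7 A cdn.dilemmadu.site
2024-10-30T20:19:01Z 192.168.2.5 A seallysl.site.
""".splitlines()

PROXY_LOG = """\
2024-10-30T20:19:02Z 192.168.2.5 POST https://faulteyotk.site/api ua="TeslaBrowser/5.5" 200
2024-10-30T20:19:02Z 192.168.2.9 GET https://example.com/ ua="Mozilla/5.0" 200
2024-10-30T20:19:03Z 192.168.2.9 POST https://example.com/upload ua="TeslaBrowser/5.5" 200
2024-10-30T20:19:04Z 192.168.2.5 POST https://notlumma.site/ ua="curl/8.0" 200
""".splitlines()

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'ua="(?P<ua>[^"]*)" (?P<status>\d+)$'
)


def c2_domains(config=LUMMA_CONFIG):
    """Normalise the configured C2 domains: lower-case, no trailing dot."""
    return frozenset(d.lower().rstrip(".") for d in config["C2 url"])


def hostname_matches(host, domains):
    """True if host equals a C2 domain or is a subdomain of one (never a bare substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_dns(lines, domains):
    """Return (client, qname) for every query that resolves a C2 domain."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and hostname_matches(m["qname"], domains):
            hits.append((m["client"], m["qname"].rstrip(".")))
    return hits


def scan_proxy(lines, domains, user_agent=LUMMA_USER_AGENT):
    """Return (client, host, reasons) for requests to a C2 domain or carrying the
    exfiltration user agent; the UA alone is enough, since C2 domains rotate."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        reasons = []
        if hostname_matches(host, domains):
            reasons.append("c2-domain")
        if m["ua"] == user_agent:
            reasons.append("user-agent")
        if reasons:
            hits.append((m["client"], host, tuple(reasons)))
    return hits


def suricata_rules(domains, sid_base=9000000):
    """One DNS-query rule and one TLS-SNI rule per domain (local SID range assumed)."""
    rules = []
    for i, d in enumerate(sorted(domains)):
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"LummaC2 DNS query {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid_base + 2 * i}; rev:1;)')
        rules.append(f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LummaC2 TLS SNI {d}"; '
                     f'tls.sni; content:"{d}"; nocase; sid:{sid_base + 2 * i + 1}; rev:1;)')
    return rules


if __name__ == "__main__":
    doms = c2_domains()
    for hit in scan_dns(DNS_LOG, doms):
        print("DNS ", hit)
    for hit in scan_proxy(PROXY_LOG, doms):
        print("HTTP", hit)
    print("\n".join(suricata_rules(doms)))
```

The proxy scan reports the user agent as its own reason because Lumma's C2 domains are rotated per build while the `TeslaBrowser/5.5` string has stayed constant in the family description; a hit on the UA alone is still worth a ticket. The generated rules rely on the `dns.query` and `tls.sni` sticky buffers, which require Suricata 5 or later.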
Signature details by category (the matched strings, URLs and file paths are not present in this extract; each entry gives the evidence type and, for code-based matches, the function address)
AV Detection
- Avira
- Malware Configuration Extractor
- ReversingLabs
- Integrated Neural Analysis Model
- Joe Sandbox ML
- String decryptor: 15 decrypted strings
- Code function: 0_2_003ED5AF
- Static PE information
- HTTPS traffic detected: 8 entries
- Code function: 0_2_0045B490
- Code functions: 0_2_003E0130, 0_2_004141F0, 0_2_0041137E, 0_2_004113D5, 0_2_003ED5AF, 0_2_0040A97E, 0_2_003E011A, 0_2_003F41E0, 0_2_00414380, 0_2_0040C6D0, 0_2_003EC6E0, 0_2_003EC8CE, 0_2_003DC960, 0_2_003FCA72, 0_2_00410E3A, 0_2_003FCEDA, 0_2_003F8F00, 0_2_003D1000, 0_2_003D12D5, 0_2_003F1333, 0_2_003DD500, 0_2_00411648, 0_2_00411720, 0_2_003D5820, 0_2_003F1B40, 0_2_003FDE70, 0_2_003F5F00, 0_2_003FE400, 0_2_003FE870, 0_2_003DE8DE, 0_2_003DE996, 0_2_003FAA60, 0_2_003FAA40, 0_2_003FAC04, 0_2_003EECDE, 0_2_00412EB0, 0_2_0040B170, 0_2_004131D0, 0_2_004132C0, 0_2_004133B0, 0_2_003EF510, 0_2_00413720, 0_2_0040F7E0, 0_2_0040FAD0
Networking
- Suricata IDS: 17 alerts (listed in the alert table above)
- URLs: 9 entries
- ASN Name
- JA3 fingerprint
- HTTP traffic detected: 8 entries
- UDP traffic detected without corresponding DNS query: 4 entries
- DNS traffic detected: 4 entries
- HTTP traffic detected: 1 entry
- String found in binary or memory: 44 entries
- Network traffic detected: 16 entries
- HTTPS traffic detected: 8 entries
System Summary
- Static PE information: 5 entries
- Code functions: 0_2_00483650, 0_2_00483634, 0_2_004836B8, 0_2_00483710, 0_2_004837F0, 0_2_00482B50, 0_2_00482BE4, 0_2_00482BB0, 0_2_00482C50, 0_2_00482CF8, 0_2_00482CA0, 0_2_00482D60, 0_2_00482DE0, 0_2_00482D8C, 0_2_00482E6C, 0_2_00482E14, 0_2_00482F54, 0_2_00482F74, 0_2_00482F04, 0_2_00482FE8, 0_2_00482FB4, 0_2_00483070, 0_2_00483028, 0_2_004830B0, 0_2_004831E0, 0_2_00483180, 0_2_0048327C, 0_2_004832C4, 0_2_004832E0, 0_2_0048336C, 0_2_00483338, 0_2_004833F4, 0_2_0048343C, 0_2_004834EC, 0_2_0048348C, 0_2_00483558, 0_2_0048353C, 0_2_004835EC, 0_2_0048358C, 0_2_00483684, 0_2_00483778
- Code function: 0_2_004E1CA4
- Code functions: 0_3_00E872CB, 0_3_00E874CF, 0_3_00E872D7, 0_3_00E87E48, 0_3_00E87E43, 0_3_00E8753B, 0_3_00E86D12, 0_2_003E0130, 0_2_00414620, 0_2_003F509D, 0_2_003ED5AF, 0_2_0040A2E0, 0_2_003FA6D0, 0_2_003F6800, 0_2_0040A97E, 0_2_003DF970, 0_2_003E00C7, 0_2_003E011A, 0_2_0053013C, 0_2_003F41E0, 0_2_003D8340, 0_2_003FC3E0, 0_2_004FC498, 0_2_004086FE, 0_2_003E482A, 0_2_0051C958, 0_2_00414920, 0_2_003F0A24, 0_2_00504A18, 0_2_003FCA72, 0_2_00500AC8, 0_2_003E4BBF, 0_2_00414C50, 0_2_00404C60, 0_2_003D8DA0, 0_2_0051CE80, 0_2_00508EB0, 0_2_003F8F00, 0_2_003D4FA0, 0_2_00404F80, 0_2_003D1000, 0_2_003F91E0, 0_2_004E1264, 0_2_003D12D5, 0_2_003D1328, 0_2_00529434, 0_2_003D94BF, 0_2_003F9494, 0_2_003F55A4, 0_2_004E1600, 0_2_003FD642, 0_2_003DD760, 0_2_00411720, 0_2_00409940, 0_2_00401980, 0_2_004E1A40, 0_2_00501A04, 0_2_003DDB20, 0_2_003F1B40, 0_2_00409BA0, 0_2_003E5BD8, 0_2_0049DC0C, 0_2_00535D68, 0_2_003F9D00, 0_2_00515FF0, 0_2_003D9F9C, 0_2_00411F80, 0_2_0053205C, 0_2_0053A048, 0_2_0053601C, 0_2_003DA270, 0_2_0040E230, 0_2_003EE298, 0_2_00412380, 0_2_003F26A0, 0_2_003DA730, 0_2_00412850, 0_2_0047697C, 0_2_003FAA40, 0_2_004DEAC8, 0_2_003FAC04, 0_2_0040EC20, 0_2_004BEC28, 0_2_003EECDE, 0_2_003DECC0, 0_2_00402D80, 0_2_004DED94, 0_2_003DADD0, 0_2_003E6E10, 0_2_00412EB0, 0_2_00596F40, 0_2_003D6F60, 0_2_004DEF24, 0_2_003F6F82, 0_2_004131D0, 0_2_004031DE, 0_2_003DB260, 0_2_003DF250, 0_2_004132C0, 0_2_004133B0, 0_2_003EF510, 0_2_004035B0, 0_2_003F762D, 0_2_00413720, 0_2_003FB7FE, 0_2_003FB7D9, 0_2_0052F80C, 0_2_004AF82C, 0_2_005338C4, 0_2_003D38E0, 0_2_003D7960
- Static PE information
- Static PE information: 3 entries
- Classification label
- Key opened: 2 entries
- Key opened: 1 entry
- Binary or memory string
- ReversingLabs
- File read
- Section loaded: 42 entries
- Static file information
Data Obfuscation
- Unpacked PE file
- Static PE information: 5 entries
- Code functions: 0_3_00E8B179, 0_3_00E8B935, 0_2_004D0A49, 0_2_0051C10C, 0_2_0051C0BC, 0_2_0050016C, 0_2_00500134, 0_2_004FC138, 0_2_005001A4, 0_2_004D81D8, 0_2_004FC264, 0_2_0045C294, 0_2_004EC250, 0_2_0045C2F4, 0_2_0045C2C5, 0_2_004842EC, 0_2_00500338, 0_2_0045C32C, 0_2_0045834C, 0_2_00448499, 0_2_00454411, 0_2_004F052C, 0_2_00434639, 0_2_00514610, 0_2_004A4666, 0_2_0048486A, 0_2_004747E0, 0_2_004348D0, 0_2_004D09BA, 0_2_0043498C
- Static PE information: 5 entries
- Process information set
Malware Analysis System Evasion
- System information queried
- Window / User API
- Thread sleep count: 1 entry; Thread sleep time: 2 entries
- WMI Queries
- Code function: 0_2_0045B490
- Binary or memory string: 40 entries
- Process information queried
Anti Debugging
- Thread information set: 2 entries
- Code function: 0_2_00410D90
HIPS / PFW / Operating System Protection Evasion
- String found in binary or memory: 9 entries
- Code function: 0_2_004E0268
- Code function: 0_2_00592208
- Queries volume information
- Code function: 0_2_00481CC0
- WMI Queries
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 211 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 41 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
73% | ReversingLabs | Win32.Trojan.LummaStealer | ||
100% | Avira | HEUR/AGEN.1314134 | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
goalyfeastz.site | 104.21.33.140 | true | true | unknown | |
ponintnykqwm.shop | unknown | unknown | true | unknown | |
opposezmny.site | unknown | unknown | true | unknown | |
seallysl.site | unknown | unknown | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.33.140 | goalyfeastz.site | United States | 13335 | CLOUDFLARENETUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1545676 |
Start date and time: | 2024-10-30 20:18:06 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@4/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
- VT rate limit hit for: SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe
Time | Type | Description |
---|---|---|
15:18:58 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
104.21.33.140 | Get hash | malicious | LummaC Stealer | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
goalyfeastz.site | Get hash | malicious | LummaC Stealer | Browse |
Get hash | malicious | LummaC Stealer | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | LummaC | Browse |
Get hash | malicious | Mamba2FA | Browse |
Get hash | malicious | HTMLPhisher | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Tycoon2FA | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | HTMLPhisher | Browse |
Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | KnowBe4 | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC Stealer | Browse |
Get hash | malicious | LummaC | Browse |
Get hash | malicious | LummaC | Browse |
File type: | |
Entropy (8bit): | 7.990450651344029 |
TrID: | |
File name: | SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
File size: | 1'290'240 bytes |
MD5: | 21eb0b29554b832d677cea9e8a59b999 |
SHA1: | e6775ef09acc67f90e07205788a4165cbf8496ca |
SHA256: | 9aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656 |
SHA512: | e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742 |
SSDEEP: | 24576:VUt6SS6/lwChL5nLexP9eVKN3RjJMDnhY3YnBypzcnNftDquJN:+t6fYFexPoKNfMbcYnEINVG8 |
TLSH: | 315533E00F206926C918A9BAD9BE1FB415A7D164458530A6F28F1D78CC5CC6FAF1D2EC |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................D........................@..........................0<...........@................................. .-.... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x418b16 |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6715CDA7 [Mon Oct 21 03:42:31 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 71cc5af9daad65e58c6f29c42cdf9201 |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 00401000h |
call 00007EFC14D16C06h |
call far 5DE5h : 8B10C483h |
jmp 00007EFC150BF3ABh |
lodsd |
sti |
inc eax |
or eax, 0C9D675Ah |
cmp dword ptr [edx-33995C5Eh], ebx |
mov byte ptr [ebx-3DE88728h], FFFFFFA5h |
int1 |
xchg eax, esp |
clc |
mov edi, esi |
fild dword ptr [edx-78F647B4h] |
xchg eax, ebx |
and ebx, dword ptr [eax-2595E2A7h] |
sti |
inc byte ptr [esi+042E60AAh] |
dec edx |
shr dword ptr [ecx-38h], 67h |
adc eax, B89BD83Fh |
sahf |
mov cl, 6Fh |
mov edi, dword ptr [ebx-033B4484h] |
retf |
lds edi, fword ptr [4F644706h] |
push edi |
bound esi, dword ptr [edx-78h] |
jbe 00007EFC14D16BFEh |
rol dword ptr [eax+279A04ECh], FFFFFFFCh |
mov al, byte ptr [301EFBB7h] |
xchg eax, esp |
dec ebp |
jecxz 00007EFC14D16C68h |
add edi, dword ptr [edi+39h] |
sar dword ptr [ecx-158AB99Eh], FFFFFFB4h |
mov dword ptr [CD88C6BBh], eax |
sub al, EEh |
adc dword ptr [edx-495DD670h], FFFFFFFDh |
add ebp, edi |
sub byte ptr [esi], ch |
jns 00007EFC14D16C62h |
fcmove st(0), st(1) |
out 96h, eax |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2dd020 | 0x214 | .data |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2dd000 | 0xc | .data |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
0x1000 | 0x45000 | 0x23200 | cf44f7452dcf5f8d225cca2d88061768 | False | 0.9979495662811388 | data | 7.997714729230857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
0x46000 | 0x3000 | 0x1000 | 669a906bed7426705bddbc9a6ec84728 | False | 0.92138671875 | data | 7.636228005076095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
0x49000 | 0x10000 | 0x3400 | 89ac7c3fcb41eef78b191f650c86e226 | False | 0.9753605769230769 | data | 7.9278998086211505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
0x59000 | 0x5000 | 0x2400 | a413c09bec6a56ff4498e3e84a763197 | False | 1.0011935763888888 | data | 7.978359432501147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
0x5e000 | 0x27f000 | 0x2ba00 | f189a3e15470c420a7a5b53422700d4d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.data | 0x2dd000 | 0xe6000 | 0xe5800 | ba30390f681cdc4ed61f33a6d600d766 | False | 0.9975373178785403 | data | 7.985452413999655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA |
user32.dll | MessageBoxA |
advapi32.dll | RegCloseKey |
oleaut32.dll | SysFreeString |
gdi32.dll | CreateFontA |
shell32.dll | ShellExecuteA |
version.dll | GetFileVersionInfoA |
ole32.dll | CoCreateInstance |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-30T20:18:59.667744+0100 | 2057093 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site) | 1 | 192.168.2.5 | 56982 | 1.1.1.1 | 53 | UDP |
2024-10-30T20:18:59.680936+0100 | 2057089 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opposezmny .site) | 1 | 192.168.2.5 | 64649 | 1.1.1.1 | 53 | UDP |
2024-10-30T20:18:59.693224+0100 | 2057085 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (goalyfeastz .site) | 1 | 192.168.2.5 | 57318 | 1.1.1.1 | 53 | UDP |
2024-10-30T20:19:00.362602+0100 | 2057086 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) | 1 | 192.168.2.5 | 49704 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:00.833281+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:00.833281+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:01.534963+0100 | 2057086 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) | 1 | 192.168.2.5 | 49705 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:01.992255+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49705 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:01.992255+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:02.848223+0100 | 2057086 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) | 1 | 192.168.2.5 | 49706 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:03.330518+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49706 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:04.171340+0100 | 2057086 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) | 1 | 192.168.2.5 | 49707 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:05.718290+0100 | 2057086 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) | 1 | 192.168.2.5 | 49708 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:07.384730+0100 | 2057086 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) | 1 | 192.168.2.5 | 49709 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:09.139385+0100 | 2057086 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) | 1 | 192.168.2.5 | 49710 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:11.600660+0100 | 2057086 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI) | 1 | 192.168.2.5 | 49711 | 104.21.33.140 | 443 | TCP |
2024-10-30T20:19:12.011244+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49711 | 104.21.33.140 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 30, 2024 20:18:59.712537050 CET | 49704 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:09.155103922 CET | 443 | 49710 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:10.916407108 CET | 443 | 49710 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:10.916490078 CET | 443 | 49710 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:10.916604042 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:10.916770935 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:10.916796923 CET | 443 | 49710 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:10.958085060 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:10.958132029 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:10.958230972 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:10.958538055 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:10.958554029 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:11.600522041 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:11.600660086 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:11.602159977 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:11.602173090 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:11.602416039 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:11.603799105 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:11.603822947 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:11.603863001 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:12.011243105 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:12.011324883 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:12.011396885 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:12.011532068 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:12.011554956 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Oct 30, 2024 20:19:12.011568069 CET | 49711 | 443 | 192.168.2.5 | 104.21.33.140 |
Oct 30, 2024 20:19:12.011574984 CET | 443 | 49711 | 104.21.33.140 | 192.168.2.5 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 30, 2024 20:18:59.652915955 CET | 63584 | 53 | 192.168.2.5 | 1.1.1.1 |
Oct 30, 2024 20:18:59.663239956 CET | 53 | 63584 | 1.1.1.1 | 192.168.2.5 |
Oct 30, 2024 20:18:59.667743921 CET | 56982 | 53 | 192.168.2.5 | 1.1.1.1 |
Oct 30, 2024 20:18:59.677783012 CET | 53 | 56982 | 1.1.1.1 | 192.168.2.5 |
Oct 30, 2024 20:18:59.680936098 CET | 64649 | 53 | 192.168.2.5 | 1.1.1.1 |
Oct 30, 2024 20:18:59.690809011 CET | 53 | 64649 | 1.1.1.1 | 192.168.2.5 |
Oct 30, 2024 20:18:59.693223953 CET | 57318 | 53 | 192.168.2.5 | 1.1.1.1 |
Oct 30, 2024 20:18:59.707374096 CET | 53 | 57318 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 30, 2024 20:18:59.652915955 CET | 192.168.2.5 | 1.1.1.1 | 0x4e6c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 30, 2024 20:18:59.667743921 CET | 192.168.2.5 | 1.1.1.1 | 0xbbe3 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 30, 2024 20:18:59.680936098 CET | 192.168.2.5 | 1.1.1.1 | 0xd747 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Oct 30, 2024 20:18:59.693223953 CET | 192.168.2.5 | 1.1.1.1 | 0xf9c2 | Standard query (0) | | A (IP address) | IN (0x0001) | false |

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 30, 2024 20:18:59.663239956 CET | 1.1.1.1 | 192.168.2.5 | 0x4e6c | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Oct 30, 2024 20:18:59.677783012 CET | 1.1.1.1 | 192.168.2.5 | 0xbbe3 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Oct 30, 2024 20:18:59.690809011 CET | 1.1.1.1 | 192.168.2.5 | 0xd747 | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Oct 30, 2024 20:18:59.707374096 CET | 1.1.1.1 | 192.168.2.5 | 0xf9c2 | No error (0) | | | 104.21.33.140 | A (IP address) | IN (0x0001) | false |
Oct 30, 2024 20:18:59.707374096 CET | 1.1.1.1 | 192.168.2.5 | 0xf9c2 | No error (0) | | | 172.67.145.203 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.5 | 49704 | 104.21.33.140 | 443 | 4524 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-30 19:19:00 UTC | 263 | OUT | |
2024-10-30 19:19:00 UTC | 8 | OUT | |
2024-10-30 19:19:00 UTC | 1008 | IN | |
2024-10-30 19:19:00 UTC | 7 | IN | |
2024-10-30 19:19:00 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.5 | 49705 | 104.21.33.140 | 443 | 4524 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-30 19:19:01 UTC | 264 | OUT | |
2024-10-30 19:19:01 UTC | 42 | OUT | |
2024-10-30 19:19:01 UTC | 1013 | IN | |
2024-10-30 19:19:01 UTC | 356 | IN | |
2024-10-30 19:19:01 UTC | 1369 | IN | |
2024-10-30 19:19:01 UTC | 1369 | IN | |
2024-10-30 19:19:01 UTC | 1369 | IN | |
2024-10-30 19:19:01 UTC | 1369 | IN | |
2024-10-30 19:19:01 UTC | 1369 | IN | |
2024-10-30 19:19:01 UTC | 1369 | IN | |
2024-10-30 19:19:01 UTC | 1369 | IN | |
2024-10-30 19:19:01 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.5 | 49706 | 104.21.33.140 | 443 | 4524 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-30 19:19:02 UTC | 282 | OUT | |
2024-10-30 19:19:02 UTC | 12830 | OUT | |
2024-10-30 19:19:03 UTC | 1008 | IN | |
2024-10-30 19:19:03 UTC | 23 | IN | |
2024-10-30 19:19:03 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.5 | 49707 | 104.21.33.140 | 443 | 4524 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-30 19:19:04 UTC | 282 | OUT | |
2024-10-30 19:19:04 UTC | 15072 | OUT | |
2024-10-30 19:19:04 UTC | 1019 | IN | |
2024-10-30 19:19:04 UTC | 23 | IN | |
2024-10-30 19:19:04 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.5 | 49708 | 104.21.33.140 | 443 | 4524 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-30 19:19:05 UTC | 282 | OUT | |
2024-10-30 19:19:05 UTC | 15331 | OUT | |
2024-10-30 19:19:05 UTC | 5231 | OUT | |
2024-10-30 19:19:06 UTC | 1015 | IN | |
2024-10-30 19:19:06 UTC | 23 | IN | |
2024-10-30 19:19:06 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.5 | 49709 | 104.21.33.140 | 443 | 4524 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-30 19:19:07 UTC | 281 | OUT | |
2024-10-30 19:19:07 UTC | 1266 | OUT | |
2024-10-30 19:19:08 UTC | 1007 | IN | |
2024-10-30 19:19:08 UTC | 23 | IN | |
2024-10-30 19:19:08 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.5 | 49710 | 104.21.33.140 | 443 | 4524 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-30 19:19:09 UTC | 283 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:09 UTC | 15331 | OUT | |
2024-10-30 19:19:10 UTC | 1017 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.5 | 49711 | 104.21.33.140 | 443 | 4524 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-10-30 19:19:11 UTC | 264 | OUT | |
2024-10-30 19:19:11 UTC | 77 | OUT | |
2024-10-30 19:19:12 UTC | 1012 | IN | |
2024-10-30 19:19:12 UTC | 54 | IN | |
2024-10-30 19:19:12 UTC | 5 | IN |
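The DNS and TLS-session tables above are easier to read once the rows are totalled per transaction and per session: three of the four lookups came back NXDOMAIN and the fourth resolved to 104.21.33.140 and 172.67.145.203, and every one of the eight TLS sessions then talks to 104.21.33.140. The Data column is empty because the traffic is TLS, so byte counts and direction are the only signal the capture gives. The script below is an added example, not part of the Joe Sandbox report: it transcribes the rows above as constructed input, pairs DNS answers by transaction id, totals outbound and inbound bytes per session, and flags sessions that send far more than they receive. The `min_out` and `min_ratio` thresholds are assumptions chosen for illustration, not values from the report.

```python
"""Summarise the DNS and TLS-session tables of a sandbox report.

Added example, not part of the Joe Sandbox report. The rows below are
transcribed from the tables above (constructed input for the example);
the flagging thresholds are assumptions, not values from the report.
"""
from collections import defaultdict

# DNS answers transcribed from the report: (transaction id, reply code, address).
# The queried names are not shown in the report, so only the ids are kept.
DNS_ANSWERS = [
    ("0x4e6c", "Name error (3)", None),
    ("0xbbe3", "Name error (3)", None),
    ("0xd747", "Name error (3)", None),
    ("0xf9c2", "No error (0)", "104.21.33.140"),
    ("0xf9c2", "No error (0)", "172.67.145.203"),
]

# TLS session rows transcribed from the report: (session id, direction, bytes).
SESSION_ROWS = [
    (0, "OUT", 263), (0, "OUT", 8), (0, "IN", 1008), (0, "IN", 7), (0, "IN", 5),
    (1, "OUT", 264), (1, "OUT", 42), (1, "IN", 1013), (1, "IN", 356),
    *([(1, "IN", 1369)] * 8),
    (2, "OUT", 282), (2, "OUT", 12830), (2, "IN", 1008), (2, "IN", 23), (2, "IN", 5),
    (3, "OUT", 282), (3, "OUT", 15072), (3, "IN", 1019), (3, "IN", 23), (3, "IN", 5),
    (4, "OUT", 282), (4, "OUT", 15331), (4, "OUT", 5231),
    (4, "IN", 1015), (4, "IN", 23), (4, "IN", 5),
    (5, "OUT", 281), (5, "OUT", 1266), (5, "IN", 1007), (5, "IN", 23), (5, "IN", 5),
    (6, "OUT", 283), *([(6, "OUT", 15331)] * 10), (6, "IN", 1017),
    (7, "OUT", 264), (7, "OUT", 77), (7, "IN", 1012), (7, "IN", 54), (7, "IN", 5),
]


def dns_summary(answers):
    """Group answers by transaction id: which lookups failed, which resolved to what."""
    nxdomain = set()
    resolved = defaultdict(list)
    for txid, rcode, address in answers:
        if rcode.startswith("Name error"):
            nxdomain.add(txid)
        elif address is not None:
            resolved[txid].append(address)
    return {"nxdomain": sorted(nxdomain), "resolved": dict(resolved)}


def session_volumes(rows):
    """Total OUT and IN bytes per session id."""
    totals = defaultdict(lambda: {"OUT": 0, "IN": 0})
    for sid, direction, nbytes in rows:
        totals[sid][direction] += nbytes
    return dict(totals)


def upload_heavy_sessions(volumes, min_out=4096, min_ratio=4.0):
    """Session ids where the client sent at least min_out bytes and at least
    min_ratio times what it received. With TLS the payload is opaque, so
    direction and volume are the signal; thresholds are assumptions for this example."""
    return [
        sid for sid, v in sorted(volumes.items())
        if v["OUT"] >= min_out and v["OUT"] >= min_ratio * max(v["IN"], 1)
    ]


def report(answers=DNS_ANSWERS, rows=SESSION_ROWS):
    """Human-readable summary; returns the text so callers can check it."""
    dns = dns_summary(answers)
    volumes = session_volumes(rows)
    lines = [
        f"DNS: {len(dns['nxdomain'])} lookups NXDOMAIN, "
        f"{len(dns['resolved'])} resolved -> {dns['resolved']}",
        f"Total outbound over {len(volumes)} TLS sessions: "
        f"{sum(v['OUT'] for v in volumes.values())} bytes",
    ]
    for sid in upload_heavy_sessions(volumes):
        v = volumes[sid]
        lines.append(f"session {sid}: OUT {v['OUT']} / IN {v['IN']} bytes (upload-heavy)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the rows above this flags sessions 2, 3, 4 and 6; session 6 alone pushes ten 15,331-byte records (153,593 bytes out against 1,017 bytes in), and the eight sessions together send 205,368 bytes to 104.21.33.140 while receiving only the TLS handshake and short acknowledgements. Three failed lookups followed by one that resolves, and then all traffic to that one host, is the pattern to expect from a client that walks a list of hostnames until one answers.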
Target ID: | 0 |
Start time: | 15:18:58 |
Start date: | 30/10/2024 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.749.8914.14992.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3d0000 |
File size: | 1'290'240 bytes |
MD5 hash: | 21EB0B29554B832D677CEA9E8A59B999 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 3.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 40.9% |
Total number of Nodes: | 159 |
Total number of Limit Nodes: | 10 |
Graph
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DF970 Relevance: 15.3, Strings: 12, Instructions: 280COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A2E0 Relevance: 11.6, Strings: 9, Instructions: 302COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F6800 Relevance: 8.7, Strings: 6, Instructions: 1152COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003ED5AF Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 404encryptionCOMMON
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F509D Relevance: 6.4, Strings: 5, Instructions: 163COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00592208 Relevance: 3.9, Strings: 3, Instructions: 184COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00483710 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52filenativeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00483634 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9nativeCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A97E Relevance: 3.1, Strings: 2, Instructions: 587COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F6F82 Relevance: 3.0, Strings: 2, Instructions: 524COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FA6D0 Relevance: 2.8, Strings: 2, Instructions: 324COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003E00C7 Relevance: 2.7, Strings: 2, Instructions: 197COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00410D90 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004E1CA4 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0045B490 Relevance: 1.3, Strings: 1, Instructions: 46COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00414620 Relevance: .3, Instructions: 298COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004141F0 Relevance: .2, Instructions: 157COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004113D5 Relevance: .1, Instructions: 102COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0041137E Relevance: .1, Instructions: 57COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00481CC0 Relevance: .1, Instructions: 55COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004837F0 Relevance: .0, Instructions: 19COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00410CC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040DC40 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00401859 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404A7F Relevance: 1.5, APIs: 1, Instructions: 20COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040A952 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040DC18 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0059B598 Relevance: 1.3, APIs: 1, Instructions: 21memoryCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004086FE Relevance: 66.6, Strings: 53, Instructions: 390COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004FC498 Relevance: 42.0, Strings: 33, Instructions: 740COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003EF510 Relevance: 24.0, Strings: 18, Instructions: 1543COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003D1000 Relevance: 19.5, Strings: 14, Instructions: 1989COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00409BA0 Relevance: 17.8, Strings: 14, Instructions: 304COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003D12D5 Relevance: 16.0, Strings: 12, Instructions: 987COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DD760 Relevance: 10.3, Strings: 8, Instructions: 302COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DD500 Relevance: 10.2, Strings: 8, Instructions: 218COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DF250 Relevance: 9.2, Strings: 7, Instructions: 471COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DDB20 Relevance: 9.1, Strings: 7, Instructions: 361COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F0A24 Relevance: 8.0, Strings: 6, Instructions: 505COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F41E0 Relevance: 8.0, Strings: 6, Instructions: 461COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040EC20 Relevance: 7.0, Strings: 5, Instructions: 723COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0053205C Relevance: 6.9, Strings: 5, Instructions: 623COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FAA40 Relevance: 6.8, Strings: 5, Instructions: 523COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003EECDE Relevance: 6.8, Strings: 5, Instructions: 521COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DECC0 Relevance: 6.7, Strings: 5, Instructions: 426COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F9D00 Relevance: 6.7, Strings: 5, Instructions: 405COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003D1328 Relevance: 6.6, Strings: 5, Instructions: 389COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F55A4 Relevance: 6.4, Strings: 5, Instructions: 157COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F8F00 Relevance: 5.5, Strings: 4, Instructions: 489COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FD642 Relevance: 5.3, Strings: 4, Instructions: 333COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00412EB0 Relevance: 4.7, Strings: 3, Instructions: 910COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004131D0 Relevance: 4.4, Strings: 3, Instructions: 680COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F1B40 Relevance: 4.4, Strings: 3, Instructions: 657COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004132C0 Relevance: 4.4, Strings: 3, Instructions: 637COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FAC04 Relevance: 4.3, Strings: 3, Instructions: 578COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00412850 Relevance: 4.2, Strings: 3, Instructions: 475COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003D8340 Relevance: 4.2, Strings: 3, Instructions: 420COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FC3E0 Relevance: 4.0, Strings: 3, Instructions: 221COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DE8DE Relevance: 3.8, Strings: 3, Instructions: 51COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DE996 Relevance: 3.8, Strings: 3, Instructions: 25COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0048336C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52filenativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482B50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48filenativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482E6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48filenativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00483180 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0048348C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48filenativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482CA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482BE4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativethreadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482C50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482F04 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00483028 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004833F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004835EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482FE8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482DE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00483338 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0048343C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26filenativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004834EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26filenativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004832C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0048353C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11nativeCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FB7D9 Relevance: 3.2, Strings: 2, Instructions: 674COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FB7FE Relevance: 3.1, Strings: 2, Instructions: 613COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F26A0 Relevance: 3.0, Strings: 2, Instructions: 480COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003D38E0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00501A04 Relevance: 2.9, Strings: 2, Instructions: 390COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003D94BF Relevance: 2.8, Strings: 2, Instructions: 305COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00504A18 Relevance: 2.8, Strings: 2, Instructions: 304COMMON
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0049DC0C Relevance: 2.2, Strings: 1, Instructions: 905COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004133B0 Relevance: 1.9, Strings: 1, Instructions: 672COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00508EB0 Relevance: 1.8, Strings: 1, Instructions: 518COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003D4FA0 Relevance: 1.8, Strings: 1, Instructions: 514COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FE400 Relevance: 1.6, Strings: 1, Instructions: 382COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E87E43 Relevance: 1.6, APIs: 1, Instructions: 130COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00E87E48 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 005338C4 Relevance: 1.6, Strings: 1, Instructions: 368COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00412380 Relevance: 1.6, Strings: 1, Instructions: 344COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004035B0 Relevance: 1.6, Strings: 1, Instructions: 320COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482CF8 Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0048358C Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003F1333 Relevance: 1.5, Strings: 1, Instructions: 288COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482F74 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00483070 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004830B0 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004831E0 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482BB0 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482FB4 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00483558 Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482D60 Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0048327C Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003DA730 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00482F54 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040F7E0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 003FE870 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0040E230 Relevance: 1.5, Strings: 1, Instructions: 231COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004E1264 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function | Relevance | Strings | Instructions | Similarity |
---|---|---|---|---|
004E1600 | 1.4 | 1 | 181 | COMMON |
004E1A40 | 1.4 | 1 | 181 | COMMON |
003F762D | 1.4 | 1 | 170 | COMMON |
003E482A | 1.4 | 1 | 140 | COMMON |
004E0268 | 1.4 | 1 | 120 | COMMON |
003FCEDA | 1.3 | 1 | 67 | COMMON |
0053013C | .7 | | 681 | COMMON |
003DB260 | .7 | | 670 | COMMON |
003D6F60 | .7 | | 657 | COMMON |
003D7960 | .6 | | 611 | COMMON |
00500AC8 | .5 | | 521 | COMMON |
00E872D7 | .5 | | 520 | COMMON |
00411720 | .5 | | 497 | COMMON |
004BEC28 | .4 | | 405 | COMMON |
003DA270 | .4 | | 399 | COMMON |
003F9494 | .4 | | 390 | COMMON |
003EE298 | .3 | | 347 | COMMON |
00413720 | .3 | | 334 | COMMON |
00411F80 | .3 | | 334 | COMMON |
00596F40 | .3 | | 320 | COMMON |
00515FF0 | .3 | | 320 | COMMON |
003E4BBF | .3 | | 319 | COMMON |
003FCA72 | .3 | | 318 | COMMON |
00E874CF | .3 | | 317 | COMMON |
00414C50 | .3 | | 311 | COMMON |
003DADD0 | .3 | | 303 | COMMON |
00414920 | .3 | | 301 | COMMON |
003E6E10 | .3 | | 298 | COMMON |
00E86D12 | .3 | | 284 | COMMON |
0051CE80 | .3 | | 284 | COMMON |
004AF82C | .3 | | 284 | COMMON |
00404C60 | .3 | | 283 | COMMON |
00401980 | .3 | | 277 | COMMON |
00E8753B | .3 | | 266 | COMMON |
00402D80 | .3 | | 259 | COMMON |
0047697C | .3 | | 258 | COMMON |
004031DE | .3 | | 258 | COMMON |
003F5F00 | .3 | | 251 | COMMON |
00529434 | .2 | | 238 | COMMON |
0052F80C | .2 | | 238 | COMMON |
0051C958 | .2 | | 236 | COMMON |
003E5BD8 | .2 | | 234 | COMMON |
00404F80 | .2 | | 230 | COMMON |
003D8DA0 | .2 | | 223 | COMMON |
0053601C | .2 | | 222 | COMMON |
00E872CB | .2 | | 213 | COMMON |
00535D68 | .2 | | 190 | COMMON |
00409940 | .2 | | 189 | COMMON |
004DEAC8 | .2 | | 174 | COMMON |
003D5820 | .2 | | 163 | COMMON |
003F91E0 | .2 | | 159 | COMMON |
0053A048 | .2 | | 158 | COMMON |
00414380 | .2 | | 154 | COMMON |
0040B170 | .1 | | 142 | COMMON |
003EC6E0 | .1 | | 128 | COMMON |
004DED94 | .1 | | 123 | COMMON |
004DEF24 | .1 | | 123 | COMMON |
003DC960 | .1 | | 106 | COMMON |
003EC8CE | .1 | | 94 | COMMON |
003D9F9C | .1 | | 66 | COMMON |
00410E3A | .1 | | 64 | COMMON |
003FDE70 | .1 | | 63 | COMMON |
0040FAD0 | .1 | | 53 | COMMON |
003FAA60 | .0 | | 39 | COMMON |
00411648 | .0 | | 25 | COMMON |
0040C6D0 | .0 | | 21 | COMMON |