Windows Analysis Report
injector V2.4.exe

Overview

General Information

Sample name: injector V2.4.exe
Analysis ID: 1561471
MD5: ad5bf840b79922950cbcd853a3e56134
SHA1: 5fe0ffa06bc526355af0ca520aa1750aee6499ef
SHA256: 5dc32a33db2f76834c6e96336d4bbbf276bc0b6b6cc9c02ad004607008dbe91a
Tags: exe, user-4k95m

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 00000000.00000002.1683104241.000000000071E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["farewellnzu.icu"]}
Source: injector V2.4.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.6% probability
Source: injector V2.4.exe Joe Sandbox ML: detected
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: farewellnzu.icu
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: injector V2.4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.44.93:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: injector V2.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BFC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00BFC7DB
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 2_2_00402840
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then cmp byte ptr [ebp+ebx+00h], 00000000h 2_2_0042A0D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov byte ptr [edx], al 2_2_0042F8D5
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then jmp eax 2_2_0041E8E0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov ebx, dword ptr [esp+38h] 2_2_004260E0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then jmp ecx 2_2_004260E0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx-1Fh] 2_2_0044088C
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h] 2_2_0044088C
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_00418940
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h 2_2_0042A970
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx-0E5C990Fh] 2_2_0041E902
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov byte ptr [ebx], dl 2_2_0042D120
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh 2_2_0043D1D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000B1h] 2_2_00423250
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_004372C0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov dword ptr [esp+04h], edi 2_2_0041E2CC
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_0042C2D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov ecx, eax 2_2_00442290
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx ebp, word ptr [eax] 2_2_00442290
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then jmp ecx 2_2_00426350
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h 2_2_0042AB59
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_0042F36A
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h] 2_2_00440B70
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov ecx, eax 2_2_0041F310
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edx, byte ptr [esi+ecx+5261BF7Ah] 2_2_0042DB30
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then inc eax 2_2_00420BD0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx] 2_2_00420BD0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov ecx, eax 2_2_00427BD0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-2D7FD463h] 2_2_0041EBFA
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then jmp eax 2_2_00421B80
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then jmp ecx 2_2_00427BA8
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov byte ptr [edx], al 2_2_0042FC7B
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+10h] 2_2_00429C04
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx-07h] 2_2_00428C20
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then jmp dword ptr [00447DC0h] 2_2_0041FC24
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov word ptr [ecx], bp 2_2_0041FC3A
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h] 2_2_0041FC3A
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 2_2_00424480
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then jmp ecx 2_2_00426490
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+2Ch] 2_2_00407570
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h] 2_2_00407570
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then cmp al, 2Eh 2_2_00428D29
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+38h] 2_2_0041DE43
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edi, byte ptr [esi+ecx-26h] 2_2_0042EE1E
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then lea esi, dword ptr [ecx-10h] 2_2_0043FE30
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h 2_2_0042A6C2
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov byte ptr [ecx], bl 2_2_0042D6C8
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov byte ptr [ebx], dl 2_2_0042D6C8
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_004246E0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edi, byte ptr [esi+ecx-26h] 2_2_0042EEEB
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edi, byte ptr [esi+ecx-26h] 2_2_0042EEFD
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-65ACAA80h] 2_2_00409690
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx-1Fh] 2_2_00440690
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h] 2_2_00440690
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edi, byte ptr [esi+ecx-26h] 2_2_0042EEA3
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-735E2241h] 2_2_0042B6AA
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+10h] 2_2_0042970D
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+10h] 2_2_00429725
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E1h] 2_2_0040C735
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 4x nop then mov dword ptr [ecx], 21A62724h 2_2_0040AFF0

Networking

Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.44.93:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.44.93:443
Source: Malware configuration extractor URLs: farewellnzu.icu
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.44.93:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.44.93:443
Source: global traffic HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: farewellnzu.icu
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: farewellnzu.icu
Source: unknown HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: farewellnzu.icu
Source: injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://farewellnzu.icu/
Source: injector V2.4.exe, 00000002.00000002.1723929440.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723386115.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1723993426.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723364681.000000000336E000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724050465.0000000003371000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://farewellnzu.icu/api
Source: injector V2.4.exe, 00000002.00000002.1723993426.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://farewellnzu.icu/apis
Source: injector V2.4.exe, 00000002.00000002.1723929440.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723386115.00000000032DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://farewellnzu.icu/apiw
Source: injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1724036986.0000000003363000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723511694.0000000003362000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://farewellnzu.icu/sion
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.21.44.93:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004345A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_004345A0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BEF4D0 0_2_00BEF4D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF34D0 0_2_00BF34D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF15A0 0_2_00BF15A0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BEF980 0_2_00BEF980
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BE86C0 0_2_00BE86C0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BECE70 0_2_00BECE70
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00C01FD2 0_2_00C01FD2
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BED7F0 0_2_00BED7F0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00408860 2_2_00408860
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00439ED0 2_2_00439ED0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0040D86B 2_2_0040D86B
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042B8C8 2_2_0042B8C8
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042A0D0 2_2_0042A0D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042F8D5 2_2_0042F8D5
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004260E0 2_2_004260E0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042C8E0 2_2_0042C8E0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041B8F3 2_2_0041B8F3
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041B884 2_2_0041B884
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0044088C 2_2_0044088C
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004050AC 2_2_004050AC
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041A0B4 2_2_0041A0B4
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00418940 2_2_00418940
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041C162 2_2_0041C162
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00432910 2_2_00432910
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0043D1D0 2_2_0043D1D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00405990 2_2_00405990
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004341A0 2_2_004341A0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004049B0 2_2_004049B0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041CA4F 2_2_0041CA4F
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00406A60 2_2_00406A60
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0043DA00 2_2_0043DA00
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00409230 2_2_00409230
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004392D0 2_2_004392D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00442290 2_2_00442290
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0040AAA0 2_2_0040AAA0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00426350 2_2_00426350
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00408360 2_2_00408360
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042F36A 2_2_0042F36A
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00440B70 2_2_00440B70
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041AB32 2_2_0041AB32
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041B33C 2_2_0041B33C
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00420BD0 2_2_00420BD0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00421B80 2_2_00421B80
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00402BA0 2_2_00402BA0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00437BB2 2_2_00437BB2
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042FC7B 2_2_0042FC7B
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00439C00 2_2_00439C00
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00423C30 2_2_00423C30
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00405432 2_2_00405432
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042E48F 2_2_0042E48F
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00426490 2_2_00426490
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00432495 2_2_00432495
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042E488 2_2_0042E488
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00421D60 2_2_00421D60
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00407570 2_2_00407570
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00441D00 2_2_00441D00
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00428D29 2_2_00428D29
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00439530 2_2_00439530
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004065C0 2_2_004065C0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004425D0 2_2_004425D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004035A0 2_2_004035A0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00420670 2_2_00420670
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042EE1E 2_2_0042EE1E
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042A6C2 2_2_0042A6C2
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042D6C8 2_2_0042D6C8
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00418ED3 2_2_00418ED3
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004246E0 2_2_004246E0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004196E5 2_2_004196E5
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042EEEB 2_2_0042EEEB
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042EEFD 2_2_0042EEFD
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00409690 2_2_00409690
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0043A690 2_2_0043A690
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00440690 2_2_00440690
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042EEA3 2_2_0042EEA3
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042B6AA 2_2_0042B6AA
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00427EB0 2_2_00427EB0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042AEB5 2_2_0042AEB5
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00404F69 2_2_00404F69
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00405F00 2_2_00405F00
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0042970D 2_2_0042970D
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00429725 2_2_00429725
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041FFE0 2_2_0041FFE0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004297ED 2_2_004297ED
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0040AFF0 2_2_0040AFF0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00441FF4 2_2_00441FF4
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0040DFF1 2_2_0040DFF1
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00428780 2_2_00428780
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0041EF9C 2_2_0041EF9C
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00430FA0 2_2_00430FA0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BEF980 2_2_00BEF980
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BEF4D0 2_2_00BEF4D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BF34D0 2_2_00BF34D0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BF15A0 2_2_00BF15A0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BE86C0 2_2_00BE86C0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BECE70 2_2_00BECE70
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00C01FD2 2_2_00C01FD2
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BED7F0 2_2_00BED7F0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: String function: 00BF8178 appears 36 times
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: String function: 00BF55C0 appears 66 times
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: String function: 00408170 appears 48 times
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: String function: 00418930 appears 54 times
Source: injector V2.4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: injector V2.4.exe Static PE information: Section: .coS ZLIB complexity 1.0003339213709677
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/0@1/1
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00439ED0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 2_2_00439ED0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: injector V2.4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\injector V2.4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: injector V2.4.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\injector V2.4.exe File read: C:\Users\user\Desktop\injector V2.4.exe
Source: unknown Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"
Source: C:\Users\user\Desktop\injector V2.4.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\injector V2.4.exe Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"
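The process tree above is what the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures rest on: the sample launches conhost.exe (normal for a console-subsystem binary) and then a second copy of itself. The decrypted C2 domain, the "lid=%s&j=%s&ver=4.0" format string and the TeslaBrowser/5.5 string were recovered only from that child, from a region at 0x400000, while the child still maps the original image (the 2_2_00BEF980, 2_2_00BF34D0 and similar functions sit at the same addresses as their 0_2_ counterparts in the parent). So this is an additional PE written into the suspended child rather than a full unmap-and-replace. The check below is an added example, not the report's own logic: it runs over constructed process-creation events and region snapshots that mirror this tree (PIDs, the parent's image base and the first event's parent are assumptions, and reading the dump identifier's 0x40/0x20000 fields as the Win32 PAGE_EXECUTE_READWRITE and MEM_PRIVATE values is likewise an assumption), and flags the combination of a self-spawned child and executable private memory in it.

```python
import ntpath

# Win32 constants from winnt.h: a loader-mapped module is MEM_IMAGE, memory obtained
# with VirtualAllocEx for injected code is MEM_PRIVATE.
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

SAMPLE = r"C:\Users\user\Desktop\injector V2.4.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"

# Constructed process-creation events modelled on this report's process tree.
# PIDs are invented; the report lists the first process's parent as "unknown".
PROCESS_EVENTS = [
    {"pid": 7400, "ppid": 1000, "image": SAMPLE, "parent_image": None,
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 7444, "ppid": 7400, "image": CONHOST, "parent_image": SAMPLE,
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7500, "ppid": 7400, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
]

# Constructed region snapshots. The child's 0x400000 entry models the executable private
# region the report dumped from process 2 (where the decrypted C2 strings were found);
# the 0xBE0000 entries stand for the loader-mapped original image (base assumed).
REGIONS = {
    7400: [{"base": 0xBE0000, "protect": 0x20, "type": MEM_IMAGE}],
    7444: [],
    7500: [{"base": 0xBE0000, "protect": 0x20, "type": MEM_IMAGE},
           {"base": 0x400000, "protect": 0x40, "type": MEM_PRIVATE}],
}


def same_image(a, b):
    """Case-insensitive Windows path comparison; None (unknown parent) never matches."""
    return a is not None and ntpath.normcase(a) == ntpath.normcase(b)


def assess(events, regions):
    """Map pid -> list of indicator names; an empty list means nothing suspicious."""
    verdicts = {}
    for ev in events:
        indicators = []
        if same_image(ev["parent_image"], ev["image"]):
            indicators.append("self_spawn")            # parent re-launched its own binary
        for r in regions.get(ev["pid"], []):
            if r["type"] == MEM_PRIVATE and r["protect"] & EXECUTE_MASK:
                indicators.append(f"private_exec_region@{r['base']:#x}")
        verdicts[ev["pid"]] = indicators
    return verdicts


def suspected_injection_targets(events, regions):
    """PIDs that are both self-spawned and hold executable private memory."""
    return sorted(pid for pid, ind in assess(events, regions).items()
                  if "self_spawn" in ind
                  and any(i.startswith("private_exec_region") for i in ind))


if __name__ == "__main__":
    for pid, ind in assess(PROCESS_EVENTS, REGIONS).items():
        print(pid, ind or "clean")
    print("suspected:", suspected_injection_targets(PROCESS_EVENTS, REGIONS))
```

Either indicator alone is weak: installers and updaters re-launch themselves, and JIT runtimes allocate executable private memory. Requiring both, in a child that was created suspended, is what separates this tree from ordinary software, which is also why conhost.exe, spawned with the usual "0xffffffff -ForceV1" arguments, must not be scored.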
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\injector V2.4.exe Section loaded: ondemandconnroutehelper.dll
Source: injector V2.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Source: injector V2.4.exe Static PE information: section name: .00cfg
Source: injector V2.4.exe Static PE information: section name: .coS
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF4BC5 push ecx; ret 0_2_00BF4BD8
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_004158C1 push 294FAF12h; iretd 2_2_004158C6
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00432131 push eax; retf 2_2_0043213A
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00436FF2 push ebx; retf 2_2_00436FF3
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BF4BC5 push ecx; ret 2_2_00BF4BD8
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF4CA2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BF4CA2
Source: C:\Users\user\Desktop\injector V2.4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\injector V2.4.exe API coverage: 7.0 %
Source: C:\Users\user\Desktop\injector V2.4.exe TID: 7512 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\injector V2.4.exe TID: 7516 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\injector V2.4.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BFC7DB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00BFC7DB
Source: injector V2.4.exe, 00000002.00000002.1723929440.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723386115.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000002.1723993426.0000000003315000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000002.00000003.1723461568.0000000003315000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_0043F0E0 LdrInitializeThunk, 2_2_0043F0E0
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BF5444
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00C0B18D mov edi, dword ptr fs:[00000030h] 0_2_00C0B18D
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BECD10 mov eax, dword ptr fs:[00000030h] 0_2_00BECD10
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BEBD50 mov edi, dword ptr fs:[00000030h] 0_2_00BEBD50
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BECD10 mov eax, dword ptr fs:[00000030h] 2_2_00BECD10
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BEBD50 mov edi, dword ptr fs:[00000030h] 2_2_00BEBD50
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF9F90 GetProcessHeap, 0_2_00BF9F90
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF5438 SetUnhandledExceptionFilter, 0_2_00BF5438
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BF5444
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BF7DCA
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BF4AD9
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BF4AD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00BF4AD9
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BF5438 SetUnhandledExceptionFilter, 2_2_00BF5438
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BF5444 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00BF5444
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 2_2_00BF7DCA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00BF7DCA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00C0B18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_00C0B18D
Source: C:\Users\user\Desktop\injector V2.4.exe Memory written: C:\Users\user\Desktop\injector V2.4.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\injector V2.4.exe Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF5200 cpuid 0_2_00BF5200
Source: C:\Users\user\Desktop\injector V2.4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\injector V2.4.exe Code function: 0_2_00BF58C5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00BF58C5
Source: C:\Users\user\Desktop\injector V2.4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 2.2.injector V2.4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.injector V2.4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1683104241.000000000071E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 2.2.injector V2.4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.injector V2.4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1723613247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1683104241.000000000071E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY