Windows Analysis Report
XTN21MDFrg.exe

Overview

General Information

Sample name: XTN21MDFrg.exe
Renamed because the original name is a hash value.
Original sample name: 962c5a8ed8af958eb0168b57c08cea04.exe
Analysis ID: 1561757
MD5: 962c5a8ed8af958eb0168b57c08cea04
SHA1: 33755435c11251f9ef63aabf3a81a80a89bd8844
SHA256: 249d5278ba7c7d8057bf3437cb5f36d63f8ee047ce8068e26e250ee4e3d776ed
Tags: exe, LummaStealer, user-abuse_ch

Detection

LummaC
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: XTN21MDFrg.exe Malware Configuration Extractor: LummaC {"C2 url": ["3xc1aimbl0w.sbs", "300snails.sbs", "thicktoys.sbs", "faintbl0w.sbs"]}
Source: XTN21MDFrg.exe ReversingLabs: Detection: 68%
Source: XTN21MDFrg.exe Joe Sandbox ML: detected
Source: XTN21MDFrg.exe String decryptor: faintbl0w.sbs
Source: XTN21MDFrg.exe String decryptor: 300snails.sbs
Source: XTN21MDFrg.exe String decryptor: 3xc1aimbl0w.sbs
Source: XTN21MDFrg.exe String decryptor: thicktoys.sbs
Source: XTN21MDFrg.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: XTN21MDFrg.exe String decryptor: TeslaBrowser/5.5
Source: XTN21MDFrg.exe String decryptor: - Screen Resoluton:
Source: XTN21MDFrg.exe String decryptor: - Physical Installed Memory:
Source: XTN21MDFrg.exe String decryptor: Workgroup: -
Source: XTN21MDFrg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: XTN21MDFrg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h 0_2_00AE1050
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov word ptr [ebx], dx 0_2_00AB8890
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h 0_2_00AC68D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 0_2_00ACE03F
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-2FEE79D7h] 0_2_00AAD80D
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov byte ptr [edi], cl 0_2_00ACC81E
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx ecx, byte ptr [esp+esi+04h] 0_2_00AC3850
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov byte ptr [edi], bl 0_2_00AA91B0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h 0_2_00AE11E0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edx, byte ptr [esi+ecx+5F30FA22h] 0_2_00AAB1D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then jmp eax 0_2_00AC51D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+000001ADh] 0_2_00AB990C
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movsx eax, byte ptr [esi] 0_2_00AE02F0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov ebx, edx 0_2_00ABC225
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movsx eax, byte ptr [esi] 0_2_00AE0210
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov byte ptr [edx], al 0_2_00ACE3BE
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov ecx, eax 0_2_00ABEB80
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_00ABEB80
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-42FFC5DBh] 0_2_00AAD392
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx eax, byte ptr [esi+edx+00000420h] 0_2_00ACC3D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov byte ptr [ebx], dl 0_2_00ACC3D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-5B418B08h] 0_2_00ADC3D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh 0_2_00ADC3D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov ecx, eax 0_2_00ABD330
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+000000E8h] 0_2_00AAE4AF
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax] 0_2_00AE1480
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov ecx, eax 0_2_00AC6C90
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00ACB4E0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00AD5CC0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then jmp eax 0_2_00AC5440
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx ebx, bx 0_2_00AC55A4
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov dword ptr [ebp-10h], edx 0_2_00AC4DA1
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-0CA2BA0Eh] 0_2_00AACDB0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx eax, byte ptr [edi] 0_2_00ADFDE0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movsx eax, byte ptr [esi] 0_2_00ADFDE0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00AC35F0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 0_2_00ACEDCA
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then jmp eax 0_2_00AC55D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx] 0_2_00AAAD20
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 0_2_00ACED09
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-7269D38Fh] 0_2_00AB8E83
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 32F24C0Bh 0_2_00ADBE60
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h 0_2_00ADBFA0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00ABFF90
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov edx, ecx 0_2_00AAC795
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov ebx, ecx 0_2_00AA77D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then movzx edx, word ptr [eax] 0_2_00AE1720
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then mov dword ptr [ecx], edi 0_2_00AAB769
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 9C142CDAh 0_2_00AE0F70
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 4x nop then jmp dword ptr [00AE6898h] 0_2_00AB9744

Networking

Source: Malware configuration extractor URLs: 3xc1aimbl0w.sbs
Source: Malware configuration extractor URLs: 300snails.sbs
Source: Malware configuration extractor URLs: thicktoys.sbs
Source: Malware configuration extractor URLs: faintbl0w.sbs
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD3A50 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00AD3A50
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA8A70 0_2_00AA8A70
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD88B0 0_2_00AD88B0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC90B1 0_2_00AC90B1
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA4880 0_2_00AA4880
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD0082 0_2_00AD0082
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC88F8 0_2_00AC88F8
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACE0CB 0_2_00ACE0CB
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA98C0 0_2_00AA98C0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC88DD 0_2_00AC88DD
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD3820 0_2_00AD3820
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACE03F 0_2_00ACE03F
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA6830 0_2_00AA6830
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA6180 0_2_00AA6180
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACC9E3 0_2_00ACC9E3
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABB1FA 0_2_00ABB1FA
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACC1F0 0_2_00ACC1F0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC51D0 0_2_00AC51D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AB990C 0_2_00AB990C
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AAE911 0_2_00AAE911
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA5917 0_2_00AA5917
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC4957 0_2_00AC4957
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AE02F0 0_2_00AE02F0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACFAD8 0_2_00ACFAD8
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AACA3F 0_2_00AACA3F
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACA235 0_2_00ACA235
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AE0210 0_2_00AE0210
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA2A70 0_2_00AA2A70
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACAA59 0_2_00ACAA59
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD9250 0_2_00AD9250
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC13AD 0_2_00AC13AD
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACE3BE 0_2_00ACE3BE
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABEB80 0_2_00ABEB80
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ADCB80 0_2_00ADCB80
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACAB83 0_2_00ACAB83
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACD304 0_2_00ACD304
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABF3C0 0_2_00ABF3C0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACC3D0 0_2_00ACC3D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ADC3D0 0_2_00ADC3D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABE304 0_2_00ABE304
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABC4BC 0_2_00ABC4BC
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AE1CB0 0_2_00AE1CB0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA3490 0_2_00AA3490
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA6CC0 0_2_00AA6CC0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA5CC0 0_2_00AA5CC0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA9410 0_2_00AA9410
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD0C61 0_2_00AD0C61
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC5440 0_2_00AC5440
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC55A4 0_2_00AC55A4
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD35B0 0_2_00AD35B0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACB580 0_2_00ACB580
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABCDE0 0_2_00ABCDE0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ADFDE0 0_2_00ADFDE0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACEDCA 0_2_00ACEDCA
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC55D0 0_2_00AC55D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AAAD20 0_2_00AAAD20
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACED09 0_2_00ACED09
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC2D10 0_2_00AC2D10
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC7D61 0_2_00AC7D61
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC8D61 0_2_00AC8D61
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABFD50 0_2_00ABFD50
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABDEB6 0_2_00ABDEB6
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AB8E83 0_2_00AB8E83
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC0EF0 0_2_00AC0EF0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AB9ECF 0_2_00AB9ECF
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD8ED0 0_2_00AD8ED0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA9E21 0_2_00AA9E21
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA8670 0_2_00AA8670
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA3E70 0_2_00AA3E70
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD8650 0_2_00AD8650
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABA783 0_2_00ABA783
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC6F9E 0_2_00AC6F9E
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABFF90 0_2_00ABFF90
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD1790 0_2_00AD1790
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ABAFC2 0_2_00ABAFC2
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ACC7C6 0_2_00ACC7C6
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC77C0 0_2_00AC77C0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AA77D0 0_2_00AA77D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC97D0 0_2_00AC97D0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AC3F26 0_2_00AC3F26
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AE1720 0_2_00AE1720
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AAB769 0_2_00AAB769
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: String function: 00AA8450 appears 43 times
Source: XTN21MDFrg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00AD19E0 CoCreateInstance, 0_2_00AD19E0
Source: XTN21MDFrg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XTN21MDFrg.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\XTN21MDFrg.exe File read: C:\Users\user\Desktop\XTN21MDFrg.exe
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Section loaded: wldp.dll
Source: XTN21MDFrg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\XTN21MDFrg.exe API coverage: 6.5 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\XTN21MDFrg.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\XTN21MDFrg.exe Code function: 0_2_00ADE420 LdrInitializeThunk, 0_2_00ADE420

HIPS / PFW / Operating System Protection Evasion

Source: XTN21MDFrg.exe, 00000000.00000000.2114730785.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: faintbl0w.sbs
Source: XTN21MDFrg.exe, 00000000.00000000.2114730785.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: 300snails.sbs
Source: XTN21MDFrg.exe, 00000000.00000000.2114730785.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: 3xc1aimbl0w.sbs
Source: XTN21MDFrg.exe, 00000000.00000000.2114730785.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: thicktoys.sbs

Stealing of Sensitive Information

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos