Loading... Additional Content is being loaded
Windows
Analysis Report
new-riii-1-b.pub.hta
Overview
General Information
| Sample name: | new-riii-1-b.pub.hta |
| Analysis ID: | 1592081 |
| MD5: | 43dd09be1f034e3f7f6232bc7e1d3b80 |
| SHA1: | bf085f00fd0a9cf51e0a580d9819367e345cace4 |
| SHA256: | 3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94 |
| Tags: | FakeCaptchaFakePubhtauser-aachum |
| Infos: |   |
 |
|
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected MSILLoadEncryptedAssembly
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
|
AV Detection |
  |
|---|
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Integrated Neural Analysis Model: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
String decryptor: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
10_2_00424801 | |
| Source: |
Code function: |
10_2_0040E146 | |
| Source: |
Code function: |
10_2_0043F193 | |
| Source: |
Code function: |
10_2_0042E435 | |
| Source: |
Code function: |
10_2_0042E435 | |
| Source: |
Code function: |
10_2_0042E435 | |
| Source: |
Code function: |
10_2_00439FB0 | |
| Source: |
Code function: |
10_2_00437840 | |
| Source: |
Code function: |
10_2_0040A019 | |
| Source: |
Code function: |
10_2_0042A896 | |
| Source: |
Code function: |
10_2_00408100 | |
| Source: |
Code function: |
10_2_0041A910 | |
| Source: |
Code function: |
10_2_004299F3 | |
| Source: |
Code function: |
10_2_004409B0 | |
| Source: |
Code function: |
10_2_004161BC | |
| Source: |
Code function: |
10_2_00427A40 | |
| Source: |
Code function: |
10_2_00429A63 | |
| Source: |
Code function: |
10_2_00429A63 | |
| Source: |
Code function: |
10_2_00402220 | |
| Source: |
Code function: |
10_2_00429A23 | |
| Source: |
Code function: |
10_2_00427A20 | |
| Source: |
Code function: |
10_2_0041C230 | |
| Source: |
Code function: |
10_2_00429230 | |
| Source: |
Code function: |
10_2_0041BAD2 | |
| Source: |
Code function: |
10_2_0040AAE0 | |
| Source: |
Code function: |
10_2_004072E0 | |
| Source: |
Code function: |
10_2_004192E0 | |
| Source: |
Code function: |
10_2_004192E0 | |
| Source: |
Code function: |
10_2_0042A2F3 | |
| Source: |
Code function: |
10_2_00429A8C | |
| Source: |
Code function: |
10_2_00429AA2 | |
| Source: |
Code function: |
10_2_004262BB | |
| Source: |
Code function: |
10_2_004262BB | |
| Source: |
Code function: |
10_2_00418345 | |
| Source: |
Code function: |
10_2_00427B1D | |
| Source: |
Code function: |
10_2_00427B1D | |
| Source: |
Code function: |
10_2_004283E2 | |
| Source: |
Code function: |
10_2_00418BED | |
| Source: |
Code function: |
10_2_0043FBEC | |
| Source: |
Code function: |
10_2_00421BF0 | |
| Source: |
Code function: |
10_2_0041CBA0 | |
| Source: |
Code function: |
10_2_00416C59 | |
| Source: |
Code function: |
10_2_0043FC25 | |
| Source: |
Code function: |
10_2_0042A428 | |
| Source: |
Code function: |
10_2_0042543E | |
| Source: |
Code function: |
10_2_0043D4C0 | |
| Source: |
Code function: |
10_2_0042F4D9 | |
| Source: |
Code function: |
10_2_0042D4B4 | |
| Source: |
Code function: |
10_2_0042E556 | |
| Source: |
Code function: |
10_2_0042E556 | |
| Source: |
Code function: |
10_2_0042E556 | |
| Source: |
Code function: |
10_2_0041ED60 | |
| Source: |
Code function: |
10_2_0042F56D | |
| Source: |
Code function: |
10_2_0043D530 | |
| Source: |
Code function: |
10_2_0043FDC0 | |
| Source: |
Code function: |
10_2_0043FDC0 | |
| Source: |
Code function: |
10_2_00440DF0 | |
| Source: |
Code function: |
10_2_0042ADA0 | |
| Source: |
Code function: |
10_2_00409650 | |
| Source: |
Code function: |
10_2_00409650 | |
| Source: |
Code function: |
10_2_0043F625 | |
| Source: |
Code function: |
10_2_00419E30 | |
| Source: |
Code function: |
10_2_0043DE30 | |
| Source: |
Code function: |
10_2_00428637 | |
| Source: |
Code function: |
10_2_004296EE | |
| Source: |
Code function: |
10_2_0043AEF0 | |
| Source: |
Code function: |
10_2_00408E90 | |
| Source: |
Code function: |
10_2_00417F57 | |
| Source: |
Code function: |
10_2_0042E76A | |
| Source: |
Code function: |
10_2_0040A776 | |
| Source: |
Code function: |
10_2_00421700 | |
| Source: |
Code function: |
10_2_0043FF20 | |
| Source: |
Code function: |
10_2_0043EFE1 | |
| Source: |
Code function: |
10_2_0040CF99 | |
| Source: |
Code function: |
10_2_0040CF99 | |
| Source: |
Code function: |
10_2_00426FA0 | |
Networking |
|
|---|
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
File created: |
||
| Source: |
TCP traffic: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
IP Address: |
||
| Source: |
IP Address: |
||
| Source: |
ASN Name: |
||
| Source: |
ASN Name: |
||
| Source: |
JA3 fingerprint: |
||
| Source: |
JA3 fingerprint: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
TCP traffic detected without corresponding DNS query: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
UDP traffic detected without corresponding DNS query: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
HTTP traffic detected: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
Network traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
HTTPS traffic detected: |
||
| Source: |
Code function: |
10_2_00435480 | |
| Source: |
Code function: |
10_2_00435480 | |
| Source: |
Code function: |
10_2_00435D56 | |
System Summary |
|
|---|
| Source: |
Matched rule: |
||
| Source: |
Code function: |
4_2_04E7C370 | |
| Source: |
Code function: |
4_2_085E1840 | |
| Source: |
Code function: |
4_2_085E1834 | |
| Source: |
Code function: |
4_2_085E1DCB | |
| Source: |
Code function: |
4_2_0AA4761B | |
| Source: |
Code function: |
4_2_0AA4F5B8 | |
| Source: |
Code function: |
4_2_0AA4BB90 | |
| Source: |
Code function: |
4_2_0AA4BB98 | |
| Source: |
Code function: |
4_2_0AA43928 | |
| Source: |
Code function: |
4_2_0AA40160 | |
| Source: |
Code function: |
4_2_0AA40170 | |
| Source: |
Code function: |
4_2_0AA4F140 | |
| Source: |
Code function: |
4_2_0AA45C97 | |
| Source: |
Code function: |
4_2_0AA4DCC8 | |
| Source: |
Code function: |
4_2_0AA64BD1 | |
| Source: |
Code function: |
4_2_0AA6794B | |
| Source: |
Code function: |
4_2_0AA67950 | |
| Source: |
Code function: |
4_2_0AA646A0 | |
| Source: |
Code function: |
4_2_0AA64691 | |
| Source: |
Code function: |
10_2_00421000 | |
| Source: |
Code function: |
10_2_00424801 | |
| Source: |
Code function: |
10_2_0040D80A | |
| Source: |
Code function: |
10_2_0042E435 | |
| Source: |
Code function: |
10_2_00412580 | |
| Source: |
Code function: |
10_2_00427670 | |
| Source: |
Code function: |
10_2_00439FB0 | |
| Source: |
Code function: |
10_2_00403850 | |
| Source: |
Code function: |
10_2_00406070 | |
| Source: |
Code function: |
10_2_00405810 | |
| Source: |
Code function: |
10_2_0043082C | |
| Source: |
Code function: |
10_2_00440030 | |
| Source: |
Code function: |
10_2_004310C7 | |
| Source: |
Code function: |
10_2_004400D0 | |
| Source: |
Code function: |
10_2_004118DD | |
| Source: |
Code function: |
10_2_0043F8E8 | |
| Source: |
Code function: |
10_2_004410F0 | |
| Source: |
Code function: |
10_2_0040A0AF | |
| Source: |
Code function: |
10_2_004148B0 | |
| Source: |
Code function: |
10_2_0041214C | |
| Source: |
Code function: |
10_2_0041D950 | |
| Source: |
Code function: |
10_2_00440170 | |
| Source: |
Code function: |
10_2_00408100 | |
| Source: |
Code function: |
10_2_0041F100 | |
| Source: |
Code function: |
10_2_00433100 | |
| Source: |
Code function: |
10_2_0041A110 | |
| Source: |
Code function: |
10_2_0043B1E4 | |
| Source: |
Code function: |
10_2_00409180 | |
| Source: |
Code function: |
10_2_0042FA40 | |
| Source: |
Code function: |
10_2_00435240 | |
| Source: |
Code function: |
10_2_0041D260 | |
| Source: |
Code function: |
10_2_00439A70 | |
| Source: |
Code function: |
10_2_00404200 | |
| Source: |
Code function: |
10_2_00427A20 | |
| Source: |
Code function: |
10_2_0041BAD2 | |
| Source: |
Code function: |
10_2_0040AAE0 | |
| Source: |
Code function: |
10_2_004072E0 | |
| Source: |
Code function: |
10_2_004192E0 | |
| Source: |
Code function: |
10_2_0042CAE0 | |
| Source: |
Code function: |
10_2_00408A90 | |
| Source: |
Code function: |
10_2_00440A90 | |
| Source: |
Code function: |
10_2_00402AB0 | |
| Source: |
Code function: |
10_2_004262BB | |
| Source: |
Code function: |
10_2_0043AB50 | |
| Source: |
Code function: |
10_2_0040B367 | |
| Source: |
Code function: |
10_2_0042DB0E | |
| Source: |
Code function: |
10_2_00427B1D | |
| Source: |
Code function: |
10_2_00404B30 | |
| Source: |
Code function: |
10_2_004413D0 | |
| Source: |
Code function: |
10_2_004283E2 | |
| Source: |
Code function: |
10_2_0042C3E0 | |
| Source: |
Code function: |
10_2_00431BEC | |
| Source: |
Code function: |
10_2_00421BF0 | |
| Source: |
Code function: |
10_2_0043E3F5 | |
| Source: |
Code function: |
10_2_0041CBA0 | |
| Source: |
Code function: |
10_2_00423475 | |
| Source: |
Code function: |
10_2_00428C1C | |
| Source: |
Code function: |
10_2_0042543E | |
| Source: |
Code function: |
10_2_00405CD0 | |
| Source: |
Code function: |
10_2_00439490 | |
| Source: |
Code function: |
10_2_004404A0 | |
| Source: |
Code function: |
10_2_00406500 | |
| Source: |
Code function: |
10_2_00415613 | |
| Source: |
Code function: |
10_2_0043D530 | |
| Source: |
Code function: |
10_2_004165C0 | |
| Source: |
Code function: |
10_2_0043FDC0 | |
| Source: |
Code function: |
10_2_00432DD0 | |
| Source: |
Code function: |
10_2_004385DB | |
| Source: |
Code function: |
10_2_00440DF0 | |
| Source: |
Code function: |
10_2_00424DA0 | |
| Source: |
Code function: |
10_2_00437E48 | |
| Source: |
Code function: |
10_2_00409650 | |
| Source: |
Code function: |
10_2_00402E50 | |
| Source: |
Code function: |
10_2_00415613 | |
| Source: |
Code function: |
10_2_00419E30 | |
| Source: |
Code function: |
10_2_00428637 | |
| Source: |
Code function: |
10_2_004296EE | |
| Source: |
Code function: |
10_2_004396F0 | |
| Source: |
Code function: |
10_2_0041D6A0 | |
| Source: |
Code function: |
10_2_0042CEBE | |
| Source: |
Code function: |
10_2_00417F57 | |
| Source: |
Code function: |
10_2_00421700 | |
| Source: |
Code function: |
10_2_0041CF10 | |
| Source: |
Code function: |
10_2_0043FF20 | |
| Source: |
Code function: |
10_2_0041B730 | |
| Source: |
Code function: |
10_2_004187C4 | |
| Source: |
Code function: |
10_2_00434FD0 | |
| Source: |
Code function: |
10_2_0040CF99 | |
| Source: |
Code function: |
10_2_00426FA0 | |
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Matched rule: |
||
| Source: |
Classification label: |
||
| Source: |
Code function: |
10_2_00439FB0 | |
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Mutant created: |
||
| Source: |
Mutant created: |
||
| Source: |
Mutant created: |
||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: | |||