Windows Analysis Report
1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe

Overview

General Information

Sample name: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe
Analysis ID: 1592276
MD5: 634a3ba433e8504445950eef71067213
SHA1: 34bc8aae7a71367deee7d9a739c8c005af8f4627
SHA256: 2d4e103929896a5ba5af03866662aca8b3375383c49c06caa5ddcf2cb12aec64
Tags: base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

LummaC
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Avira: detected
Found malware configuration
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Malware Configuration Extractor: LummaC {"C2 url": ["immolatechallen.bond", "sobrattyeu.bond", "jarry-fixxer.bond", "crookedfoshe.bond", "jarry-deatile.bond", "stripedre-lot.bond", "strivehelpeu.bond", "growthselec.bond", "pain-temper.bond"], "Build id": "PeL9hR--"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 80.8% probability
Machine Learning detection for sample
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: jarry-fixxer.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: pain-temper.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: jarry-deatile.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: growthselec.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: stripedre-lot.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: immolatechallen.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: crookedfoshe.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: strivehelpeu.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: sobrattyeu.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: TeslaBrowser/5.5
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: - Screen Resoluton:
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: - Physical Installed Memory:
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: Workgroup: -
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String decryptor: PeL9hR--
Uses 32bit PE files
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: immolatechallen.bond
Source: Malware configuration extractor URLs: sobrattyeu.bond
Source: Malware configuration extractor URLs: jarry-fixxer.bond
Source: Malware configuration extractor URLs: crookedfoshe.bond
Source: Malware configuration extractor URLs: jarry-deatile.bond
Source: Malware configuration extractor URLs: stripedre-lot.bond
Source: Malware configuration extractor URLs: strivehelpeu.bond
Source: Malware configuration extractor URLs: growthselec.bond
Source: Malware configuration extractor URLs: pain-temper.bond

System Summary
barindex
PE file contains section with special chars
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: section name: @.data
PE file does not import any functions
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: No import functions for PE file found
PE file overlay found
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: Data appended to the last section found
Uses 32bit PE files
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal88.troj.evad.winEXE@0/0@0/0
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
PE file contains sections with non-standard names
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: section name: .relo
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe Static PE information: section name: @.data

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String found in binary or memory: growthselec.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String found in binary or memory: immolatechallen.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String found in binary or memory: crookedfoshe.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String found in binary or memory: strivehelpeu.bond
Source: 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe String found in binary or memory: sobrattyeu.bond

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1592276 Sample: 1736984347371a50bb0db16e949... Startdate: 16/01/2025 Architecture: WINDOWS Score: 88 5 Found malware configuration 2->5 7 Antivirus / Scanner detection for submitted sample 2->7 9 Yara detected LummaC Stealer 2->9 11 6 other signatures 2->11
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
pain-temper.bond true
  • Avira URL Cloud: safe
 unknown
jarry-deatile.bond true
  • Avira URL Cloud: safe
 unknown
immolatechallen.bond true
  • Avira URL Cloud: safe
 unknown
crookedfoshe.bond true
  • Avira URL Cloud: safe
 unknown
stripedre-lot.bond true
  • Avira URL Cloud: safe
 unknown
jarry-fixxer.bond true
  • Avira URL Cloud: safe
 unknown
growthselec.bond true
  • Avira URL Cloud: safe
 unknown
sobrattyeu.bond true
  • Avira URL Cloud: safe
 unknown
strivehelpeu.bond true
  • Avira URL Cloud: safe
 unknown