Edit tour
Windows
Analysis Report
1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe
Overview
General Information
| Sample name: | 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe |
| Analysis ID: | 1592276 |
| MD5: | 634a3ba433e8504445950eef71067213 |
| SHA1: | 34bc8aae7a71367deee7d9a739c8c005af8f4627 |
| SHA256: | 2d4e103929896a5ba5af03866662aca8b3375383c49c06caa5ddcf2cb12aec64 |
| Tags: | base64-decodedexeuser-abuse_ch |
| Infos: |  |
 | |
Errors
| |
Detection
LummaC
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Uses 32bit PE files
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["immolatechallen.bond", "sobrattyeu.bond", "jarry-fixxer.bond", "crookedfoshe.bond", "jarry-deatile.bond", "stripedre-lot.bond", "strivehelpeu.bond", "growthselec.bond", "pain-temper.bond"], "Build id": "PeL9hR--"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Networking | |
|---|
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 PowerShell | Path Interception | Path Interception | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Crypt.EPACK.Gen2 | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown | |
| true |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1592276 |
| Start date and time: | 2025-01-16 00:40:09 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 45s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 1 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe |
| Detection: | MAL |
| Classification: | mal88.troj.evad.winEXE@0/0@0/0 |
| Cookbook Comments: |
|
- No process behavior to analyse as no analysis process or sample was found
- Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
- Exclude process from analysis (whitelisted): dllhost.exe
⊘No simulations
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.86079750829875 |
| TrID: |
|
| File name: | 1736984347371a50bb0db16e949acb4c3af87392a95fb7ecf9fb132043ee481016955a921b361.dat-decoded.exe |
| File size: | 322'255 bytes |
| MD5: | 634a3ba433e8504445950eef71067213 |
| SHA1: | 34bc8aae7a71367deee7d9a739c8c005af8f4627 |
| SHA256: | 2d4e103929896a5ba5af03866662aca8b3375383c49c06caa5ddcf2cb12aec64 |
| SHA512: | 4869419e3f80dbfb43e90cdf057150f53aab797700ec0b2ee8b44c416c15e481992bdffe5027b164b0ae089c837b784ceea37a8dcaac86bad38c59736a5795e0 |
| SSDEEP: | 6144:WKEAn8bD6ieCNF3qAkOpMObNatsxkFzjojsQ:WN/6+NN5aGCusQ |
| TLSH: | F4648C46E76380A1E4CB0D7532AEB77B6E3B661463288DD7CB4CCAA474739D17839D02 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..........................................@..........................P............@..................................+..... |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x408680 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6786EB84 [Tue Jan 14 22:56:04 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: |
| Instruction |
|---|
| inc esp |
| and al, 18h |
| mov byte ptr [esi+ebx], al |
| mov eax, dword ptr [esp+14h] |
| pop esi |
| pop edi |
| pop ebx |
| pop ebp |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ebx |
| mov ecx, dword ptr [esp+10h] |
| xor eax, eax |
| test ecx, ecx |
| je 00007F6DC156814Fh |
| mov edx, dword ptr [esp+08h] |
| movzx ebx, byte ptr [esp+0Ch] |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| cmp byte ptr [edx], bl |
| je 00007F6DC1568138h |
| inc edx |
| dec ecx |
| jne 00007F6DC156812Ah |
| pop ebx |
| ret |
| mov eax, edx |
| pop ebx |
| ret |
| int3 |
| int3 |
| mov eax, dword ptr [esp+04h] |
| mov ecx, eax |
| neg ecx |
| mov edx, eax |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| dec ecx |
| cmp byte ptr [edx], 00000000h |
| lea edx, dword ptr [edx+01h] |
| jne 00007F6DC1568129h |
| mov edx, ecx |
| not edx |
| and ecx, eax |
| not eax |
| and eax, edx |
| sub eax, ecx |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push ebp |
| push ebx |
| push edi |
| push esi |
| xor ebp, ebp |
| mov ecx, dword ptr [esp+1Ch] |
| mov edx, dword ptr [esp+18h] |
| mov esi, dword ptr [esp+14h] |
| xor edi, edi |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| cmp ecx, edi |
| je 00007F6DC1568149h |
| movsx ebx, byte ptr [edx+edi] |
| movsx eax, byte ptr [esi+edi] |
| cmp al, bl |
| jne 00007F6DC1568139h |
| inc edi |
| test bl, bl |
| jne 00007F6DC156811Ah |
| cmp byte ptr [ebx], dl |
| lodsd |
| jmp 00007F6DC1568136h |
| sub eax, ebx |
| mov ebp, eax |
| mov eax, ebp |
| pop esi |
| pop edi |
| pop ebx |
| pop ebp |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x42b02 | 0x8c | .relo |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x51000 | 0x3aac | .relo |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x42c3c | 0xac | .relo |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .relo | 0x3a | 0xac000063 | 0x510 | 7d40c5ed9b20e819c1c8355757501337 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ |
| @.data | 0xd6 | 0xac000000 | 0x430 | 3826522dd50c9790889790aa42952a82 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ |
| .text | 0x1000 | 0x3f3a2 | 0x3f400 | 6f26300667949c75654100418a07da0b | False | 0.5605430150691699 | data | 6.701154158112619 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x41000 | 0x1f71 | 0x2000 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
⊘No statistics
⊘No system behavior
⊘No disassembly