Windows Analysis Report
8lvzqcMqGF.exe

Overview

General Information

Sample name: 8lvzqcMqGF.exe (renamed because the original name is a hash value)
Original sample name: 3c30dbf2e7d57fdb7babdf49b87d8b31.exe
Analysis ID: 1417370
MD5: 3c30dbf2e7d57fdb7babdf49b87d8b31
SHA1: 33e72f2e8e6b93a2ecffccba64650bda87e08e0d
SHA256: 8d2c29f6d94f4375450e54b8d9fcd645beb7642d4240a4137e7c8539a57040d2
Tags: 32 exe LummaStealer trojan

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
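The signatures "Creates a process in suspended mode", "Injects a PE file into a foreign process" and "Writes to foreign memory regions", read together with the process list further down (8lvzqcMqGF.exe on the Desktop spawns C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, and it is RegAsm.exe that performs every DNS lookup), describe a .NET loader hollowing a signed Microsoft utility. The Python below is an added example written for this page, not Joe Sandbox or Lumma code: it shows the telemetry-side check for that pattern, scoring any hollow-target process on three independent signals (parent image in a user-writable path, no command-line arguments, network activity from the child). The event layout is a constructed Sysmon-like subset, the pids reuse the report's process indices 0 and 3, the benign RegAsm.exe record is invented for contrast, and the hollow-target list beyond RegAsm.exe is an assumption from general experience.

```python
"""Flag the hollowing pattern this report records: an executable run from a
user-writable path starts a Microsoft .NET utility (here RegAsm.exe) with no
arguments, and it is that child, not the parent, that talks to the network.

Added example written for this page, not Joe Sandbox or Lumma code. The event
format is a constructed Sysmon-like subset; the image paths come from the
report, the pids and the benign RegAsm.exe record are constructed.
"""
from __future__ import annotations

import ntpath  # parse Windows paths correctly on any host

# Signed utilities that .NET loaders commonly hollow. RegAsm.exe is the one
# used by this sample; the others are assumptions from general experience.
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                  "installutil.exe", "aspnet_compiler.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def has_no_arguments(cmdline: str, image: str) -> bool:
    """A legitimate RegAsm.exe run names an assembly; a bare image path is the
    hollowing tell (the loader only needs a suspended host process)."""
    stripped = cmdline.strip().strip('"').strip()
    return not stripped or stripped.lower().endswith(image_name(image))


def find_hollowed_children(events: list[dict]) -> list[dict]:
    """Correlate process_create with later dns_query/network_connect events
    and score each hollow-target process by the reasons it trips."""
    procs: dict[int, dict] = {}
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = {"image": ev["image"], "parent_image": ev["parent_image"],
                                "cmdline": ev.get("cmdline", ""), "net": []}
    for ev in events:
        if ev["type"] in ("dns_query", "network_connect") and ev["pid"] in procs:
            procs[ev["pid"]]["net"].append(ev)
    alerts = []
    for pid, proc in procs.items():
        if image_name(proc["image"]) not in HOLLOW_TARGETS:
            continue
        reasons = []
        if is_user_writable(proc["parent_image"]):
            reasons.append("parent-in-user-writable-path")
        if has_no_arguments(proc["cmdline"], proc["image"]):
            reasons.append("no-arguments")
        if proc["net"]:
            reasons.append("network-activity")
        if reasons:
            alerts.append({"pid": pid, "image": proc["image"], "reasons": reasons})
    return alerts


# Constructed events modelled on this report's process tree (pids 0/3 are the
# report's process indices, reused here as pids).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 0, "image": r"C:\Users\user\Desktop\8lvzqcMqGF.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\8lvzqcMqGF.exe"'},
    {"type": "process_create", "pid": 3,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\user\Desktop\8lvzqcMqGF.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"type": "dns_query", "pid": 3, "query": "turkeyunlikelyofw.shop"},
    # Invented benign contrast: a developer registering a COM-visible assembly.
    {"type": "process_create", "pid": 7,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase C:\dev\MyLib.dll'},
]

if __name__ == "__main__":
    for alert in find_hollowed_children(SAMPLE_EVENTS):
        print(alert)
```

Only the RegAsm.exe spawned from the Desktop binary is reported, with all three reasons; the developer's RegAsm.exe run trips none of them because its parent is under Program Files, it carries an assembly argument, and it makes no network calls.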

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 8lvzqcMqGF.exe Avira: detected
Source: edurestunningcrackyow.fun URL Reputation: Label: malware
Source: https://colorfulequalugliess.shop/ Avira URL Cloud: Label: phishing
Source: https://turkeyunlikelyofw.shop/api Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/api Avira URL Cloud: Label: malware
Source: colorfulequalugliess.shop Avira URL Cloud: Label: phishing
Source: https://turkeyunlikelyofw.shop/ Avira URL Cloud: Label: malware
Source: https://relevantvoicelesskw.shop/R8 Avira URL Cloud: Label: phishing
Source: https://associationokeo.shop/apiX Avira URL Cloud: Label: malware
Source: https://associationokeo.shop// Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/Ut Avira URL Cloud: Label: malware
Source: relevantvoicelesskw.shop Avira URL Cloud: Label: phishing
Source: https://associationokeo.shop/d Avira URL Cloud: Label: malware
Source: 3.2.RegAsm.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "turkeyunlikelyofw.shop"], "Build id": "LGNDR1--ketamine"}
Source: colorfulequalugliess.shop Virustotal: Detection: 20% Perma Link
Source: wisemassiveharmonious.shop Virustotal: Detection: 9% Perma Link
Source: https://colorfulequalugliess.shop/ Virustotal: Detection: 20% Perma Link
Source: https://associationokeo.shop/api Virustotal: Detection: 23% Perma Link
Source: https://turkeyunlikelyofw.shop/ Virustotal: Detection: 20% Perma Link
Source: relevantvoicelesskw.shop Virustotal: Detection: 20% Perma Link
Source: https://associationokeo.shop/apiX Virustotal: Detection: 17% Perma Link
Source: https://turkeyunlikelyofw.shop/api Virustotal: Detection: 21% Perma Link
Source: https://pooreveningfuseor.pw/api Virustotal: Detection: 15% Perma Link
Source: https://detectordiscusser.shop/v Virustotal: Detection: 19% Perma Link
Source: https://associationokeo.shop// Virustotal: Detection: 23% Perma Link
Source: https://detectordiscusser.shop/api Virustotal: Detection: 19% Perma Link
Source: https://detectordiscusser.shop/ Virustotal: Detection: 19% Perma Link
Source: https://associationokeo.shop/d Virustotal: Detection: 14% Perma Link
Source: https://pooreveningfuseor.pw/ Virustotal: Detection: 17% Perma Link
Source: https://detectordiscusser.shop/apiapi Virustotal: Detection: 19% Perma Link
Source: 8lvzqcMqGF.exe ReversingLabs: Detection: 91%
Source: 8lvzqcMqGF.exe Virustotal: Detection: 69% Perma Link
Source: 8lvzqcMqGF.exe Joe Sandbox ML: detected
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: associationokeo.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: turkeyunlikelyofw.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: pooreveningfuseor.pw
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: edurestunningcrackyow.fun
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: detectordiscusser.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: relevantvoicelesskw.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: colorfulequalugliess.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: wisemassiveharmonious.shop
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000003.00000002.1604068994.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: LGNDR1--ketamine
Source: 8lvzqcMqGF.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 8lvzqcMqGF.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Newman.pdb source: 8lvzqcMqGF.exe
Source: Binary string: Newman.pdb8 source: 8lvzqcMqGF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+00000A10h] 3_2_004200C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_004350C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edi, eax 3_2_004060B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, eax 3_2_004060B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+40h] 3_2_004131F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0041624E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+00000084h] 3_2_00417270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 3_2_00417270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_004222E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, word ptr [edi+ecx] 3_2_00419290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 3_2_0041544F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+000000A0h] 3_2_0041B4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 3_2_004094A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edx], cl 3_2_004094A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_00420613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00414795
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ecx-08h], 904D52BCh 3_2_004167A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [esi], 00000000h 3_2_0041983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp edx 3_2_0041983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_0042D8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+5Ch] 3_2_0041F920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 3_2_0042F920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 3_2_00409930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [eax-08h], 18DC7455h 3_2_00431A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp edx 3_2_0040FAA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edx], al 3_2_0041EBD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, byte ptr [esi+ecx] 3_2_0040CBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 3_2_00414BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 3_2_00434BB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+0Ch] 3_2_00433C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 3_2_0041FC1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esi+40h], 00000000h 3_2_00411FF4

Networking

Source: Traffic Snort IDS: 2050956 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop) 192.168.2.4:49936 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2051586 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop) 192.168.2.4:54425 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2051587 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop) 192.168.2.4:63226 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2051584 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop) 192.168.2.4:53036 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2050996 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop) 192.168.2.4:57276 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2051473 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun) 192.168.2.4:50877 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2050953 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw) 192.168.2.4:59000 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2050952 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop) 192.168.2.4:61786 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: associationokeo.shop
Source: Malware configuration extractor URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor URLs: pooreveningfuseor.pw
Source: Malware configuration extractor URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor URLs: detectordiscusser.shop
Source: Malware configuration extractor URLs: relevantvoicelesskw.shop
Source: Malware configuration extractor URLs: colorfulequalugliess.shop
Source: Malware configuration extractor URLs: wisemassiveharmonious.shop
Source: unknown DNS traffic detected: query: wisemassiveharmonious.shop reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: turkeyunlikelyofw.shop reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: associationokeo.shop reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: relevantvoicelesskw.shop reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: detectordiscusser.shop reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: colorfulequalugliess.shop reply code: Name error (3, NXDOMAIN)
Source: unknown DNS traffic detected: query: edurestunningcrackyow.fun reply code: Name error (3, NXDOMAIN)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: turkeyunlikelyofw.shop
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop//
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/Ut
Source: RegAsm.exe, 00000003.00000002.1604417781.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/api
Source: RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/apiX
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://associationokeo.shop/d
Source: RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://colorfulequalugliess.shop/
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://detectordiscusser.shop/
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://detectordiscusser.shop/api
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://detectordiscusser.shop/apiapi
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://detectordiscusser.shop/v
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw/
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw/api
Source: RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw/api/
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw/api/api~
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pooreveningfuseor.pw/l
Source: RegAsm.exe, 00000003.00000002.1604349090.0000000000E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://relevantvoicelesskw.shop/R8
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1604349090.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turkeyunlikelyofw.shop/
Source: RegAsm.exe, 00000003.00000002.1604333451.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turkeyunlikelyofw.shop/api
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004294C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004294C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042AB4B GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 3_2_0042AB4B
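The extracted configuration and decrypted strings above give everything needed to hunt for this build on a network: eight unique C2 domains (the extractor lists turkeyunlikelyofw.shop twice), the check-in body template lid=%s&j=%s&ver=4.0 and the TeslaBrowser/5.5 user agent. The Python below is an added example written for this page, not Joe Sandbox or Lumma code. It loads the reported configuration, matches DNS and HTTP records against it, and separately lists clients whose C2 lookups all came back NXDOMAIN, because the Name error answers in this analysis mean the infrastructure is gone, not that the host that asked is clean. The log layouts (one "client qname rcode" line per DNS answer, one dict per HTTP request) and the sample records are constructed; that the lid field carries the build id is an assumption and only adds an extra reason string.

```python
"""Hunt for this Lumma build's C2 indicators in DNS and HTTP records.

Added example written for this page (not Joe Sandbox or Lumma code). The
configuration string is copied from the report; the log formats and sample
records below are constructed for the demonstration.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Malware Configuration Extractor output for this sample, as reported above.
EXTRACTED_CONFIG = (
    '{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", '
    '"pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", '
    '"relevantvoicelesskw.shop", "colorfulequalugliess.shop", '
    '"wisemassiveharmonious.shop", "turkeyunlikelyofw.shop"], '
    '"Build id": "LGNDR1--ketamine"}'
)

# Decrypted strings from the report: the check-in user agent and the POST body
# template lid=%s&j=%s&ver=4.0 (the %s placeholders become arbitrary values).
LUMMA_USER_AGENT = "TeslaBrowser/5.5"
CHECKIN_BODY_RE = re.compile(r"^lid=[^&]+&j=[^&]*&ver=\d+\.\d+$")


def load_config(config_json: str) -> tuple[list[str], str]:
    """Return (unique lower-cased C2 domains in config order, build id).
    De-duplication matters: the extracted list names turkeyunlikelyofw.shop twice."""
    cfg = json.loads(config_json)
    unique: dict[str, None] = {}
    for domain in cfg["C2 url"]:
        unique.setdefault(domain.strip().lower().rstrip("."), None)
    return list(unique), cfg["Build id"]


def defang(domain: str) -> str:
    """Render a domain so it is not clickable when pasted into a ticket."""
    return domain.replace(".", "[.]")


def match_dns(lines: list[str], c2_domains: list[str]) -> list[dict]:
    """Scan constructed 'client qname rcode' lines for C2 lookups.
    rcode 3 is NXDOMAIN, the answer every C2 domain returned in the sandbox."""
    c2 = set(c2_domains)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        client, qname, rcode = parts[0], parts[1].lower().rstrip("."), int(parts[2])
        if qname in c2:
            hits.append({"client": client, "domain": qname, "nxdomain": rcode == 3})
    return hits


def dead_c2_clients(hits: list[dict]) -> list[str]:
    """Clients whose every C2 lookup was NXDOMAIN: the sample ran there even
    though the infrastructure is gone ('expired dropper behavior' above)."""
    by_client: dict[str, list[bool]] = defaultdict(list)
    for hit in hits:
        by_client[hit["client"]].append(hit["nxdomain"])
    return sorted(c for c, flags in by_client.items() if all(flags))


def match_http(requests: list[dict], c2_domains: list[str], build_id: str) -> list[dict]:
    """Score one constructed request dict per HTTP transaction. Each independent
    indicator adds a reason, so a partial match (the user agent against a host
    not yet in the config, say) still surfaces."""
    c2 = set(c2_domains)
    findings = []
    for req in requests:
        reasons = []
        if req.get("host", "").lower() in c2:
            reasons.append("c2-host")
        if req.get("user_agent") == LUMMA_USER_AGENT:
            reasons.append("lumma-user-agent")
        body = req.get("body", "")
        if req.get("method") == "POST" and CHECKIN_BODY_RE.match(body):
            reasons.append("checkin-body")
            # Assumption: the lid field carries the build id from the config.
            if parse_qs(body).get("lid") == [build_id]:
                reasons.append("build-id-match")
        if reasons:
            findings.append({"host": req.get("host"), "reasons": reasons})
    return findings


# Constructed sample records (not taken from the report's capture).
SAMPLE_DNS_LOG = [
    "192.168.2.4 turkeyunlikelyofw.shop 3",
    "192.168.2.4 wisemassiveharmonious.shop 3",
    "192.168.2.4 www.microsoft.com 0",
    "192.168.2.7 associationokeo.shop 0",
]
SAMPLE_HTTP_LOG = [
    {"host": "associationokeo.shop", "method": "POST", "path": "/api",
     "user_agent": "TeslaBrowser/5.5", "body": "lid=LGNDR1--ketamine&j=&ver=4.0"},
    {"host": "example.com", "method": "GET", "path": "/",
     "user_agent": "Mozilla/5.0", "body": ""},
]

if __name__ == "__main__":
    domains, build = load_config(EXTRACTED_CONFIG)
    print("C2:", ", ".join(defang(d) for d in domains), "| build:", build)
    hits = match_dns(SAMPLE_DNS_LOG, domains)
    print("DNS hits:", hits)
    print("clients with only dead C2:", dead_c2_clients(hits))
    print("HTTP findings:", match_http(SAMPLE_HTTP_LOG, domains, build))
```

Scoring the HTTP side by independent reasons rather than one combined rule is deliberate: Lumma operators rotate domains far faster than they change the check-in format, so the user agent and body template keep matching after the config's domains have all died, as they had by the time this sample ran.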

System Summary

Source: 8lvzqcMqGF.exe, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 290816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00433161 NtOpenSection, 3_2_00433161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004331CB NtMapViewOfSection, 3_2_004331CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436230 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043328A NtClose, 3_2_0043328A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00433408 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00433408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004144F0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004144F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004329E6 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004329E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00435E60 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00435E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436050 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419060 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00419060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00432100 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00432100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004371D0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004371D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041520E NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041520E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00418221 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00418221
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004222E6 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004222E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419290 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00419290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436360 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041E380 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041E380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042242C NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0042242C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436490 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004365C0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004365C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004225A4 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004225A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004335B2 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004335B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414639 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00414639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004316C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004316C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041A690 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041A690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004116A7 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004116A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436740 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004167A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_004167A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00415845 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00415845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417805 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00417805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042F810 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0042F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041983E NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041192A NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041192A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436A60 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431A10 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00410A37 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00410A37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041FAE9 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041FAE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041CAA0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00416BB7 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00416BB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041ABBC NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041ABBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041CC35 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041CC35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041ACB8 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041ACB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431DB0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436E00 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00436E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431EC0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414E82 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00414E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00431FF0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_00431FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041DFB0 NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041DFB0
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Code function: 0_2_023823FF 0_2_023823FF
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Code function: 0_2_02381CF0 0_2_02381CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041407C 3_2_0041407C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004060B0 3_2_004060B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00426207 3_2_00426207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004032D0 3_2_004032D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00405350 3_2_00405350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004225A4 3_2_004225A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042F5B0 3_2_0042F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042264C 3_2_0042264C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00420613 3_2_00420613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00404770 3_2_00404770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004267DE 3_2_004267DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401790 3_2_00401790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041983E 3_2_0041983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436A60 3_2_00436A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00423B45 3_2_00423B45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00407D20 3_2_00407D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00403D90 3_2_00403D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00436E00 3_2_00436E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00402EF0 3_2_00402EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FF60 3_2_0040FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00411FF4 3_2_00411FF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041DFB0 3_2_0041DFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408F00 appears 155 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408780 appears 42 times
Source: 8lvzqcMqGF.exe, 00000000.00000002.1595858670.000000000060E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 8lvzqcMqGF.exe
Source: 8lvzqcMqGF.exe Binary or memory string: OriginalFilenameNewman.exe8 vs 8lvzqcMqGF.exe
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: 8lvzqcMqGF.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 8lvzqcMqGF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/1@8/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042759F CoCreateInstance, 3_2_0042759F
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8lvzqcMqGF.exe.log
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: 8lvzqcMqGF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8lvzqcMqGF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 8lvzqcMqGF.exe ReversingLabs: Detection: 91%
Source: 8lvzqcMqGF.exe Virustotal: Detection: 69%
Source: unknown Process created: C:\Users\user\Desktop\8lvzqcMqGF.exe "C:\Users\user\Desktop\8lvzqcMqGF.exe"
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: 8lvzqcMqGF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 8lvzqcMqGF.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 8lvzqcMqGF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Newman.pdb source: 8lvzqcMqGF.exe
Source: Binary string: Newman.pdb8 source: 8lvzqcMqGF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041983E NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041983E
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Code function: 0_2_023836B7 push ebx; iretd 0_2_023836DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043C628 push ecx; ret 3_2_0043C642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004267D8 push cs; ret 3_2_004267DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0043BAE1 push FFFFFFC9h; iretd 3_2_0043BAE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00427E1E push esp; iretd 3_2_00427E26
Source: 8lvzqcMqGF.exe Static PE information: section name: .text entropy: 7.933098445579858
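Added example, not part of the report: the static facts listed above (the EXECUTABLE_IMAGE / 32BIT_MACHINE file characteristics, the HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE DllCharacteristics, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry that marks a .NET assembly, and a .text entropy of 7.93) can be reproduced with a short stdlib-only PE header parser. The parser below is my own; the PE it reads is constructed inline as a test fixture (a minimal PE32 with a single .text section, nothing like the real sample), and the 7.0 "packed" threshold is an assumption rather than a value from the report.

```python
"""Added static-triage example, not part of the report: parse the PE headers
the report's "Static PE information" lines summarise (COFF characteristics,
DllCharacteristics, the CLR data directory, section flags) and compute
per-section Shannon entropy to flag packed or encrypted code."""
import math
import random
import struct

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
                        0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
COM_DESCRIPTOR_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
PACKED_THRESHOLD = 7.0               # assumption: code above this is compressed/encrypted


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = 0.0
    for c in counts:
        if c:
            p = c / n
            h -= p * math.log2(p)
    return h


def parse_pe(blob):
    """Return the header facts and per-section entropy for a PE image held in memory."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", blob, opt)[0] == 0x20B
    dllchars = struct.unpack_from("<H", blob, opt + 0x46)[0]      # same offset in PE32 and PE32+
    dd = opt + (0x70 if pe32plus else 0x60)                        # first data directory entry
    clr_rva, clr_size = struct.unpack_from("<II", blob, dd + COM_DESCRIPTOR_INDEX * 8)
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + i * 40
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, hdr)
        sec_chars = struct.unpack_from("<I", blob, hdr + 36)[0]
        ent = shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": round(ent, 3),
                         "executable": bool(sec_chars & IMAGE_SCN_MEM_EXECUTE),
                         "packed": ent > PACKED_THRESHOLD})
    return {"machine": machine,
            "file_characteristics": [n for bit, n in sorted(FILE_CHARACTERISTICS.items()) if chars & bit],
            "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit],
            "managed": bool(clr_rva and clr_size),            # .NET assembly if the CLR directory is set
            "sections": sections}


def build_sample_pe(text_bytes, dllchars=0x8560, managed=True):
    """Constructed test fixture: a minimal PE32 with one .text section holding text_bytes."""
    opt_size, headers_size = 0xE0, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x010E)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<H", opt, 0x46, dllchars)
    if managed:
        struct.pack_into("<II", opt, 0x60 + COM_DESCRIPTOR_INDEX * 8, 0x2000, 0x48)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000, len(text_bytes),
                      headers_size, 0, 0, 0, 0, 0x60000020)          # CNT_CODE|MEM_EXECUTE|MEM_READ
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(headers_size, b"\0") + text_bytes


# Constructed inputs: a pseudo-random (high entropy) and a constant (low entropy) .text body.
_rng = random.Random(1417370)
HIGH_ENTROPY_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
LOW_ENTROPY_TEXT = b"\x90" * 4096

if __name__ == "__main__":
    for label, data in (("packed", HIGH_ENTROPY_TEXT), ("plain", LOW_ENTROPY_TEXT)):
        info = parse_pe(build_sample_pe(data))
        print(label, info["managed"], info["dll_characteristics"], info["sections"])
```

To run the same checks on a real file, pass `open(path, "rb").read()` to `parse_pe`; an executable section with entropy near 8, as this sample's .text shows, combined with a set CLR directory is the usual shape of a .NET crypter wrapping a native payload.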
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory allocated: 2380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory allocated: 23B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory allocated: 43B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 9.2 %
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe TID: 7488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7528 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7528 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Thread delayed: delay time: 922337203685477
Source: RegAsm.exe, 00000003.00000002.1604292736.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041983E NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,LoadLibraryW,GetProcAddress,GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory, 3_2_0041983E
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Code function: 0_2_023B545D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_023B545D
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: associationokeo.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: turkeyunlikelyofw.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pooreveningfuseor.pw
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: edurestunningcrackyow.fun
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: detectordiscusser.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: relevantvoicelesskw.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: colorfulequalugliess.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: wisemassiveharmonious.shop
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 438000
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 446000
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8DF008
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Queries volume information: C:\Users\user\Desktop\8lvzqcMqGF.exe VolumeInformation
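Added example (my own code, not part of the Joe Sandbox report): a small parser that reads report lines in the "Source: <process> <event>: ..." layout used in this section and turns the scattered evidence into a single verdict. It picks up the remote execute/read/write allocation in RegAsm.exe, the hollowing call chain in 0_2_023B545D (CreateProcessA, then WriteProcessMemory, Wow64SetThreadContext and ResumeThread, in that order), the write of an MZ header (4D5A) to the target's image base 0x400000, and the eight .shop/.pw/.fun hostnames found in the sample's memory. The sample input is copied from the lines above; the regular expressions and the HOLLOWING_CHAIN ordering are my assumptions about the report format and about what separates hollowing from a plain remote write. One further inference, which the report itself does not state: the write to 8DF008 sits eight bytes into an otherwise untouched page, which is the offset of ImageBaseAddress in the 32-bit PEB, so it is consistent with the loader updating the hollowed process's recorded image base.

```python
"""Added triage helper (not part of the Joe Sandbox report): reads report
lines in the "Source: ... <event>: ..." layout used above and extracts the
process-hollowing evidence and the C2 domains.  The regexes encode my own
assumptions about that layout; adjust them if the report format differs."""
import re

# Constructed sample: a subset of lines copied from the report above,
# with the interactive "Jump to behavior" link text removed.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory allocated: 2380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Code function: 0_2_023B545D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_023B545D
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: associationokeo.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: turkeyunlikelyofw.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pooreveningfuseor.pw
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: edurestunningcrackyow.fun
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: detectordiscusser.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: relevantvoicelesskw.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: colorfulequalugliess.shop
Source: 8lvzqcMqGF.exe, 00000000.00000002.1596823256.00000000033B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: wisemassiveharmonious.shop
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\8lvzqcMqGF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8DF008
"""

# Ordered API subsequence that characterises process hollowing (assumed
# signature, matching the Code function line above).  Each entry is matched
# as a substring so that A/W and Wow64 variants are accepted.
HOLLOWING_CHAIN = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

CODE_FN_RE = re.compile(r"Code function: \S+ ((?:\w+,)+)")
MEM_ALLOC_RE = re.compile(r"Memory allocated: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
MEM_WRITE_RE = re.compile(r"Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
                          r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
DOMAIN_RE = re.compile(r"String found in binary or memory: (?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def is_hollowing_chain(apis):
    """True when HOLLOWING_CHAIN occurs, in order, within the API call list."""
    pos = 0
    for api in apis:
        if pos < len(HOLLOWING_CHAIN) and HOLLOWING_CHAIN[pos] in api:
            pos += 1
    return pos == len(HOLLOWING_CHAIN)


def parse_report(text):
    """Extract injection evidence and network indicators from report lines."""
    call_chains, rwx_allocs, remote_writes, domains = [], [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("Source:"):
            continue
        m = CODE_FN_RE.search(line)
        if m:
            call_chains.append([a for a in m.group(1).split(",") if a])
            continue
        m = MEM_ALLOC_RE.search(line)
        if m:
            if "execute" in m.group("prot"):          # executable memory in a foreign process
                rwx_allocs.append((m.group("target"), int(m.group("base"), 16)))
            continue
        m = MEM_WRITE_RE.search(line)
        if m:
            remote_writes.append((m.group("target"), int(m.group("base"), 16), m.group("magic")))
            continue
        m = DOMAIN_RE.search(line)
        if m:
            domains.add(m.group("host").lower())
    # A PE header (MZ = 4D5A) written into another process is the strongest single indicator.
    injected = sorted({t for t, _, magic in remote_writes if magic and magic.upper().startswith("4D5A")})
    return {
        "hollowing_chain": any(is_hollowing_chain(c) for c in call_chains),
        "rwx_allocations": rwx_allocs,
        "remote_writes": remote_writes,
        "injected_pe_into": injected,
        "c2_domains": sorted(domains),
    }


def verdict(result):
    """One-line summary in the style of the report's signature names."""
    if result["hollowing_chain"] and result["injected_pe_into"]:
        return "Injects a PE file into a foreign process: " + ", ".join(result["injected_pe_into"])
    if result["remote_writes"]:
        return "Writes to foreign memory regions"
    return "No injection evidence"


if __name__ == "__main__":
    res = parse_report(SAMPLE_LINES)
    print(verdict(res))
    print("C2 candidates:", *res["c2_domains"], sep="\n  ")
```

To apply it to a whole report, feed the text of the behavior section to `parse_report`; the domain list it returns is what you would block or hunt for, and the hollowing verdict is what you would expect Sysmon event 8/10 style telemetry (remote thread and process access into RegAsm.exe from a user-writable path) to corroborate on an endpoint.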

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
No contacted IP infos