Edit tour
Windows
Analysis Report
13w4NM6mPa.exe
Overview
General Information
| Sample name: | 13w4NM6mPa.exe (renamed file extension from none to exe, renamed because original name is a hash value) |
| Original sample name: | 7058f9c58a4724f83bdc42c386e10471898503e6f46706bf269996350deabe5a |
| Analysis ID: | 1428517 |
| MD5: | 76761104aad9e5fa6b474d9e5cf667be |
| SHA1: | b171274d11b496eac726d4a093a304fc1ac09479 |
| SHA256: | 7058f9c58a4724f83bdc42c386e10471898503e6f46706bf269996350deabe5a |
| Infos: |  |
 | |
Detection
LummaC
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Self deletion via cmd or bat file
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
AV process strings found (often used to terminate AV products)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Drops PE files
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Classification
- System is w10x64
13w4NM6mPa.exe (PID: 6704 cmdline: "C:\Users\ user\Deskt op\13w4NM6 mPa.exe" MD5: 76761104AAD9E5FA6B474D9E5CF667BE) 
conhost.exe (PID: 6684 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - lWjPtDoy2N.exe (PID: 3368 cmdline:
lWjPtDoy2N .exe MD5: 912799971263C4B4415C40071C065EEB) - cmd.exe (PID: 3236 cmdline:
cmd.exe "s tart /min cmd.exe "/ c timeout /t 3 /nobr eak & del "C:\Users\ user\Deskt op\lWjPtDo y2N.exe""" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 2488 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
timeout.exe (PID: 3180 cmdline: timeout /t 3 /nobrea k MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - cmd.exe (PID: 2800 cmdline:
"C:\Window s\system32 \cmd.exe" /c ping 12 7.0.0.1 && del "C:\U sers\user\ Desktop\13 w4NM6mPa.e xe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 2416 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 4476 cmdline:
ping 127.0 .0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution |
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "poledoverglazedkilio.shop"], "Build id": "MeDNN1--NEW"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 04/19/24-04:57:50.350432 |
| SID: | 2839343 |
| Source Port: | 49732 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | Potentially Bad Traffic |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | String decryptor: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | URLs: | ||
| Source: | File created: | ||
| Source: | Process created: | ||
| Source: | HTTP traffic detected: | ||