
Windows Analysis Report
1.exe

Overview

General Information

Sample name: 1.exe
Analysis ID: 1585287
MD5: d0598443fa9984227105811e5d89b70f
SHA1: 3932d4696f4130658fbf2a16e7f771fc756a63cc
SHA256: fc1595c71b570027b6712c70cafcc075686e14b5702a5a0910f642eb739ac01f
Tags: exe, malware, trojan, user-Joker

Detection

Malware families: LummaC, XRed
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected XRed
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries the installation date of Windows
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files

Classification

  • System is w10x64
  • 1.exe (PID: 2584 cmdline: "C:\Users\user\Desktop\1.exe" MD5: D0598443FA9984227105811E5D89B70F)
    • ._cache_1.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\._cache_1.exe" MD5: 8F02CCF024090E3BD52574174749C778)
    • Synaptics.exe (PID: 2260 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: 065BECDE24188ED65E53BECB09A5A039)
      • WerFault.exe (PID: 5508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 2816 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • EXCEL.EXE (PID: 4540 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Malware configuration (LummaC): {"C2 url": ["noisycuttej.shop", "tirepublicerj.shop", "framekgirus.shop", "nearycrepso.shop", "cloudewahsj.shop", "wholersorie.shop", "abruptyopsn.shop", "twistforcepo.cfd", "rabidcowse.shop"], "Build id": "sadvnqw3nerasdf--"}
Malware configuration (XRed): {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}
Yara matches, initial sample:
Source | Rule | Description | Author
1.exe | JoeSecurity_XRed | Yara detected XRed | Joe Security
1.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Yara matches, dropped files:
Source | Rule | Description | Author
C:\Users\user\Documents\~$cache1 | JoeSecurity_XRed | Yara detected XRed | Joe Security
C:\Users\user\Documents\~$cache1 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\ProgramData\Synaptics\RCX9CB3.tmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
C:\ProgramData\Synaptics\RCX9CB3.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\ProgramData\Synaptics\Synaptics.exe | JoeSecurity_XRed | Yara detected XRed | Joe Security
(1 further entry not expanded in the report)

Yara matches, memory dumps:
Source | Rule | Description | Author
00000003.00000003.1381263733.00000000007A5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
00000001.00000000.1304613100.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
00000001.00000000.1304613100.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
Process Memory Space: 1.exe PID: 2584 | JoeSecurity_XRed | Yara detected XRed | Joe Security
Process Memory Space: Synaptics.exe PID: 2260 | JoeSecurity_XRed | Yara detected XRed | Joe Security
(1 further entry not expanded in the report)

Yara matches, unpacked PEs:
Source | Rule | Description | Author
1.0.1.exe.400000.0.unpack | JoeSecurity_XRed | Yara detected XRed | Joe Security
1.0.1.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
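The signature list flags "Drops files with a non-matching file extension", and the Yara matches above show the XRed payload surviving on disk as `~$cache1` (an Office lock-file name) under Documents and as `RCX9CB3.tmp` under C:\ProgramData\Synaptics. The following hunting check is an added example, not Joe Sandbox's code: it treats a file as a PE only when the DOS header's e_lfanew points at a `PE\0\0` signature, and flags it when the extension is not one Windows normally loads executables from. The directory layout and file contents are constructed fixtures (the PE bytes are a header stub, not a loadable image) and the extension allowlist is an assumption to tune for the estate.

```python
import struct
import tempfile
from pathlib import Path
from typing import List

# Assumption: extensions under which a PE on disk is unremarkable. Anything else with a
# valid PE header is worth a look (e.g. ~$cache1 and RCX9CB3.tmp from this report).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi", ".mui"}


def is_pe(path: Path) -> bool:
    """True if the file has an MZ stub whose e_lfanew points at a PE\\0\\0 signature."""
    try:
        with path.open("rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            if e_lfanew < 0x40 or e_lfanew > 0x1000:  # sanity bound on the header offset
                return False
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_disguised_pe(root: Path) -> List[str]:
    """Return root-relative POSIX paths of PE files whose extension is not in PE_EXTENSIONS."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() not in PE_EXTENSIONS and is_pe(p):
            hits.append(p.relative_to(root).as_posix())
    return hits


def minimal_pe_bytes() -> bytes:
    """Smallest byte string is_pe() accepts: MZ stub, e_lfanew = 0x80, PE signature at 0x80.
    Constructed for the fixture only; it is not a runnable image."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"\0" * (0x80 - 0x40) + b"PE\0\0" + b"\0" * 20


def build_fixture(root: Path) -> None:
    """Constructed directory tree mirroring the drop names in the report (contents synthetic)."""
    (root / "Documents").mkdir(parents=True)
    (root / "ProgramData" / "Synaptics").mkdir(parents=True)
    (root / "Documents" / "~$cache1").write_bytes(minimal_pe_bytes())
    (root / "ProgramData" / "Synaptics" / "RCX9CB3.tmp").write_bytes(minimal_pe_bytes())
    (root / "ProgramData" / "Synaptics" / "Synaptics.exe").write_bytes(minimal_pe_bytes())
    (root / "Documents" / "notes.txt").write_text("plain text, not a PE\n")
    # A genuine Office lock file: same ~$ naming pattern, but no MZ header, so it must not fire.
    (root / "Documents" / "~$budget.xlsx").write_bytes(b"\0" * 0x100)


def demo() -> List[str]:
    """Build the fixture in a temp dir and run the scan over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return find_disguised_pe(root)


if __name__ == "__main__":
    for hit in demo():
        print("PE content under non-PE name:", hit)
```

Checking the `PE\0\0` signature rather than just the two `MZ` bytes keeps the false-positive rate down on the many legitimate files that happen to start with "MZ"; on a live host, point `find_disguised_pe` at the user profile and C:\ProgramData and hash anything it returns against the MD5/SHA values in this report.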

                              System Summary

Sigma matches:
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1.exe, ProcessId: 2584, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 2260, TargetFilename: C:\Users\user\AppData\Local\Temp\U1NTS3we.xlsm
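The two Sigma matches describe the persistence chain: the submitted 1.exe (PID 2584) writes a Run value named "Synaptics Pointing Device Driver" under the WOW6432Node hive pointing at the dropped C:\ProgramData\Synaptics\Synaptics.exe, and that binary (PID 2260) then writes a macro-enabled workbook to Temp, which EXCEL.EXE opens. The following is an added example, not the Sigma rules' own logic and not Joe Sandbox's code: a simplified re-implementation of both detections over Sysmon-style events, with the report's two events and two benign decoys constructed inline. The trusted-image prefixes and the list of Office images are assumptions to adjust for the environment.

```python
import re
from typing import Dict, List, Tuple

# Autorun keys under either hive view; Sysmon may render the root as HKLM or HKEY_LOCAL_MACHINE.
AUTORUN_KEY_RE = re.compile(
    r"^(HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE,
)
# Assumption: images under these roots are installers/updaters allowed to register autoruns.
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: only these images are expected to create macro-enabled Office documents.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
MACRO_EXTENSIONS = (".xlsm", ".xlam", ".docm", ".dotm", ".pptm", ".ppam")


def autorun_by_untrusted_image(event: Dict) -> bool:
    """Sysmon EventID 13 SetValue on a Run/RunOnce key by an image outside trusted roots."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    if not AUTORUN_KEY_RE.match(event.get("TargetObject", "")):
        return False
    return not event.get("Image", "").lower().startswith(TRUSTED_IMAGE_PREFIXES)


def macro_doc_by_non_office(event: Dict) -> bool:
    """Sysmon EventID 11: a macro-enabled document created by something other than Office."""
    if event.get("EventID") != 11:
        return False
    if not event.get("TargetFilename", "").lower().endswith(MACRO_EXTENSIONS):
        return False
    image_name = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    return image_name not in OFFICE_IMAGES


def triage(events: List[Dict]) -> List[Tuple]:
    """Run both checks over an event stream; return (rule, pid, object, detail) per hit."""
    hits = []
    for ev in events:
        if autorun_by_untrusted_image(ev):
            hits.append(("autorun_untrusted_image", ev["ProcessId"], ev["TargetObject"], ev.get("Details")))
        if macro_doc_by_non_office(ev):
            hits.append(("macro_doc_non_office", ev["ProcessId"], ev["TargetFilename"], ev["Image"]))
    return hits


SAMPLE_EVENTS = [
    # Constructed from the report's first Sigma match: 1.exe registers the dropped Synaptics.exe.
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Users\\user\\Desktop\\1.exe", "ProcessId": 2584,
     "TargetObject": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Synaptics Pointing Device Driver",
     "Details": "C:\\ProgramData\\Synaptics\\Synaptics.exe"},
    # Constructed from the report's second Sigma match: Synaptics.exe writes an .xlsm lure to Temp.
    {"EventID": 11, "Image": "C:\\ProgramData\\Synaptics\\Synaptics.exe", "ProcessId": 2260,
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\U1NTS3we.xlsm"},
    # Constructed benign decoy: an installer under Program Files registering its tray app.
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Program Files\\Vendor\\setup.exe", "ProcessId": 4000,
     "TargetObject": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "C:\\Program Files\\Vendor\\tray.exe"},
    # Constructed benign decoy: Excel itself saving a macro-enabled workbook.
    {"EventID": 11, "Image": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\EXCEL.EXE",
     "ProcessId": 4540, "TargetFilename": "C:\\Users\\user\\Documents\\budget.xlsm"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The second check is the one that separates this chain from ordinary user activity: Office writing .xlsm files is routine, a freshly registered autorun binary under C:\ProgramData writing one to Temp is not.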
Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T13:18:28.735724+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49744 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:28.773157+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49745 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:29.796536+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49754 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:29.799804+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49757 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:30.904201+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49768 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:30.922727+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49769 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:31.948079+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49780 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:31.951596+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49781 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:33.998523+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49806 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:34.040266+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49807 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:35.057851+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49818 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:35.116762+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49820 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:36.130544+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49828 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:36.170403+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49829 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:37.195532+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49840 | 142.250.185.110 | 443 | TCP
2025-01-07T13:18:37.222448+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.11 | 49841 | 142.250.185.110 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T13:18:29.318163+0100 | 2832617 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49753 | 69.42.215.252 | 80 | TCP


                              AV Detection

Source: 1.exe | Avira: detected
Source: http://xred.site50.net/syn/SUpdate.iniH) | Avira URL Cloud: Label: malware
Source: http://xred.site50.net/syn/SSLLibrary.dlp | Avira URL Cloud: Label: malware
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\RCX9CB3.tmp | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX9CB3.tmp | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\~$cache1 | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\~$cache1 | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: 1.exe | Malware Configuration Extractor: LummaC {"C2 url": ["noisycuttej.shop", "tirepublicerj.shop", "framekgirus.shop", "nearycrepso.shop", "cloudewahsj.shop", "wholersorie.shop", "abruptyopsn.shop", "twistforcepo.cfd", "rabidcowse.shop"], "Build id": "sadvnqw3nerasdf--"}
Source: 1.exe | Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}
Source: C:\ProgramData\Synaptics\Synaptics.exe | ReversingLabs: Detection: 86%
Source: 1.exe | Virustotal: Detection: 84%
Source: 1.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.5% probability
Source: C:\ProgramData\Synaptics\Synaptics.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\RCX9CB3.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\Documents\~$cache1 | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\._cache_1.exe | Joe Sandbox ML: detected
Source: 1.exe | Joe Sandbox ML: detected
Source: 1.exe | String decryptor: cloudewahsj.shop
Source: 1.exe | String decryptor: rabidcowse.shop
Source: 1.exe | String decryptor: noisycuttej.shop
Source: 1.exe | String decryptor: tirepublicerj.shop
Source: 1.exe | String decryptor: framekgirus.shop
Source: 1.exe | String decryptor: wholersorie.shop
Source: 1.exe | String decryptor: abruptyopsn.shop
Source: 1.exe | String decryptor: nearycrepso.shop
Source: 1.exe | String decryptor: twistforcepo.cfd
Source: 1.exe | String decryptor: lid=%s&j=%s&ver=4.0
Source: 1.exe | String decryptor: TeslaBrowser/5.5
Source: 1.exe | String decryptor: - Screen Resoluton:
Source: 1.exe | String decryptor: - Physical Installed Memory:
Source: 1.exe | String decryptor: Workgroup: -
Source: 1.exe | String decryptor: sadvnqw3nerasdf--
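The decrypted strings give three network indicators that are independent of each other: the nine C2 domains from the configuration, the user agent "TeslaBrowser/5.5", and the POST-body format string "lid=%s&j=%s&ver=4.0". The following is an added example, not Joe Sandbox's code and not the stealer's own, showing how to hunt for that beacon in HTTP proxy logs using only those three facts. The request path is not on this page, so nothing keys on it; what fills each %s at runtime is not stated either, so the body pattern only checks the field names and the literal "ver=4.0". The log lines and their key=value layout are constructed.

```python
import re
import shlex
from typing import Dict, List, Tuple

# C2 domains from the extracted LummaC configuration in this report (Build id sadvnqw3nerasdf--).
LUMMA_C2 = {
    "noisycuttej.shop", "tirepublicerj.shop", "framekgirus.shop", "nearycrepso.shop",
    "cloudewahsj.shop", "wholersorie.shop", "abruptyopsn.shop", "twistforcepo.cfd",
    "rabidcowse.shop",
}
# Decrypted user agent and POST body format string from the report.
LUMMA_UA = "TeslaBrowser/5.5"
# "lid=%s&j=%s&ver=4.0": each %s is filled at runtime, so match field names and version only.
LUMMA_BODY_RE = re.compile(r"^lid=[^&\s]+&j=[^&\s]+&ver=4\.0$")


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one constructed proxy log line in key=value form (values may be double-quoted)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def classify(req: Dict[str, str]) -> List[str]:
    """Return the LummaC indicators a single request matches; empty list means no signal."""
    reasons = []
    host = req.get("host", "").lower().rstrip(".")
    if host in LUMMA_C2:
        reasons.append("c2_domain")
    if req.get("ua") == LUMMA_UA:
        reasons.append("user_agent")
    if req.get("method") == "POST" and LUMMA_BODY_RE.match(req.get("body", "")):
        reasons.append("beacon_body")
    return reasons


def hunt(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (source IP, host, reasons) for every log line carrying at least one indicator."""
    out = []
    for line in lines:
        req = parse_log_line(line)
        reasons = classify(req)
        if reasons:
            out.append((req.get("src", ""), req.get("host", ""), reasons))
    return out


# Constructed sample log lines; the field values (XXXX, YYYY) are placeholders, not observed data.
SAMPLE_LOG = [
    'src=192.168.2.11 method=POST host=noisycuttej.shop path=/ ua="TeslaBrowser/5.5" body="lid=XXXX&j=YYYY&ver=4.0"',
    # Same beacon body to a configured C2, but with a spoofed browser UA: still two indicators.
    'src=192.168.2.11 method=POST host=rabidcowse.shop path=/ ua="Mozilla/5.0" body="lid=XXXX&j=YYYY&ver=4.0"',
    # Ordinary download from a shared hosting service: no indicator.
    'src=192.168.2.11 method=GET host=docs.google.com path=/uc ua="Mozilla/5.0" body=""',
    # Unrelated form post with a similar shape but a different version field: no indicator.
    'src=192.168.2.12 method=POST host=update.example.org path=/api ua="Mozilla/5.0" body="lid=1&j=2&ver=3.0"',
]

if __name__ == "__main__":
    for src, host, reasons in hunt(SAMPLE_LOG):
        print(f"{src} -> {host}: {', '.join(reasons)}")
```

Treat a host match as sufficient on its own; the user agent and body pattern are what keep the detection alive after the operator rotates the .shop/.cfd domains, which is why they are scored separately rather than required together.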