Edit tour

Windows Analysis Report
M1gP5m86Gn.exe

Overview

General Information

Sample name:	M1gP5m86Gn.exe renamed because original name is a hash value
Original sample name:	dfa2ab0714c9f234b63fd1295ce468bd247465701a90b8a9ab9eb3d6d032d258.exe
Analysis ID:	1636343
MD5:	accdbd5044408c82c19c977829713e4f
SHA1:	070a001ac12139cc1238017d795a2b43ac52770d
SHA256:	dfa2ab0714c9f234b63fd1295ce468bd247465701a90b8a9ab9eb3d6d032d258
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

M1gP5m86Gn.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\M1gP5m86Gn.exe" MD5: ACCDBD5044408C82C19C977829713E4F)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["hardswarehub.today", "gadgethgfub.icu", "hardrwarehaven.run", "techmindzs.live", "codxefusion.top", "quietswtreams.life", "techspherxe.top"], "Build id": "6JVBTX--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:21.278822+0100	2028371	3	Unknown Traffic	192.168.2.6	49699	104.73.234.102	443	TCP
2025-03-12T17:04:21.278822+0100	2028371	3	Unknown Traffic	192.168.2.6	49696	172.67.214.226	443	TCP
2025-03-12T17:04:32.359649+0100	2028371	3	Unknown Traffic	192.168.2.6	49694	149.154.167.99	443	TCP
2025-03-12T17:04:34.185170+0100	2028371	3	Unknown Traffic	192.168.2.6	49695	104.21.69.194	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (codxefusion .top in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:34.185170+0100	2060531	1	Domain Observed Used for C2 Detected	192.168.2.6	49695	104.21.69.194	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:21.278822+0100	2060570	1	Domain Observed Used for C2 Detected	192.168.2.6	49696	172.67.214.226	443	TCP
2025-03-12T17:04:21.278822+0100	2060570	1	Domain Observed Used for C2 Detected	192.168.2.6	49697	172.67.214.226	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (codxefusion .top)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:33.633705+0100	2060530	1	Domain Observed Used for C2 Detected	192.168.2.6	55181	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:36.328902+0100	2060412	1	Domain Observed Used for C2 Detected	192.168.2.6	63415	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gadgethgfub .icu)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:33.597605+0100	2060538	1	Domain Observed Used for C2 Detected	192.168.2.6	57995	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hardrwarehaven .run)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:33.611026+0100	2060542	1	Domain Observed Used for C2 Detected	192.168.2.6	51154	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hardswarehub .today)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:33.583307+0100	2060545	1	Domain Observed Used for C2 Detected	192.168.2.6	65257	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:34.189070+0100	2060416	1	Domain Observed Used for C2 Detected	192.168.2.6	51732	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techmindzs .live)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:33.621704+0100	2060565	1	Domain Observed Used for C2 Detected	192.168.2.6	64277	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techspherxe .top)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T17:04:34.201006+0100	2060568	1	Domain Observed Used for C2 Detected	192.168.2.6	50052	1.1.1.1	53	UDP
2025-03-12T17:04:35.209819+0100	2060568	1	Domain Observed Used for C2 Detected	192.168.2.6	50052	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: M1gP5m86Gn.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://techspherxe.top/e/	Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/C	Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today:443/api	Avira URL Cloud: Label: malware
Source: https://techspherxe.top:443/api	Avira URL Cloud: Label: malware
Source: https://techspherxe.top/api	Avira URL Cloud: Label: malware
Source: https://socialsscesforum.icu/	Avira URL Cloud: Label: malware
Source: https://quietswtreams.life/api	Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/apip	Avira URL Cloud: Label: malware
Source: https://codxefusion.top/	Avira URL Cloud: Label: malware
Source: https://quietswtreams.life:443/api	Avira URL Cloud: Label: malware
Source: https://gadgethgfub.icu/api	Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/u	Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/	Avira URL Cloud: Label: malware
Source: https://quietswtreams.life/	Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/h	Avira URL Cloud: Label: malware
Source: https://quietswtreams.life/x	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["hardswarehub.today", "gadgethgfub.icu", "hardrwarehaven.run", "techmindzs.live", "codxefusion.top", "quietswtreams.life", "techspherxe.top"], "Build id": "6JVBTX--"}

Multi AV Scanner detection for submitted file

Source: M1gP5m86Gn.exe	ReversingLabs: Detection: 83%
Source: M1gP5m86Gn.exe	Virustotal: Detection: 76%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hardswarehub.today
Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: gadgethgfub.icu
Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hardrwarehaven.run
Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: techmindzs.live
Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: codxefusion.top
Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: quietswtreams.life
Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: techspherxe.top

Source: M1gP5m86Gn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49694 version: TLS 1.2

Source: M1gP5m86Gn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060412 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today) : 192.168.2.6:63415 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060416 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life) : 192.168.2.6:51732 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060545 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hardswarehub .today) : 192.168.2.6:65257 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060530 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (codxefusion .top) : 192.168.2.6:55181 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060565 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techmindzs .live) : 192.168.2.6:64277 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techspherxe .top) : 192.168.2.6:50052 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (codxefusion .top in TLS SNI) : 192.168.2.6:49695 -> 104.21.69.194:443
Source: Network traffic	Suricata IDS: 2060542 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hardrwarehaven .run) : 192.168.2.6:51154 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060538 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gadgethgfub .icu) : 192.168.2.6:57995 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.6:49696 -> 172.67.214.226:443
Source: Network traffic	Suricata IDS: 2060570 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI) : 192.168.2.6:49697 -> 172.67.214.226:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hardswarehub.today
Source: Malware configuration extractor	URLs: gadgethgfub.icu
Source: Malware configuration extractor	URLs: hardrwarehaven.run
Source: Malware configuration extractor	URLs: techmindzs.live
Source: Malware configuration extractor	URLs: codxefusion.top
Source: Malware configuration extractor	URLs: quietswtreams.life
Source: Malware configuration extractor	URLs: techspherxe.top

Source: Joe Sandbox View	IP Address: 104.73.234.102 104.73.234.102
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49694 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49695 -> 104.21.69.194:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49699 -> 104.73.234.102:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49696 -> 172.67.214.226:443

Source: global traffic

HTTP traffic detected: GET /socialsscesforum HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: t.me

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: socialsscesforum.icu
Source: global traffic	DNS traffic detected: DNS query: hardswarehub.today
Source: global traffic	DNS traffic detected: DNS query: gadgethgfub.icu
Source: global traffic	DNS traffic detected: DNS query: hardrwarehaven.run
Source: global traffic	DNS traffic detected: DNS query: techmindzs.live
Source: global traffic	DNS traffic detected: DNS query: codxefusion.top
Source: global traffic	DNS traffic detected: DNS query: quietswtreams.life
Source: global traffic	DNS traffic detected: DNS query: techspherxe.top
Source: global traffic	DNS traffic detected: DNS query: earthsymphzony.today
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codxefusion.top/
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://earthsymphzony.today/
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://earthsymphzony.today/C
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://earthsymphzony.today/apip
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://earthsymphzony.today/h
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://earthsymphzony.today/u
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://earthsymphzony.today:443/api
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gadgethgfub.icu/api
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp, M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://quietswtreams.life/
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://quietswtreams.life/api
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://quietswtreams.life/x
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://quietswtreams.life:443/api
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://socialsscesforum.icu/
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/cj
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.00000000017E6000.00000004.00000020.00020000.00000000.sdmp, M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128#j#
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128.36
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.00000000017DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp, M1gP5m86Gn.exe, 00000000.00000002.1385375818.00000000017DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/socialsscesforum
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.00000000017DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/socialsscesforumo
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techspherxe.top/api
Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://techspherxe.top/e/
Source: M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://techspherxe.top:443/api

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49694 version: TLS 1.2

Source: M1gP5m86Gn.exe, 00000000.00000000.1290406336.00000000013D1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCodeBridge.exeH vs M1gP5m86Gn.exe
Source: M1gP5m86Gn.exe, 00000000.00000003.1321837178.00000000030D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodeBridge.exeH vs M1gP5m86Gn.exe
Source: M1gP5m86Gn.exe	Binary or memory string: OriginalFilenameCodeBridge.exeH vs M1gP5m86Gn.exe

Source: M1gP5m86Gn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.winEXE@1/0@12/4

Source: M1gP5m86Gn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\M1gP5m86Gn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: M1gP5m86Gn.exe	ReversingLabs: Detection: 83%
Source: M1gP5m86Gn.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\M1gP5m86Gn.exe

File read: C:\Users\user\Desktop\M1gP5m86Gn.exe

Jump to behavior

Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: fswwa.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\M1gP5m86Gn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: M1gP5m86Gn.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: M1gP5m86Gn.exe

Static file information: File size 7974400 > 1048576

Source: M1gP5m86Gn.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x76de00

Source: M1gP5m86Gn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: M1gP5m86Gn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\M1gP5m86Gn.exe TID: 7632

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp, M1gP5m86Gn.exe, 00000000.00000002.1385375818.00000000017DE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\M1gP5m86Gn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
M1gP5m86Gn.exe	83%	ReversingLabs	Win32.Spyware.Lummastealer
M1gP5m86Gn.exe	77%	Virustotal		Browse
M1gP5m86Gn.exe	100%	Avira	TR/AD.Nekark.sbdyl

Source	Detection	Scanner	Label
https://techspherxe.top/e/	100%	Avira URL Cloud	malware
https://earthsymphzony.today/C	100%	Avira URL Cloud	malware
https://earthsymphzony.today:443/api	100%	Avira URL Cloud	malware
https://techspherxe.top:443/api	100%	Avira URL Cloud	malware
https://techspherxe.top/api	100%	Avira URL Cloud	malware
https://socialsscesforum.icu/	100%	Avira URL Cloud	malware
https://quietswtreams.life/api	100%	Avira URL Cloud	malware
https://earthsymphzony.today/apip	100%	Avira URL Cloud	malware
https://codxefusion.top/	100%	Avira URL Cloud	malware
https://quietswtreams.life:443/api	100%	Avira URL Cloud	malware
https://gadgethgfub.icu/api	100%	Avira URL Cloud	malware
https://earthsymphzony.today/u	100%	Avira URL Cloud	malware
https://earthsymphzony.today/	100%	Avira URL Cloud	malware
https://quietswtreams.life/	100%	Avira URL Cloud	malware
https://earthsymphzony.today/h	100%	Avira URL Cloud	malware
https://quietswtreams.life/x	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
techspherxe.top	172.67.214.226	true	false	high
codxefusion.top	104.21.69.194	true	false	high
steamcommunity.com	104.73.234.102	true	false	high
t.me	149.154.167.99	true	false	high
quietswtreams.life	unknown	unknown	false	high
earthsymphzony.today	unknown	unknown	false	high
hardswarehub.today	unknown	unknown	false	high
socialsscesforum.icu	unknown	unknown	false	unknown
techmindzs.live	unknown	unknown	true	unknown
gadgethgfub.icu	unknown	unknown	false	high
hardrwarehaven.run	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
techmindzs.live	false	high
gadgethgfub.icu	false	high
quietswtreams.life	false	high
techspherxe.top	false	high
https://t.me/socialsscesforum	false	high
hardswarehub.today	false	high
hardrwarehaven.run	false	high
codxefusion.top	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://techspherxe.top/e/	M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://earthsymphzony.today/C	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/	M1gP5m86Gn.exe, 00000000.00000002.1385375818.00000000017DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://techspherxe.top/api	M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://techspherxe.top:443/api	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199822375128	M1gP5m86Gn.exe, 00000000.00000002.1385375818.00000000017E6000.00000004.00000020.00020000.00000000.sdmp, M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codxefusion.top/	M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/cj	M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199822375128.36	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://earthsymphzony.today:443/api	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://quietswtreams.life/api	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com:443/profiles/76561199822375128	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199822375128#j#	M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://socialsscesforum.icu/	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://earthsymphzony.today/apip	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/socialsscesforumo	M1gP5m86Gn.exe, 00000000.00000002.1385375818.00000000017DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://quietswtreams.life:443/api	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038FC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://gadgethgfub.icu/api	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://earthsymphzony.today/	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://earthsymphzony.today/u	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/	M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://quietswtreams.life/	M1gP5m86Gn.exe, 00000000.00000002.1385375818.000000000180B000.00000004.00000020.00020000.00000000.sdmp, M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://quietswtreams.life/x	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://earthsymphzony.today/h	M1gP5m86Gn.exe, 00000000.00000002.1385604748.00000000038D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.214.226	techspherxe.top	United States	13335	CLOUDFLARENETUS	false
104.21.69.194	codxefusion.top	United States	13335	CLOUDFLARENETUS	false
104.73.234.102	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636343
Start date and time:	2025-03-12 17:03:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	M1gP5m86Gn.exe renamed because original name is a hash value
Original Sample Name:	dfa2ab0714c9f234b63fd1295ce468bd247465701a90b8a9ab9eb3d6d032d258.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@1/0@12/4
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:04:33	API Interceptor	4x Sleep call for process: M1gP5m86Gn.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.214.226	nogtpjadthaw.exe	Get hash	malicious	LummaC Stealer	Browse
104.21.69.194	IFwhIemq7R.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, zgRAT	Browse
104.21.69.194	fuck122112.exe	Get hash	malicious	LummaC Stealer	Browse
104.73.234.102	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse
	jthkadktjhja.exe	Get hash	malicious	LummaC Stealer	Browse
	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.1567.5483.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	download.php.exe.bin.exe	Get hash	malicious	Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	FORTNITE_MOD_MENU.exe	Get hash	malicious	LummaC Stealer	Browse
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse
	Arly.exe	Get hash	malicious	LummaC Stealer	Browse
149.154.167.99	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	telegram.org/img/emoji/40/F09F9889.png
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	ca703fd579bbcee73544b9b37f8a6469.bin.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	kumori.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	TEDGRQXB.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Nexol.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	YuQuLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	publicpublicpublic.xll.ps1	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
techspherxe.top	nogtpjadthaw.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.214.226
	mQRr8Rkorf.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	172.67.214.226
	T0QdO0l.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.172
steamcommunity.com	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	92.122.104.90
	Nexol.exe	Get hash	malicious	LummaC Stealer	Browse	23.210.122.61
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	nogtpjadthaw.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	jthkadktjhja.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	mvtijadjtrhawd.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	jthkadktjhja.exe	Get hash	malicious	LummaC Stealer	Browse	23.197.127.21
	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
	SecuriteInfo.com.Win32.MalwareX-gen.1567.5483.exe	Get hash	malicious	LummaC Stealer	Browse	104.73.234.102
codxefusion.top	nogtpjadthaw.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.212.102
	fuck122112.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.69.194
	cronikxqqq.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.212.102
	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	104.21.69.194

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	ca703fd579bbcee73544b9b37f8a6469.bin.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	WizClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	kumori.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEDGRQXB.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Nexol.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	#U0420#U0430#U0442#U043a#U0430.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	https://nr.chadwickbarros.cl/	Get hash	malicious	Unknown	Browse	149.154.167.220
CLOUDFLARENETUS	svchost.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	Cherokee Brick_Vnote_GUHFIOE.svg	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.25.14
	https://insprocks.com/Insprock289.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	Play_VM-NowPhishingAudiowav011.html	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://my.audinate.com/system/files/release-gated/DanteController-4.14.2.1_windows.exe	Get hash	malicious	Unknown	Browse	104.26.5.38
	Play_VM-NowSpammerlameAudiowav011.html	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://tfxluum7zobs.dippitydo.net?nczk=amFtaWUuYmVkbmFyQGNvdGVycmEuY29t	Get hash	malicious	Unknown	Browse	104.18.95.41
	ATT09550.svg	Get hash	malicious	HTMLPhisher	Browse	172.67.158.181
	_BACS-PaymentReceipt11-PaymentConfirmation-10.htm	Get hash	malicious	Unknown	Browse	104.21.89.218
	http://chromewebb.com	Get hash	malicious	Unknown	Browse	104.17.25.14
AKAMAI-ASUS	40 TC02.docx	Get hash	malicious	Unknown	Browse	23.60.203.209
	http://americanlibertywatch.com	Get hash	malicious	Unknown	Browse	2.19.100.239
	https://fub.direct/1/PuarxmDlLw5n8ijdKl9HKODPZsVqUALxgrby4SKLG2MH97VUT8TKqN1Xrn2npxT-7HSwoBuyJCGuzeeEpdOtnA/https/ator.com.mx/g63a0/	Get hash	malicious	ScreenConnect Tool	Browse	23.60.203.209
	https://na4.docusign.net/Signing/EmailStart.aspx?a=98613b3e-4358-4628-9b7d-41ec67471533&acct=c0dc35b2-63fe-4f1c-a73a-e32c0fbf9ad5&er=57612189-98c9-4115-b187-cb70a302a3ee	Get hash	malicious	Unknown	Browse	2.16.202.57
	.svg	Get hash	malicious	HTMLPhisher	Browse	92.123.12.11
	resgod.mips.elf	Get hash	malicious	Mirai	Browse	104.78.21.167
	ATT48234.svg	Get hash	malicious	HTMLPhisher	Browse	92.123.12.139
	Tetrix.exe	Get hash	malicious	Unknown	Browse	23.206.208.172
	Tetrix.exe	Get hash	malicious	Unknown	Browse	23.206.208.172
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	92.122.104.90
CLOUDFLARENETUS	svchost.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	Cherokee Brick_Vnote_GUHFIOE.svg	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.25.14
	https://insprocks.com/Insprock289.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	Play_VM-NowPhishingAudiowav011.html	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://my.audinate.com/system/files/release-gated/DanteController-4.14.2.1_windows.exe	Get hash	malicious	Unknown	Browse	104.26.5.38
	Play_VM-NowSpammerlameAudiowav011.html	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	104.17.25.14
	https://tfxluum7zobs.dippitydo.net?nczk=amFtaWUuYmVkbmFyQGNvdGVycmEuY29t	Get hash	malicious	Unknown	Browse	104.18.95.41
	ATT09550.svg	Get hash	malicious	HTMLPhisher	Browse	172.67.158.181
	_BACS-PaymentReceipt11-PaymentConfirmation-10.htm	Get hash	malicious	Unknown	Browse	104.21.89.218
	http://chromewebb.com	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.17087.14702.xlsx	Get hash	malicious	Unknown	Browse	149.154.167.99
	ca703fd579bbcee73544b9b37f8a6469.bin.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	kumori.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	149.154.167.99
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	149.154.167.99
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	149.154.167.99
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Nexol.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.852022474951185
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	M1gP5m86Gn.exe
File size:	7'974'400 bytes
MD5:	accdbd5044408c82c19c977829713e4f
SHA1:	070a001ac12139cc1238017d795a2b43ac52770d
SHA256:	dfa2ab0714c9f234b63fd1295ce468bd247465701a90b8a9ab9eb3d6d032d258
SHA512:	34fe4ec1307e7d45080b6e0fb093eb8f1d43fb71a3e3411e32a5798f9cacc69ea1b82d56fcf9e503dd22c51e9af92fde7c149ac5882af4daab5c3cb906cdeb85
SSDEEP:	98304:fYRhnYdlvIib45D+ZicbrZRutIvD0wi9Q1Tjr+RTO7EC5pqQ5eoQQMgX3Q6jEd8O:5H8QK2GcJL
TLSH:	76866260D0179442E9D2387C9B403ADAF42A28F62E574970760E7E2CFC99918E7F9F17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7...s...s...s...b...r...8...v...s...o.......r.....k.r.......r...Richs...................PE..L......g...............+..v........

File Icon


Icon Hash:	0f2b397453112b0f

Static PE Info

General

Entrypoint:	0x4014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C510AF [Mon Mar 3 02:15:11 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2b3730cda46affc8837a7df18591704a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000418h
call 00007F60A87B88E7h
movzx eax, al
test eax, eax
jne 00007F60A87B889Bh
push 00000001h
call dword ptr [00B6F028h]
nop
call 00007F60A87B8542h
push 00000104h
lea ecx, dword ptr [ebp-0000020Ch]
push ecx
push 00000000h
call dword ptr [00B6F038h]
lea edx, dword ptr [ebp-00000418h]
push edx
push 00000104h
call dword ptr [00B6F008h]
call 00007F60A87CC6B7h
push 00000001h
call dword ptr [00B6F028h]
nop
mov esp, ebp
pop ebp
retn 0010h
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 2Ch
lea eax, dword ptr [ebp-2Ch]
push eax
call dword ptr [00B6F02Ch]
mov ecx, dword ptr [ebp-18h]
mov dword ptr [ebp-04h], ecx
cmp dword ptr [ebp-04h], 02h
jnc 00007F60A87B8896h
xor al, al
jmp 00007F60A87B88E3h
push 00B6F078h
push 00B6F088h
call dword ptr [00B6F03Ch]
push eax
call dword ptr [00B6F040h]
test eax, eax
je 00007F60A87B8896h
xor al, al
jmp 00007F60A87B88C4h
push 00B6F0A4h
call dword ptr [00B6F044h]
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], 00000000h
je 00007F60A87B8896h
xor al, al
jmp 00007F60A87B88ACh
push 000007D0h
call 00007F60A87B85A4h
add esp, 04h
movzx edx, al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x76f214	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x771000	0x2b4b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x79d000	0xcbc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x76f0b8	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x76f000	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x76dd2b	0x76de00	f1cb89fa5c9e46045f02e8c15276e5e6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x76f000	0x4d6	0x600	feca90569e92c8e8352a08729f6e2a54	False	0.4537760416666667	data	4.3084225799617855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x770000	0x50	0x200	a6ce571490641746fab3ed64bebe94ea	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x771000	0x2b4b0	0x2b600	f24ea25e3a9c418791d2c53d4feebfcd	False	0.13140534942363113	data	4.41940658954128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x79d000	0xcbc	0xe00	ea896715c57611e7b02ea0df87211b1c	False	0.47293526785714285	data	3.89339994868857	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x772f20	0x13e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9901729559748428
RT_ICON	0x774300	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.04153850703892109
RT_ICON	0x784b28	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.07649253731343283
RT_ICON	0x78dfd0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.09658040665434381
RT_ICON	0x793458	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.08904109589041095
RT_ICON	0x797680	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.15435684647302905
RT_ICON	0x799c28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.1925422138836773
RT_ICON	0x79acd0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.3094262295081967
RT_ICON	0x79b658	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4370567375886525
RT_MENU	0x771630	0x274	data	0.5509554140127388
RT_MENU	0x7718a8	0x368	data	0.551605504587156
RT_MENU	0x771c10	0x416	data	0.5296367112810707
RT_MENU	0x772028	0x288	data	0.5694444444444444
RT_MENU	0x7722b0	0x2c6	Matlab v4 mat-file (little endian) Y, numeric, rows 5242896, columns 7340119, imaginary	0.5535211267605634
RT_MENU	0x772578	0x300	data	0.5455729166666666
RT_MENU	0x772878	0x2f0	data	0.5558510638297872
RT_MENU	0x772b68	0x1d6	data	0.6063829787234043
RT_DIALOG	0x772d40	0x114	data	0.7282608695652174
RT_STRING	0x79bff0	0x92	data	0.7465753424657534
RT_STRING	0x79c088	0x17e	data	0.6596858638743456
RT_STRING	0x79c208	0x1a2	data	0.6435406698564593
RT_STRING	0x79c3b0	0xfa	data	0.676
RT_ACCELERATOR	0x772e58	0x30	data	0.8958333333333334
RT_ACCELERATOR	0x772e88	0x20	data	1.0625
RT_ACCELERATOR	0x772ea8	0x20	data	1.0625
RT_ACCELERATOR	0x772ec8	0x28	data	0.925
RT_ACCELERATOR	0x772ef0	0x30	data	0.8958333333333334
RT_GROUP_ICON	0x79bac0	0x84	data	0.7272727272727273
RT_VERSION	0x79bb48	0x4a4	data	0.4057239057239057

Imports

DLL	Import
KERNEL32.dll	GetCommandLineA, GetEnvironmentStringsW, GetTempPathW, GetLastError, HeapAlloc, HeapFree, GetProcessHeap, SetCriticalSectionSpinCount, Sleep, GetCurrentProcess, ExitProcess, GetSystemInfo, GetVersion, GetTickCount, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, LoadLibraryW, GlobalAlloc, GlobalFree, MultiByteToWideChar, ConvertDefaultLocale
USER32.dll	IsWindowVisible, GetWindowContextHelpId, MessageBoxA, GetWindowLongW, IsDialogMessageW, RegisterClassW

Version Infos

Description	Data
Comments	This program's analytics tools provide valuable insights into my performance
CompanyName	TechSphere Enterprises Technologies.
FileDescription	This program's analytics tools provide valuable insights into my performance
FileVersion	9.1.22.897
InternalName	TaskForgeApp
LegalCopyright	Copyright (C) 2022-2025 by TechSphere Enterprises Technologies.
OriginalFilename	CodeBridge.exe
ProductName	Task Manager DeLuxe
ProductVersion	9.1.22.897
Translation	0x0409 0x04b0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-12T17:04:21.278822+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49699	104.73.234.102	443	TCP
2025-03-12T17:04:21.278822+0100	2060570	ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI)	1	192.168.2.6	49696	172.67.214.226	443	TCP
2025-03-12T17:04:21.278822+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49696	172.67.214.226	443	TCP
2025-03-12T17:04:21.278822+0100	2060570	ET MALWARE Observed Win32/Lumma Stealer Related Domain (techspherxe .top in TLS SNI)	1	192.168.2.6	49697	172.67.214.226	443	TCP
2025-03-12T17:04:32.359649+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49694	149.154.167.99	443	TCP
2025-03-12T17:04:33.583307+0100	2060545	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hardswarehub .today)	1	192.168.2.6	65257	1.1.1.1	53	UDP
2025-03-12T17:04:33.597605+0100	2060538	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gadgethgfub .icu)	1	192.168.2.6	57995	1.1.1.1	53	UDP
2025-03-12T17:04:33.611026+0100	2060542	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hardrwarehaven .run)	1	192.168.2.6	51154	1.1.1.1	53	UDP
2025-03-12T17:04:33.621704+0100	2060565	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techmindzs .live)	1	192.168.2.6	64277	1.1.1.1	53	UDP
2025-03-12T17:04:33.633705+0100	2060530	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (codxefusion .top)	1	192.168.2.6	55181	1.1.1.1	53	UDP
2025-03-12T17:04:34.185170+0100	2060531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (codxefusion .top in TLS SNI)	1	192.168.2.6	49695	104.21.69.194	443	TCP
2025-03-12T17:04:34.185170+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49695	104.21.69.194	443	TCP
2025-03-12T17:04:34.189070+0100	2060416	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life)	1	192.168.2.6	51732	1.1.1.1	53	UDP
2025-03-12T17:04:34.201006+0100	2060568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techspherxe .top)	1	192.168.2.6	50052	1.1.1.1	53	UDP
2025-03-12T17:04:35.209819+0100	2060568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (techspherxe .top)	1	192.168.2.6	50052	1.1.1.1	53	UDP
2025-03-12T17:04:36.328902+0100	2060412	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today)	1	192.168.2.6	63415	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 17:04:30.253824949 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:30.253876925 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:30.253947973 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:30.257812023 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:30.257837057 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:32.359585047 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:32.359648943 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:32.381828070 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:32.381838083 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:32.382039070 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:32.435075045 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:32.707916021 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:32.748367071 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557496071 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557518959 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557526112 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557544947 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557554007 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557578087 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:33.557581902 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557599068 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557611942 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.557641983 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:33.557667017 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:33.560419083 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:33.560425043 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.560444117 CET	49694	443	192.168.2.6	149.154.167.99
Mar 12, 2025 17:04:33.560448885 CET	443	49694	149.154.167.99	192.168.2.6
Mar 12, 2025 17:04:33.646728992 CET	49695	443	192.168.2.6	104.21.69.194
Mar 12, 2025 17:04:33.646760941 CET	443	49695	104.21.69.194	192.168.2.6
Mar 12, 2025 17:04:33.646837950 CET	49695	443	192.168.2.6	104.21.69.194
Mar 12, 2025 17:04:33.647176027 CET	49695	443	192.168.2.6	104.21.69.194
Mar 12, 2025 17:04:33.647192955 CET	443	49695	104.21.69.194	192.168.2.6
Mar 12, 2025 17:04:34.185169935 CET	49695	443	192.168.2.6	104.21.69.194
Mar 12, 2025 17:04:35.415209055 CET	49696	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:35.415246010 CET	443	49696	172.67.214.226	192.168.2.6
Mar 12, 2025 17:04:35.415317059 CET	49696	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:35.415662050 CET	49696	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:35.415678024 CET	443	49696	172.67.214.226	192.168.2.6
Mar 12, 2025 17:04:36.324410915 CET	443	49696	172.67.214.226	192.168.2.6
Mar 12, 2025 17:04:36.324955940 CET	49697	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:36.324987888 CET	443	49697	172.67.214.226	192.168.2.6
Mar 12, 2025 17:04:36.325062990 CET	49697	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:36.325930119 CET	49697	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:36.325942993 CET	443	49697	172.67.214.226	192.168.2.6
Mar 12, 2025 17:04:36.326447964 CET	443	49697	172.67.214.226	192.168.2.6
Mar 12, 2025 17:04:36.326782942 CET	49698	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:36.326798916 CET	443	49698	172.67.214.226	192.168.2.6
Mar 12, 2025 17:04:36.326859951 CET	49698	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:36.327536106 CET	49698	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:36.327568054 CET	443	49698	172.67.214.226	192.168.2.6
Mar 12, 2025 17:04:36.327625036 CET	49698	443	192.168.2.6	172.67.214.226
Mar 12, 2025 17:04:36.349157095 CET	49699	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.349183083 CET	443	49699	104.73.234.102	192.168.2.6
Mar 12, 2025 17:04:36.349256992 CET	49699	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.349512100 CET	49699	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.349531889 CET	443	49699	104.73.234.102	192.168.2.6
Mar 12, 2025 17:04:36.349937916 CET	443	49699	104.73.234.102	192.168.2.6
Mar 12, 2025 17:04:36.350300074 CET	49700	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.350331068 CET	443	49700	104.73.234.102	192.168.2.6
Mar 12, 2025 17:04:36.350392103 CET	49700	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.350653887 CET	49700	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.350668907 CET	443	49700	104.73.234.102	192.168.2.6
Mar 12, 2025 17:04:36.351015091 CET	443	49700	104.73.234.102	192.168.2.6
Mar 12, 2025 17:04:36.351310015 CET	49701	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.351324081 CET	443	49701	104.73.234.102	192.168.2.6
Mar 12, 2025 17:04:36.351450920 CET	49701	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.351512909 CET	49701	443	192.168.2.6	104.73.234.102
Mar 12, 2025 17:04:36.351527929 CET	443	49701	104.73.234.102	192.168.2.6
Mar 12, 2025 17:04:36.351568937 CET	49701	443	192.168.2.6	104.73.234.102

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 17:04:30.226650953 CET	49725	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:30.233383894 CET	53	49725	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:33.566355944 CET	52045	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:33.577639103 CET	53	52045	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:33.583307028 CET	65257	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:33.595252037 CET	53	65257	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:33.597604990 CET	57995	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:33.608712912 CET	53	57995	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:33.611026049 CET	51154	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:33.619754076 CET	53	51154	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:33.621704102 CET	64277	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:33.631753922 CET	53	64277	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:33.633704901 CET	55181	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:33.646111012 CET	53	55181	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:34.189069986 CET	51732	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:34.198514938 CET	53	51732	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:34.201005936 CET	50052	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:35.209819078 CET	50052	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:35.413199902 CET	53	50052	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:35.423259974 CET	53	50052	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:36.328902006 CET	63415	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:36.337958097 CET	53	63415	1.1.1.1	192.168.2.6
Mar 12, 2025 17:04:36.339066982 CET	61382	53	192.168.2.6	1.1.1.1
Mar 12, 2025 17:04:36.348562956 CET	53	61382	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 12, 2025 17:04:30.226650953 CET	192.168.2.6	1.1.1.1	0xab38	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.566355944 CET	192.168.2.6	1.1.1.1	0xff07	Standard query (0)	socialsscesforum.icu	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.583307028 CET	192.168.2.6	1.1.1.1	0xf6ea	Standard query (0)	hardswarehub.today	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.597604990 CET	192.168.2.6	1.1.1.1	0x8782	Standard query (0)	gadgethgfub.icu	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.611026049 CET	192.168.2.6	1.1.1.1	0x211e	Standard query (0)	hardrwarehaven.run	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.621704102 CET	192.168.2.6	1.1.1.1	0xdadc	Standard query (0)	techmindzs.live	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.633704901 CET	192.168.2.6	1.1.1.1	0x744a	Standard query (0)	codxefusion.top	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:34.189069986 CET	192.168.2.6	1.1.1.1	0x7a5c	Standard query (0)	quietswtreams.life	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:34.201005936 CET	192.168.2.6	1.1.1.1	0xc36	Standard query (0)	techspherxe.top	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:35.209819078 CET	192.168.2.6	1.1.1.1	0xc36	Standard query (0)	techspherxe.top	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:36.328902006 CET	192.168.2.6	1.1.1.1	0xc040	Standard query (0)	earthsymphzony.today	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:36.339066982 CET	192.168.2.6	1.1.1.1	0x9a3b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 12, 2025 17:04:30.233383894 CET	1.1.1.1	192.168.2.6	0xab38	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.577639103 CET	1.1.1.1	192.168.2.6	0xff07	Name error (3)	socialsscesforum.icu	none	none	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.595252037 CET	1.1.1.1	192.168.2.6	0xf6ea	Name error (3)	hardswarehub.today	none	none	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.608712912 CET	1.1.1.1	192.168.2.6	0x8782	Name error (3)	gadgethgfub.icu	none	none	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.619754076 CET	1.1.1.1	192.168.2.6	0x211e	Name error (3)	hardrwarehaven.run	none	none	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.631753922 CET	1.1.1.1	192.168.2.6	0xdadc	Name error (3)	techmindzs.live	none	none	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.646111012 CET	1.1.1.1	192.168.2.6	0x744a	No error (0)	codxefusion.top		104.21.69.194	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:33.646111012 CET	1.1.1.1	192.168.2.6	0x744a	No error (0)	codxefusion.top		172.67.212.102	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:34.198514938 CET	1.1.1.1	192.168.2.6	0x7a5c	Name error (3)	quietswtreams.life	none	none	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:35.413199902 CET	1.1.1.1	192.168.2.6	0xc36	No error (0)	techspherxe.top		172.67.214.226	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:35.413199902 CET	1.1.1.1	192.168.2.6	0xc36	No error (0)	techspherxe.top		104.21.16.172	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:35.423259974 CET	1.1.1.1	192.168.2.6	0xc36	No error (0)	techspherxe.top		172.67.214.226	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:35.423259974 CET	1.1.1.1	192.168.2.6	0xc36	No error (0)	techspherxe.top		104.21.16.172	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:36.337958097 CET	1.1.1.1	192.168.2.6	0xc040	Name error (3)	earthsymphzony.today	none	none	A (IP address)	IN (0x0001)	false
Mar 12, 2025 17:04:36.348562956 CET	1.1.1.1	192.168.2.6	0x9a3b	No error (0)	steamcommunity.com		104.73.234.102	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49694	149.154.167.99	443	7532	C:\Users\user\Desktop\M1gP5m86Gn.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 16:04:32 UTC	195	OUT	GET /socialsscesforum HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: t.me
2025-03-12 16:04:33 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 12 Mar 2025 16:04:32 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12447 Connection: close Set-Cookie: stel_ssid=b65726e001036d7b60_1282171109530161900; expires=Thu, 13 Mar 2025 16:04:32 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-03-12 16:04:33 UTC	12447	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 73 6f 63 69 61 6c 73 73 63 65 73 66 6f 72 75 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @socialsscesforum</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){win

Target ID:	0
Start time:	12:04:26
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\M1gP5m86Gn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\M1gP5m86Gn.exe"
Imagebase:	0xc60000
File size:	7'974'400 bytes
MD5 hash:	ACCDBD5044408C82C19C977829713E4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1385228681.000000000173E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report M1gP5m86Gn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Windows Analysis Report
M1gP5m86Gn.exe