Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe
Overview
General Information
Detection
LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe (PID: 7872 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe" MD5: F30E34C685FE30CD96083E650FCB70F1)
- cleanup
No configs have been found
Rule | Description | Author |
---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-17T04:17:06.007957+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49720 | 149.154.167.99 | 443 | TCP |
2025-03-17T04:17:06.763933+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49721 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:08.533959+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49722 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:09.801771+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49723 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:10.894017+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49724 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:12.355119+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:13.641728+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49728 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:16.094731+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
AV Detection
System Summary
Data Obfuscation
Malware Analysis System Evasion
Anti Debugging
Stealing of Sensitive Information
Remote Access Functionality
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | 41 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 11 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 41 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 78% | ReversingLabs | Win32.Trojan.LummaStealer | |
| 64% | Virustotal | | |
| 100% | Avira | HEUR/AGEN.1314134 | |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
t.me | 149.154.167.99 | true | false | high |
caliberc.life | 104.21.48.1 | true | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
| false | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.21.48.1 | caliberc.life | United States | | 13335 | CLOUDFLARENETUS | false |
149.154.167.99 | t.me | United Kingdom | | 62041 | TELEGRAMRU | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1640295 |
Start date and time: | 2025-03-17 04:16:10 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@1/0@2/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.12.23.50
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
23:17:05 | API Interceptor | |
Match | Detection | Threat Name |
---|---|---|
104.21.48.1 | malicious | DBatLoader, FormBook |
104.21.48.1 | malicious | FormBook, GuLoader |
104.21.48.1 | malicious | FormBook |
104.21.48.1 | malicious | FormBook |
104.21.48.1 | malicious | FormBook |
104.21.48.1 | malicious | Lokibot |
104.21.48.1 | malicious | FormBook |
104.21.48.1 | malicious | Lokibot |
104.21.48.1 | malicious | Lokibot |
104.21.48.1 | malicious | HTMLPhisher |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Unknown |
149.154.167.99 | malicious | Cinoshi Stealer |
Match | Detection | Threat Name |
---|---|---|
t.me | malicious | Unknown |
t.me | malicious | Vidar |
t.me | malicious | LummaC Stealer |
t.me | malicious | Vidar |
t.me | malicious | LummaC Stealer |
t.me | malicious | LummaC Stealer |
t.me | malicious | LummaC Stealer, RHADAMANTHYS |
t.me | malicious | LummaC Stealer |
t.me | malicious | LummaC Stealer |
t.me | malicious | LummaC Stealer |
Match | Detection | Threat Name |
---|---|---|
TELEGRAMRU | malicious | Unknown |
TELEGRAMRU | malicious | Vidar |
TELEGRAMRU | malicious | DCRat, PureLog Stealer, zgRAT |
TELEGRAMRU | malicious | DCRat, PureLog Stealer, zgRAT |
TELEGRAMRU | malicious | Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, Stealc, Vidar |
TELEGRAMRU | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer |
TELEGRAMRU | malicious | Unknown |
TELEGRAMRU | malicious | Unknown |
TELEGRAMRU | malicious | LummaC Stealer |
TELEGRAMRU | malicious | Python Stealer, Braodo |
CLOUDFLARENETUS | malicious | Globeimposter |
CLOUDFLARENETUS | malicious | Mirai |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | MSIL Logger, MassLogger RAT |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | MSIL Logger, MassLogger RAT |
CLOUDFLARENETUS | malicious | MSIL Logger, MassLogger RAT |
Match | Detection | Threat Name |
---|---|---|
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | GhostRat, Mimikatz, Nitol |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Latrodectus, LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | Unknown |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | LummaC Stealer |
a0e9f5d64349fb13191bc781f81f42e1 | malicious | CobaltStrike |
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 7.988384234072992 |
TrID: | |
File name: | SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
File size: | 1'315'328 bytes |
MD5: | f30e34c685fe30cd96083e650fcb70f1 |
SHA1: | 82664dc39ac325151d4dda923b54585e8ebccee9 |
SHA256: | 210df8c2bdf091c680e289d7fb9d8ffd90044f5995e08cc5bc94d55865d793b1 |
SHA512: | 5356a4002da934e228e7de3d3e6ddb97a1c88683aae65fd6492899a5f4a538c5e0699068e56790e5165911b7e54b2831236c76f9491d4bfa17cbc140f5763227 |
SSDEEP: | 24576:HfOM1rXq19WPe7p3p4QvBmF2tBl5wisq3ubb1M4C5+fTCPee0ol37RReGak:HfOM1re/CQUgldf3U1MFQQrcS |
TLSH: | 60553328E005912BFBE334354696BEF03E7A4F323179906D9D6DC5A98A91015AFB1F33 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.g.............................5............@...........................<...........@................................. `..... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x4035e7 |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x67D03415 [Tue Mar 11 13:01:09 2025 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 71cc5af9daad65e58c6f29c42cdf9201 |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFF0h |
mov eax, 00401000h |
call 00007FAD40800506h |
call far 5DE5h : 8B10C483h |
jmp 00007FAD40BC6E32h |
js 00007FAD40800533h |
sbb esp, dword ptr [ebp+61A248A0h] |
insd |
retf |
das |
arpl word ptr [ebp-2A6F86DAh], dx |
jno 00007FAD40800554h |
add eax, 4D01F7F6h |
push esi |
clc |
enter 63B1h, 02h |
mov cl, 3Bh |
xor dword ptr [ecx-50336360h], edx |
cmc |
inc ebx |
retf |
and byte ptr [esp+esi*2], 0000001Eh |
sub esp, ebp |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e6020 | 0x214 | .data |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e6000 | 0xc | .data |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
| 0x1000 | 0x51000 | 0x29a00 | 512d3d551597b7161629b58077fa8ec7 | False | 1.0003577796546546 | data | 7.99889700577149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| 0x52000 | 0x3000 | 0x1000 | b6717a02af6ebd7c55a864fa0986dad4 | False | 1.000732421875 | data | 7.941818540153546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| 0x55000 | 0xe000 | 0x3200 | 9516e05851c280d8032e974b8c014bfa | False | 0.97109375 | data | 7.913671463478191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| 0x63000 | 0x4000 | 0x2200 | 377010cf2de49560727dde4e9f4375aa | False | 1.0012637867647058 | data | 7.977822899513002 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| 0x67000 | 0x27f000 | 0x2ba00 | 4353c9737927d55ffc1958e9ef6c0c53 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.data | 0x2e6000 | 0xe6000 | 0xe5600 | 69370175886edcd5f78d434cab93ed41 | False | 0.9967387602179837 | data | 7.978649088354937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA |
user32.dll | MessageBoxA |
advapi32.dll | RegCloseKey |
oleaut32.dll | SysFreeString |
gdi32.dll | CreateFontA |
shell32.dll | ShellExecuteA |
version.dll | GetFileVersionInfoA |
ole32.dll | CoCreateInstance |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-17T04:17:06.007957+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49720 | 149.154.167.99 | 443 | TCP |
2025-03-17T04:17:06.763933+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49721 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:08.533959+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49722 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:09.801771+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49723 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:10.894017+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49724 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:12.355119+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49727 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:13.641728+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49728 | 104.21.48.1 | 443 | TCP |
2025-03-17T04:17:16.094731+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 17, 2025 04:17:05.359153032 CET | 58141 | 53 | 192.168.2.4 | 1.1.1.1 |
Mar 17, 2025 04:17:05.365916014 CET | 53 | 58141 | 1.1.1.1 | 192.168.2.4 |
Mar 17, 2025 04:17:06.290911913 CET | 58194 | 53 | 192.168.2.4 | 1.1.1.1 |
Mar 17, 2025 04:17:06.303128004 CET | 53 | 58194 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 17, 2025 04:17:05.359153032 CET | 192.168.2.4 | 1.1.1.1 | 0x5467 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Mar 17, 2025 04:17:06.290911913 CET | 192.168.2.4 | 1.1.1.1 | 0xfeca | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 17, 2025 04:17:05.365916014 CET | 1.1.1.1 | 192.168.2.4 | 0x5467 | No error (0) | 149.154.167.99 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 04:17:06.303128004 CET | 1.1.1.1 | 192.168.2.4 | 0xfeca | No error (0) | 104.21.48.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 04:17:06.303128004 CET | 1.1.1.1 | 192.168.2.4 | 0xfeca | No error (0) | 104.21.64.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 04:17:06.303128004 CET | 1.1.1.1 | 192.168.2.4 | 0xfeca | No error (0) | 104.21.32.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 04:17:06.303128004 CET | 1.1.1.1 | 192.168.2.4 | 0xfeca | No error (0) | 104.21.16.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 04:17:06.303128004 CET | 1.1.1.1 | 192.168.2.4 | 0xfeca | No error (0) | 104.21.96.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 04:17:06.303128004 CET | 1.1.1.1 | 192.168.2.4 | 0xfeca | No error (0) | 104.21.112.1 | A (IP address) | IN (0x0001) | false | ||
Mar 17, 2025 04:17:06.303128004 CET | 1.1.1.1 | 192.168.2.4 | 0xfeca | No error (0) | 104.21.80.1 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49720 | 149.154.167.99 | 443 | 7872 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 03:17:06 UTC | 67 | OUT | |
2025-03-17 03:17:06 UTC | 512 | IN | |
2025-03-17 03:17:06 UTC | 12409 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49721 | 104.21.48.1 | 443 | 7872 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 03:17:06 UTC | 265 | OUT | |
2025-03-17 03:17:06 UTC | 41 | OUT | |
2025-03-17 03:17:07 UTC | 776 | IN | |
2025-03-17 03:17:07 UTC | 593 | IN | |
2025-03-17 03:17:07 UTC | 1369 | IN | |
2025-03-17 03:17:07 UTC | 1369 | IN | |
2025-03-17 03:17:07 UTC | 1369 | IN | |
2025-03-17 03:17:07 UTC | 1369 | IN | |
2025-03-17 03:17:07 UTC | 1369 | IN | |
2025-03-17 03:17:07 UTC | 1369 | IN | |
2025-03-17 03:17:07 UTC | 1369 | IN | |
2025-03-17 03:17:07 UTC | 1369 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49722 | 104.21.48.1 | 443 | 7872 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 03:17:08 UTC | 284 | OUT | |
2025-03-17 03:17:08 UTC | 15331 | OUT | |
2025-03-17 03:17:08 UTC | 4285 | OUT | |
2025-03-17 03:17:09 UTC | 810 | IN | |
2025-03-17 03:17:09 UTC | 74 | IN | |
2025-03-17 03:17:09 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 49723 | 104.21.48.1 | 443 | 7872 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 03:17:09 UTC | 273 | OUT | |
2025-03-17 03:17:09 UTC | 8723 | OUT | |
2025-03-17 03:17:10 UTC | 808 | IN | |
2025-03-17 03:17:10 UTC | 74 | IN | |
2025-03-17 03:17:10 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 49724 | 104.21.48.1 | 443 | 7872 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 03:17:10 UTC | 276 | OUT | |
2025-03-17 03:17:10 UTC | 15331 | OUT | |
2025-03-17 03:17:10 UTC | 5055 | OUT | |
2025-03-17 03:17:11 UTC | 805 | IN | |
2025-03-17 03:17:11 UTC | 74 | IN | |
2025-03-17 03:17:11 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 49727 | 104.21.48.1 | 443 | 7872 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 03:17:12 UTC | 276 | OUT | |
2025-03-17 03:17:12 UTC | 2517 | OUT | |
2025-03-17 03:17:12 UTC | 811 | IN | |
2025-03-17 03:17:12 UTC | 74 | IN | |
2025-03-17 03:17:12 UTC | 5 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 49728 | 104.21.48.1 | 443 | 7872 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 03:17:13 UTC | 281 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:13 UTC | 15331 | OUT | |
2025-03-17 03:17:15 UTC | 272 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.4 | 49731 | 104.21.48.1 | 443 | 7872 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-17 03:17:16 UTC | 265 | OUT | |
2025-03-17 03:17:16 UTC | 79 | OUT | |
2025-03-17 03:17:16 UTC | 771 | IN | |
2025-03-17 03:17:16 UTC | 43 | IN |
Target ID: | 0 |
Start time: | 23:17:04 |
Start date: | 16/03/2025 |
Path: | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.24534.32219.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 1'315'328 bytes |
MD5 hash: | F30E34C685FE30CD96083E650FCB70F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Yara matches: | |
Reputation: | low |
Has exited: | true |