
Windows Analysis Report
bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe

Overview

General Information

Sample Name:bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe
Analysis ID:717227
MD5:4c22c20fd816c11a3670100a40ac9dc0
SHA1:19b937654065f5ee8baee95026f6ea7466ee2322
SHA256:f33a6585faa522f1f03b4bacbd77cb5adc0d1ad54223b89dc8f6ebb05edfe000

Detection

LummaC Stealer
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected LummaC Stealer
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Contains functionality to detect virtual machines (IN, VMware)
Uses 32bit PE files
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

  • System is w10x64
  • cleanup
{"C2 url": "http://evetesttech.net"}
Yara matches on the submitted sample

Source | Rule | Description | Author
bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x26674:$s1: JohnDoe
  • 0x2666c:$s2: HAL9TH

Yara matches on memory dumps

Source | Rule | Description | Author
00000000.00000002.247884434.00000000013E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
00000000.00000000.233236555.00000000013E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
00000000.00000000.239152017.00000000013E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
00000000.00000000.238633219.00000000013E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
Process Memory Space: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe PID: 5764 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

Yara matches on unpacked PEs

Source | Rule | Description | Author
0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.0.unpack | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x26674:$s1: JohnDoe
  • 0x2666c:$s2: HAL9TH
0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.1.unpack | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.1.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x26674:$s1: JohnDoe
  • 0x2666c:$s2: HAL9TH
0.2.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.0.unpack | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
No Snort rule has matched

                    AV Detection

Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | ReversingLabs: Detection: 76%
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Metadefender: Detection: 33%
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Virustotal: Detection: 65%
Source: http://evetesttech.net | Avira URL Cloud: Label: malware
Source: http://evetesttech.net/lib/sqlite3.dllMetaMasknkbihfbeogaeaoehlefnkodbefgpgknnTronLinkibnejdfjmmkpcn | Avira URL Cloud: Label: malware
Source: evetesttech.net | Virustotal: Detection: 15%
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Malware Configuration Extractor: LummaC {"C2 url": "http://evetesttech.net"}
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C3BCB CryptStringToBinaryA,CryptUnprotectData
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C98BE CryptStringToBinaryA
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C3C6D CryptUnprotectData
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\User\source\repos\LummaC\Release\LummaC.pdb | source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C4303 FindFirstFileA,__fread_nolock,FindNextFileA
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C9D14 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013D9C1B FindFirstFileExW
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C4E17 ExpandEnvironmentStringsW,lstrcatW,lstrcatW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,__fread_nolock,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW

                    Networking

Source: Malware configuration extractor | URLs: http://evetesttech.net
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | String found in binary or memory: http://evetesttech.net
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | String found in binary or memory: http://evetesttech.net/lib/sqlite3.dllMetaMasknkbihfbeogaeaoehlefnkodbefgpgknnTronLinkibnejdfjmmkpcn
Source: unknown | DNS traffic detected: queries for: evetesttech.net
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C5204 InternetOpenA,InternetOpenUrlA,InternetReadFile

                    System Summary

Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe, type: SAMPLE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.0.bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe.13c0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 1180
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C112D
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C91FF
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C89FB
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013E101E
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013D03B0
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013CE3E8
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C62E9
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013DED8D
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C858A
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C8427
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C6C73
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C54FA
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013C2722
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: 0_2_013CA6B7
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Code function: String function: 013CB030 appears 49 times
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | ReversingLabs: Detection: 76%
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Metadefender: Detection: 33%
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Virustotal: Detection: 65%
Source: bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 1180
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5764
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Command line argument: Chrome | 0_2_013C951A
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Command line argument: Chromium | 0_2_013C951A
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Command line argument: Edge | 0_2_013C951A
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Command line argument: Kometa | 0_2_013C951A
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Command line argument: Vivaldi | 0_2_013C951A
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Command line argument: Brave | 0_2_013C951A
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Command line argument: Firefox | 0_2_013C951A
Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f8671d358540201eb200f613fd80b62291f0_unpacked.exe | Command line argument: Waterfox | 0_2_013C951A
                    Source: C:\Users\user\Desktop\bfd72bdd4ab311acd0e05211cb01f86