Windows Analysis Report
lfY08S61Ig.exe

Overview

General Information

Sample name: lfY08S61Ig.exe (renamed because the original name is a hash value)
Original sample name: c33191b6acc759b04279cfe144307df5.exe
Analysis ID: 1434703
MD5: c33191b6acc759b04279cfe144307df5
SHA1: 5506845f558298c407fb5a18b20416708e3e6a25
SHA256: f5354184d3b3097f88065284fbe9570e5d9a72972ae5134f0b496dac18a6b713
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: lfY08S61Ig.exe Avira: detected
Source: 0.2.lfY08S61Ig.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "stiffraspyofkwsl.shop"], "Build id": "P6Mk0M--superstar"}
Source: lfY08S61Ig.exe ReversingLabs: Detection: 73%
Source: lfY08S61Ig.exe Virustotal: Detection: 53%
Source: lfY08S61Ig.exe Joe Sandbox ML: detected
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: boredimperissvieos.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: holicisticscrarws.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: sweetsquarediaslw.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: plaintediousidowsko.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: miniaturefinerninewjs.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: zippyfinickysofwps.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: obsceneclassyjuwks.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: acceptabledcooeprs.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: stiffraspyofkwsl.shop
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000003.1442680982.00000000036D0000.00000004.00001000.00020000.00000000.sdmp String decryptor: P6Mk0M--superstar

Compliance

Source: C:\Users\user\Desktop\lfY08S61Ig.exe Unpacked PE file: 0.2.lfY08S61Ig.exe.400000.0.unpack
Source: lfY08S61Ig.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\lfY08S61Ig.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.21.81.139:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: Binary string: ZvcC:\coyajoxamuyudu\coyelu\vebehumagizege-vutaja.pdb source: lfY08S61Ig.exe
Source: Binary string: C:\coyajoxamuyudu\coyelu\vebehumagizege-vutaja.pdb source: lfY08S61Ig.exe
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], CCC8066Ah 0_2_0043C461
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_0043E8D0
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00427059
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esi+00000090h] 0_2_00413038
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_0043E09F
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_004350A0
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then lea eax, dword ptr [edi+04h] 0_2_0042213D
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 0_2_0042213D
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx ecx, word ptr [esi] 0_2_0043D265
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp eax 0_2_0041D35E
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp edx 0_2_0041D35E
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then inc ebx 0_2_00415470
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+10h] 0_2_00424478
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+20h] 0_2_00428410
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov dword ptr [esi+20h], 00000000h 0_2_00411419
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_0043C436
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_0043D4E8
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_0043D48A
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+20h] 0_2_00416555
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], CCC8066Ah 0_2_0043C571
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+0Ch] 0_2_0043C571
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 0_2_0040D650
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_00402650
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 5C3924FCh 0_2_0043C615
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov edi, dword ptr [esi+04h] 0_2_004226BD
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov edi, dword ptr [esi+04h] 0_2_00422760
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_004097F0
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_004258B0
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00426948
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov dword ptr [esi+7Ch], ecx 0_2_00426953
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_0043A930
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+20h] 0_2_004279F5
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [00447EE8h] 0_2_00424982
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx edi, cx 0_2_00428A13
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp dword ptr [ebx+ecx*8], FB49C974h 0_2_00439A20
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_0043EAF0
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00417ABA
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_0041DB00
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 9EDBE8FEh 0_2_0041DB00
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000090h] 0_2_00414D32
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov edx, eax 0_2_0041DDC7
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov esi, dword ptr [esp+0Ch] 0_2_0040FE47
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 0_2_00411E13
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp edx 0_2_0043DE9C
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp edx 0_2_0043DEB1
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov edx, eax 0_2_0041DF3A
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx esi, ch 0_2_0043DFE0
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp edx 0_2_01BFE118
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp edx 0_2_01BFE103
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov esi, dword ptr [esp+0Ch] 0_2_01BD00AE
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov edx, eax 0_2_01BDE02E
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 0_2_01BD207A
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_01BF5307
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_01BFE306
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esi+00000090h] 0_2_01BD329F
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_01BE72C0
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx esi, ch 0_2_01BFE247
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 0_2_01BE25E5
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then lea eax, dword ptr [edi+04h] 0_2_01BE2488
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx ecx, word ptr [esi] 0_2_01BFD4CC
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+20h] 0_2_01BD67BC
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_01BFD74F
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_01BFC69D
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov dword ptr [esi+20h], 00000000h 0_2_01BD1680
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp eax 0_2_01BDD6F9
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_01BFD6F1
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+10h] 0_2_01BE46DF
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then inc ebx 0_2_01BD56D7
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], CCC8066Ah 0_2_01BFC6C8
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+20h] 0_2_01BE8677
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 0_2_01BCD8B7
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_01BC28B7
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esi+48h] 0_2_01BE088D
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov dword ptr [esi+7Ch], ecx 0_2_01BE6BBA
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_01BE6BAF
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_01BE5B17
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_01BFAB97
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [00447EE8h] 0_2_01BE4BE9
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_01BFEB37
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_01BC9A57
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_01BD7D21
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_01BFED57
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then cmp dword ptr [ebx+ecx*8], FB49C974h 0_2_01BF9C87
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then movzx edi, cx 0_2_01BE8C7A
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+20h] 0_2_01BE7C5C
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp edx 0_2_01BDDC57
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000090h] 0_2_01BD4F99
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 4x nop then jmp ecx 0_2_01BDDE8D

Networking

Source: Malware configuration extractor URLs: boredimperissvieos.shop
Source: Malware configuration extractor URLs: holicisticscrarws.shop
Source: Malware configuration extractor URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor URLs: plaintediousidowsko.shop
Source: Malware configuration extractor URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor URLs: stiffraspyofkwsl.shop
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: stiffraspyofkwsl.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: stiffraspyofkwsl.shop
Source: unknown HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: stiffraspyofkwsl.shop
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001C75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stiffraspyofkwsl.shop/
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stiffraspyofkwsl.shop/api
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stiffraspyofkwsl.shop/api6X
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001C75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stiffraspyofkwsl.shop/apieO
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stiffraspyofkwsl.shop/b
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stiffraspyofkwsl.shop/h
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stiffraspyofkwsl.shop/jOT
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stiffraspyofkwsl.shop/p
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 104.21.81.139:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_00430520 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00430520
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_00431CAA GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 0_2_00431CAA

System Summary

Source: 00000000.00000002.1565418562.0000000001C45000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1565312688.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: String function: 01BC8D57 appears 56 times
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: String function: 00408AF0 appears 52 times
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: String function: 00410520 appears 194 times
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: String function: 01BD0787 appears 194 times
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1504
Source: lfY08S61Ig.exe, 00000000.00000002.1565192168.0000000001A13000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesFirezer. vs lfY08S61Ig.exe
Source: lfY08S61Ig.exe Binary or memory string: OriginalFilenamesFirezer. vs lfY08S61Ig.exe
Source: lfY08S61Ig.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1565418562.0000000001C45000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1565312688.0000000001BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C4678E CreateToolhelp32Snapshot,Module32First, 0_2_01C4678E
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_00430169 CoCreateInstance, 0_2_00430169
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7580
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5655c469-167a-4833-a1b9-adaf75e37cfd
Source: lfY08S61Ig.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lfY08S61Ig.exe ReversingLabs: Detection: 73%
Source: lfY08S61Ig.exe Virustotal: Detection: 53%
Source: C:\Users\user\Desktop\lfY08S61Ig.exe File read: C:\Users\user\Desktop\lfY08S61Ig.exe
Source: unknown Process created: C:\Users\user\Desktop\lfY08S61Ig.exe "C:\Users\user\Desktop\lfY08S61Ig.exe"
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1504
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\lfY08S61Ig.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: lfY08S61Ig.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ZvcC:\coyajoxamuyudu\coyelu\vebehumagizege-vutaja.pdb source: lfY08S61Ig.exe
Source: Binary string: C:\coyajoxamuyudu\coyelu\vebehumagizege-vutaja.pdb source: lfY08S61Ig.exe

Data Obfuscation

Source: C:\Users\user\Desktop\lfY08S61Ig.exe Unpacked PE file: 0.2.lfY08S61Ig.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Unpacked PE file: 0.2.lfY08S61Ig.exe.400000.0.unpack
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_004337E3 push esp; iretd 0_2_004337E7
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_00444D61 push esp; retf 0_2_00444D69
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_00444DC9 push esp; retf 0_2_00444D69
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01BD4925 push edx; retf 0_2_01BD4931
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01BF3A4A push esp; iretd 0_2_01BF3A4E
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C4A0F0 push edi; retf 0_2_01C4A107
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C47804 pushad ; retf 0_2_01C47805
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C47A4E push ebp; ret 0_2_01C47A4F
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C49A16 push 89C102E8h; iretd 0_2_01C49A1B
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C4AC8C push es; ret 0_2_01C4ACC2
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C4AC5A push es; ret 0_2_01C4ACC2
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C48E1D pushfd ; iretd 0_2_01C48E28
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C4B480 rdtsc 0_2_01C4B480
Source: C:\Users\user\Desktop\lfY08S61Ig.exe TID: 7680 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001C75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001CAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: lfY08S61Ig.exe, 00000000.00000002.1565455317.0000000001CAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C4B480 rdtsc 0_2_01C4B480
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_0043B550 LdrInitializeThunk, 0_2_0043B550
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01BC092B mov eax, dword ptr fs:[00000030h] 0_2_01BC092B
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01BC0D90 mov eax, dword ptr fs:[00000030h] 0_2_01BC0D90
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Code function: 0_2_01C4606B push dword ptr fs:[00000030h] 0_2_01C4606B

HIPS / PFW / Operating System Protection Evasion

Source: lfY08S61Ig.exe String found in binary or memory: boredimperissvieos.shop
Source: lfY08S61Ig.exe String found in binary or memory: holicisticscrarws.shop
Source: lfY08S61Ig.exe String found in binary or memory: sweetsquarediaslw.shop
Source: lfY08S61Ig.exe String found in binary or memory: plaintediousidowsko.shop
Source: lfY08S61Ig.exe String found in binary or memory: miniaturefinerninewjs.shop
Source: lfY08S61Ig.exe String found in binary or memory: zippyfinickysofwps.shop
Source: lfY08S61Ig.exe String found in binary or memory: obsceneclassyjuwks.shop
Source: lfY08S61Ig.exe String found in binary or memory: acceptabledcooeprs.shop
Source: lfY08S61Ig.exe String found in binary or memory: stiffraspyofkwsl.shop
Source: C:\Users\user\Desktop\lfY08S61Ig.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR