Windows Analysis Report
payload.exe

Overview

General Information

Sample name: payload.exe
Analysis ID: 1436577
MD5: ce50f943a26c5cb2baf73d051ce6e8fc
SHA1: 8ddbd6b36ecb62ebe2925d212af13cbc786a6d35
SHA256: a83a24e2219d14f4448a837d638b007c9404d893dd035bdf67fbde220e3c4ced
Tags: exe

Detection

LummaC
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: payload.exe Avira: detected
Source: payload.exe Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "pearcyworkeronej.shop"], "Build id": "uYY3NI--"}
Source: sweetsquarediaslw.shop Virustotal: Detection: 10%
Source: payload.exe Virustotal: Detection: 47%
Source: payload.exe Joe Sandbox ML: detected
Source: payload.exe String decryptor: boredimperissvieos.shop
Source: payload.exe String decryptor: holicisticscrarws.shop
Source: payload.exe String decryptor: sweetsquarediaslw.shop
Source: payload.exe String decryptor: plaintediousidowsko.shop
Source: payload.exe String decryptor: miniaturefinerninewjs.shop
Source: payload.exe String decryptor: zippyfinickysofwps.shop
Source: payload.exe String decryptor: obsceneclassyjuwks.shop
Source: payload.exe String decryptor: acceptabledcooeprs.shop
Source: payload.exe String decryptor: pearcyworkeronej.shop
Source: payload.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: payload.exe String decryptor: TeslaBrowser/5.5
Source: payload.exe String decryptor: - Screen Resoluton:
Source: payload.exe String decryptor: - Physical Installed Memory:
Source: payload.exe String decryptor: Workgroup: -
Source: payload.exe String decryptor: uYY3NI--
Source: payload.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: payload.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor URLs: boredimperissvieos.shop
Source: Malware configuration extractor URLs: holicisticscrarws.shop
Source: Malware configuration extractor URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor URLs: plaintediousidowsko.shop
Source: Malware configuration extractor URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor URLs: pearcyworkeronej.shop
Source: C:\Users\user\Desktop\payload.exe Code function: 0_2_00400520 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_00400520
Source: C:\Users\user\Desktop\payload.exe Code function: 0_2_00401CAA GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 0_2_00401CAA
Source: C:\Users\user\Desktop\payload.exe Code function: String function: 003D8AF0 appears 52 times
Source: C:\Users\user\Desktop\payload.exe Code function: String function: 003E0520 appears 194 times
Source: classification engine Classification label: mal96.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\payload.exe Code function: 0_2_00400169 CoCreateInstance, 0_2_00400169
Source: payload.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payload.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\payload.exe File read: C:\Users\user\Desktop\payload.exe
Source: C:\Users\user\Desktop\payload.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\payload.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\payload.exe Code function: 0_2_004037E3 push esp; iretd 0_2_004037E7
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\payload.exe Code function: 0_2_0040B550 LdrInitializeThunk, 0_2_0040B550

HIPS / PFW / Operating System Protection Evasion

Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: boredimperissvieos.shop
Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: holicisticscrarws.shop
Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: sweetsquarediaslw.shop
Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: plaintediousidowsko.shop
Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: miniaturefinerninewjs.shop
Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: zippyfinickysofwps.shop
Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: obsceneclassyjuwks.shop
Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: acceptabledcooeprs.shop
Source: payload.exe, 00000000.00000002.2882443595.0000000000410000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: pearcyworkeronej.shop

Stealing of Sensitive Information

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos