General

  • Target

    b1bc2eb5769d4aac65858a7873e477c87502efa4aafc2c62639dbe27dd951ef5

  • Size

    206KB

  • Sample

    230115-eyc4asdg9s

  • MD5

    8213372d2686414c996068c6f821042c

  • SHA1

    7f9767dd0d71412abcfc5d6c07ceddce5bfe0672

  • SHA256

    b1bc2eb5769d4aac65858a7873e477c87502efa4aafc2c62639dbe27dd951ef5

  • SHA512

    b10fe5f3b5dfec8097b3f591d9503ebcc9591b462314ecb26eac8dd6fdbfd46edc0ecf593c94906724cedcb3e203f6176eee38e9f18778a39674edcb941651eb

  • SSDEEP

    3072:BXtOI2FM5DWWTpi5YyAwbrHOMNpg+RS3xToapb:luFM5DWYeAMuFrp

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Targets

    • Target

      b1bc2eb5769d4aac65858a7873e477c87502efa4aafc2c62639dbe27dd951ef5

    • Size

      206KB

    • MD5

      8213372d2686414c996068c6f821042c

    • SHA1

      7f9767dd0d71412abcfc5d6c07ceddce5bfe0672

    • SHA256

      b1bc2eb5769d4aac65858a7873e477c87502efa4aafc2c62639dbe27dd951ef5

    • SHA512

      b10fe5f3b5dfec8097b3f591d9503ebcc9591b462314ecb26eac8dd6fdbfd46edc0ecf593c94906724cedcb3e203f6176eee38e9f18778a39674edcb941651eb

    • SSDEEP

      3072:BXtOI2FM5DWWTpi5YyAwbrHOMNpg+RS3xToapb:luFM5DWYeAMuFrp

    • Detects Smokeloader packer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks