General

  • Target

    07c5c741a4699acffb1cabb19c3da0a236d110c11f4c8c037baaedb5bb33f7ee

  • Size

    210KB

  • Sample

    230115-vayyvsda7x

  • MD5

    caddf40996583dd2cc12824f789a8a2e

  • SHA1

    c175d5bc35b9501e0bf3bc33fd71adeafa6130e3

  • SHA256

    07c5c741a4699acffb1cabb19c3da0a236d110c11f4c8c037baaedb5bb33f7ee

  • SHA512

    e4b333726fbec0e13409d5c84ea046e28d9e0ad739d629a379f2f8d712c88ede93cf20e0e4bb6fa6adb1010e51230e1b962af2faf6dc63c8a95944fb26e3fb43

  • SSDEEP

    3072:3XGXGA/mxa58MBGutVAZfFfWzghUBEW8e2WojOSNKYsi:nFY8utVe1WzghUBD8e2W4H

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Targets

    • Detects Smokeloader packer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6