General

  • Target

    file.exe

  • Size

    210KB

  • Sample

    230116-b4nv7sbd8x

  • MD5

    0d0655ac3327465e342c8643e0aec261

  • SHA1

    3b60b63f926a4ef0821bc359858fec339327517f

  • SHA256

    19533506a74a8fd80ba932ca930c0805d0f69095d5820683ff757785dbb4359e

  • SHA512

    1b00d21f5de948ef4d5be4a5593eb9a83dcccb84d1bd5ded3c2846a606e731f8d14074cfaaa5511c0a57651239de1870bab314ff5f8fea56022c2b3bc878f970

  • SSDEEP

    3072:rMX15/9Gxad5gWGzaBUOxqNk7EWVRS8Nw4i:rIdGxbaBNx5EsSL

Malware Config

  • Extracted

  • Family

    lumma

  • C2

    77.73.134.68

Targets

    • Detects Smokeloader packer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks