Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874

  • Size

    210KB

  • Sample

    230116-e7874ahc79

  • MD5

    92bb8675d4eedd4d50603597ce85dbbf

  • SHA1

    618f820d738a192c3e70875b01a612df48c03698

  • SHA256

    8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874

  • SHA512

    22ef20a9f4110f5718dacbc81f75dd94c96756b60b34c9d4058d78e68b58d0e4ce7bfb717b996ff26eb1c8dcabd30dbe3a641491a4c57f74a1ce89a9a2e4c564

  • SSDEEP

    3072:1MXWFheF3d56wEZf+iV9uAw7Xw3c249xSqQNqi:1InFapZfMAb3Fh

Score
10/10
lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Targets

    • Target

      8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874

    • Size

      210KB

    • MD5

      92bb8675d4eedd4d50603597ce85dbbf

    • SHA1

      618f820d738a192c3e70875b01a612df48c03698

    • SHA256

      8df105affac7a3c0348efdb7c5f1f159acceda0c13d5f318e611e5528e82d874

    • SHA512

      22ef20a9f4110f5718dacbc81f75dd94c96756b60b34c9d4058d78e68b58d0e4ce7bfb717b996ff26eb1c8dcabd30dbe3a641491a4c57f74a1ce89a9a2e4c564

    • SSDEEP

      3072:1MXWFheF3d56wEZf+iV9uAw7Xw3c249xSqQNqi:1InFapZfMAb3Fh

    Score
    10/10
    lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

    • Detects Smokeloader packer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Sets service image path in registry

      persistence

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks