Overview

overview

10

Static

static

db53d1d270...dd.exe

windows7-x64

10

db53d1d270...dd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    37c3ae28ca121fcfab6d67fbaded71bd.bin

  • Size

    139KB

  • Sample

    230116-jhjy5afe3y

  • MD5

    b913746d0ad3e1ffa20e8b9005b70036

  • SHA1

    ec84a08a22b141b9a1b079ba4dc560667217062d

  • SHA256

    3cf53784f9b2e28697c85914904080fb6f815bd1e45e62c164878777cd0494ba

  • SHA512

    6ee49a9c1d32566dc4ac402b4372ee593f030d082a721a09d37118cadfbbad26f0e4667f37ac021511dff7ed36fb2a00590798bb3770575f3b06aa26607640bf

  • SSDEEP

    3072:kBYlOZW2UJYp2UD1bhfNUlNKHWxC2RpBX4naa6r8G2Lj:CkYpPHfNUljxC2boDLj

Score
10/10
lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Targets

    • Target

      db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd.exe

    • Size

      225KB

    • MD5

      37c3ae28ca121fcfab6d67fbaded71bd

    • SHA1

      cf239854e511823772c378f53ba5b0aeec8f55b8

    • SHA256

      db53d1d27093b52d6771611aad71594c6dae516160f5e559f6972e9b438203dd

    • SHA512

      7ff4c72d865ba0220d4788d59e33c8bc977bdc1f714e7ae81bfdd648a4bf8d4043a217ca7efd8aaf14a3343151a638c11561cfc66d261cf6c66e33bfa4a7b06d

    • SSDEEP

      3072:D58L2AmKZNw1YF4qU67HPB/tHGWzlXPH8oSuBy79Y3Ox6qQo3:d8L201F4169/tHFN8o7BW9Hk5o

    Score
    10/10
    smokeloaderbackdoortrojanlummacollectiondiscoverypersistencespywarestealer

    • Detects Smokeloader packer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Sets service image path in registry

      persistence

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks