Overview

overview

10

Static

static

308f667ab1...bb.exe

windows7-x64

10

308f667ab1...bb.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb

  • Size

    133KB

  • Sample

    230116-mbhz2ahd4s

  • MD5

    a8919bb8707e1bd3151091d4054792f8

  • SHA1

    0d2fc5fb1704cbe9b0a1e356db39253e239675c4

  • SHA256

    bd4a95599739c3ec1816aeb7ccd54e17a3516587af80884d9798a8efb20a46d6

  • SHA512

    d8c14cb0332a9689acdc6eff776a7b1d818750e2c415230d6fdad5ad059e7fde54c7fff94b2b2ca7713f6fdf7581981f4330c23c27c95922c6b7a0e539ae67f2

  • SSDEEP

    3072:eDBW+Etp01ZsFaeo/Gjjop6WUOjsw9YptAf6lA88w3ZQiE+5Nr:eDBCtuZWaeo+jjvWUKYptccAhw3ZQ341

Score
10/10
lummasmokeloaderbackdoorcollectiondiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Targets

    • Target

      308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb

    • Size

      210KB

    • MD5

      e9090853ebfa9e70a1e0fab65e348bd5

    • SHA1

      eba6b6894ec013d8cc4ce791150de1be61ec9fe0

    • SHA256

      308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb

    • SHA512

      5afd7ca05af9c92c699b33bc4c7e5530cd8b44b5fdaf35b442981ae716b77c74ec0346a0ca452e796a2f2a73227ed6d60827f85368632b36a898b95c7c2a3f3c

    • SSDEEP

      3072:CYXDd+LSr8Gyd5BsGBbzSUOjsw9YptAf6loqZuT8ti:CsWSRPcSUKYptccodT8

    Score
    10/10
    smokeloaderbackdoortrojanlummacollectiondiscoverypersistencespywarestealer

    • Detects Smokeloader packer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Sets service image path in registry

      persistence

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks