General
Target: expressvpn_windows_install_pass1234.zip
Size: 48.5MB
Sample: 230322-jy1ltahe8z
MD5: 88f51bb2c544d11cdf493c6082a7eabd
SHA1: 78b9942ed7c81312df12d232379fa2412ea7913e
SHA256: 25bedb839070a35a6195fec683ca363d031fb265e10ddc9d5537199be60c4fab
SHA512: 7449b9129d5d207f24b428735e140478afa8e0de7f49649f520010918726556ced4a3ca5edd32e4e6f8b2ada89d4ebef7368de4c8c9ca1e04f1076921a0863d3
SSDEEP: 786432:kOjgCSRBYxWy0WXMGMVcvPKI0+mOafSmyEXa0Lsn7kEGYEKbKjGHV7/ijz8p:fkRBf6LwcKyafY+a0ukEmjGHdp

Static task: static1
Behavioral task: behavioral1
Sample: expressvpn_windows_install.7z
Resource: win7-20230220-en

Malware Config
Extracted: lumma
82.117.255.80

Targets
Target: expressvpn_windows_install.7z
Size: 45.5MB
MD5: 453d0bcc246d8f9def6d542fd846c3d4
SHA1: 5e35087c69cbd0425c02ce7edc5192feea82722a
SHA256: f6be94dd7fa4acd3775553af020ed4bd07bdd8070383926b3e2ad62c3c30a9ae
SHA512: e674fbd76f5919436780d9bf75918b1202dffcf279708aad0a000ae7bd489a9bdf55d6f7a2b4f7b738a66080a59b18403c702e43d58d3c764b22f848e6752c61
SSDEEP: 786432:IOjgCSRBYxWy0WXMGMVcvPKI0+mOafSmyEXa0Lsn7kEGYEKbKjGHV7/ijz/:DkRBf6LwcKyafY+a0ukEmjGHO

- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.