Malware Analysis Report

2025-08-11 06:28

Sample ID 230424-ytwjmaga5y
Target VersionUnlimited-main.zip
SHA256 63bae6ef7079dc92968fe00d5adebd6488ac116f56364d776f86464fcdf08ea3
Tags
pdf link lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63bae6ef7079dc92968fe00d5adebd6488ac116f56364d776f86464fcdf08ea3

Threat Level: Known bad

The file VersionUnlimited-main.zip was found to be: Known bad.

Malicious Activity Summary

pdf link lumma spyware stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

One or more HTTP URLs in PDF identified

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-24 20:06

Signatures

One or more HTTP URLs in PDF identified

pdf link

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-24 20:05

Reported

2023-04-24 20:10

Platform

win7-20230220-en

Max time kernel

54s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1056 set thread context of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1056 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1056 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1056 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1056 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1056 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1056 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe

"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 36

Network

Country | Destination | Domain | Proto
NZ | 185.99.132.51:80 | | tcp
NZ | 185.99.132.51:80 | 185.99.132.51 | tcp

Files

memory/1096-54-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1096-55-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1096-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-24 20:05

Reported

2023-04-24 20:11

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe

"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 852 -ip 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 156

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
NZ | 185.99.132.51:80 | 185.99.132.51 | tcp
US | 8.8.8.8:53 | 51.132.99.185.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 104.208.16.88:443 | | tcp
US | 93.184.221.240:80 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp

Files

memory/4480-133-0x00000000005C0000-0x00000000005F9000-memory.dmp