Malware Analysis Report

2025-08-11 06:27

Sample ID: 230424-yvhn6aec75
Target: VersionUnlimited-main.zip
SHA256: 63bae6ef7079dc92968fe00d5adebd6488ac116f56364d776f86464fcdf08ea3
Tags: pdf link lumma spyware stealer
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file VersionUnlimited-main.zip was found to be: Known bad.

Malicious Activity Summary

Tags: pdf link lumma spyware stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

One or more HTTP URLs in PDF identified

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-04-24 20:07

Signatures

One or more HTTP URLs in PDF identified

pdf link

Analysis: behavioral1

Detonation Overview

Submitted: 2023-04-24 20:06
Reported: 2023-04-24 20:10
Platform: win7-20230220-en
Max time kernel: 38s
Max time network: 49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1652 set thread context of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1652 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1652 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1652 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1652 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1652 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1652 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1652 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\SysWOW64\WerFault.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe

"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 36

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| NZ | 185.99.132.51:80 | 185.99.132.51 | tcp |

Files

memory/1744-54-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1744-55-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1744-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-04-24 20:06
Reported: 2023-04-24 20:10
Platform: win10v2004-20230220-en
Max time kernel: 149s
Max time network: 169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe

"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2836 -ip 2836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 160

Network


Files

memory/3464-133-0x0000000000700000-0x0000000000739000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2023-04-24 20:06
Reported: 2023-04-24 20:10
Platform: win7-20230220-en
Max time kernel: 15s
Max time network: 33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\modules.dll,#1

Signatures

Program crash

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1736 wrote to memory of 2036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1736 wrote to memory of 2036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1736 wrote to memory of 2036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\modules.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1736 -s 92

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2023-04-24 20:06
Reported: 2023-04-24 20:10
Platform: win10v2004-20230220-en
Max time kernel: 101s
Max time network: 132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\modules.dll,#1

Signatures

Program crash

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\modules.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 360 -p 1312 -ip 1312

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1312 -s 352

Network


Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2023-04-24 20:06
Reported: 2023-04-24 20:10
Platform: win7-20230220-en
Max time kernel: 25s
Max time network: 34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\platforms\qwindows.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\platforms\qwindows.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2023-04-24 20:06
Reported: 2023-04-24 20:10
Platform: win10v2004-20230220-en
Max time kernel: 150s
Max time network: 161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\platforms\qwindows.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\platforms\qwindows.dll,#1

Network


Files

N/A