Analysis Overview
SHA256
81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21
Threat Level: Known bad
The file 81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.bin was found to be: Known bad.
Malicious Activity Summary
Detect Lumma Stealer payload V2
Lumma family
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-30 21:42
Signatures
Detect Lumma Stealer payload V2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-30 21:42
Reported
2023-04-30 22:02
Platform
win10v2004-20230221-en
Max time kernel
257s
Max time network
324s
Command Line
Signatures
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Processes
C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe
"C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.6:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| AT | 77.73.134.68:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| AT | 77.73.134.68:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| AT | 77.73.134.68:80 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| AT | 77.73.134.68:80 | tcp | |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| AT | 77.73.134.68:80 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.135.241.8.in-addr.arpa | udp |
| AT | 77.73.134.68:80 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-30 21:42
Reported
2023-04-30 21:58
Platform
win7-20230220-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Processes
C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe
"C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe"
Network
| Country | Destination | Domain | Proto |
| AT | 77.73.134.68:80 | tcp | |
| AT | 77.73.134.68:80 | tcp | |
| RU | 193.3.19.154:80 | tcp | |
| AT | 77.73.134.68:80 | tcp | |
| AT | 77.73.134.68:80 | tcp | |
| AT | 77.73.134.68:80 | tcp | |
| AT | 77.73.134.68:80 | tcp | |
| AT | 77.73.134.68:80 | tcp |