Malware Analysis Report

2025-08-05 10:05

Sample ID 230430-1kh82scf82
Target 81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.bin
SHA256 81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21
Tags
spyware stealer lumma discovery
score
10/10

Analysis Overview

score
10/10

SHA256

81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21

Threat Level: Known bad

The file 81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.bin was found to be: Known bad.

Malicious Activity Summary

spyware stealer lumma discovery

Detect Lumma Stealer payload V2

Lumma family

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-30 21:42

Signatures

Detect Lumma Stealer payload V2

Description Indicator Process Target
N/A N/A N/A N/A

Lumma family

lumma

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-30 21:42

Reported

2023-04-30 22:02

Platform

win10v2004-20230221-en

Max time kernel

257s

Max time network

324s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Processes

C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe

"C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe"

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-30 21:42

Reported

2023-04-30 21:58

Platform

win7-20230220-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe

"C:\Users\Admin\AppData\Local\Temp\81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21.exe"

Network

Files

N/A