Malware Analysis Report

2025-08-06 00:52

Sample ID 230430-s8vb8aab74
Target Rust Hack.exe
SHA256 5cdd0a29b95fbd0317a39f8d1f3cc4465731e60a6e4dae8c2362a28e05ffc251
Tags
lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5cdd0a29b95fbd0317a39f8d1f3cc4465731e60a6e4dae8c2362a28e05ffc251

Threat Level: Known bad

The file Rust Hack.exe was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-30 15:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-30 15:48

Reported

2023-04-30 15:50

Platform

win7-20230220-en

Max time kernel

27s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1236 set thread context of 928 N/A C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe

"C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

Network

Country Destination Domain Proto
US 82.117.255.127:80 82.117.255.127 tcp

Files

memory/928-55-0x0000000000400000-0x0000000000439000-memory.dmp

memory/928-56-0x0000000000400000-0x0000000000439000-memory.dmp

memory/928-62-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-30 15:48

Reported

2023-04-30 15:50

Platform

win10v2004-20230221-en

Max time kernel

73s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4224 set thread context of 840 N/A C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe

"C:\Users\Admin\AppData\Local\Temp\Rust Hack.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 117.18.232.240:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 82.117.255.127:80 82.117.255.127 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 127.255.117.82.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 52.182.143.208:443 tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp

Files

memory/840-134-0x0000000000400000-0x0000000000439000-memory.dmp