Resubmissions

30/03/2024, 14:33

240330-rxab8shb28 8

01/05/2023, 11:52

230501-n15e1ahb8s 10

21/03/2023, 09:18

230321-k9l38she38 1

General

  • Target: pcworldx64installer.zip
  • Size: 11.3MB
  • Sample: 230501-n15e1ahb8s
  • MD5: 9ac2d6a90b5fad415a589907dd5ea7ea
  • SHA1: bd41eb8d00f88972812752bbe3a3be91d986d73f
  • SHA256: 13716fdf716aa8479df57501ce208cae4fc31e5a5bb9f483764ba76fdbea4b0d
  • SHA512: bb19610fe3dcd940e81d09ad65523b784bab2162609d960166528e40bbd998ff8eed275dd888b59052e70b18766621c092ea5fc388d39bea4a7f694190c9379f
  • SSDEEP: 196608:4DiDSy66GIbqTpOSLRfyvA8QRGqtgA9aHPa4eAYwKbacjTy1tdW9Rd+PrLv+8Otp:4DQQZFh8Qb6VHPd8wKbacjTy1O9RkfWj

Malware Config

Extracted

  • Family: lumma
  • C2: 82.118.23.50

Targets

    • Target: Setup_x64.exe.lnk
    • Size: 1KB
    • MD5: b1b6eb2189e0f3d7ecfea63baafca452
    • SHA1: af279896cf4ec2c487e5599759cee19bdd0d84b6
    • SHA256: 0bbeb529931ee10f4cde96b33689c45b0406b3b33a55d4a0341fac2e67749b55
    • SHA512: b1dbf2144f13d08b7a62a7fc24681f6c8c324b56eb4048da64836ab2d83efed80c80acc9f06e44de02ddcdb31a4eefa9f244447b128d1d73cacf583eb17f66a2

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks