Malware Analysis Report

2025-08-05 10:05

Sample ID 230501-sj5fwsaf2z
Target 0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7.bin
SHA256 0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7
Tags
lumma discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7

Threat Level: Known bad

The file 0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7.bin was found to be: Known bad.

Malicious Activity Summary

lumma discovery spyware stealer

Lumma Stealer

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 15:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 15:10

Reported

2023-05-01 15:20

Platform

win7-20230220-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7.exe"

Signatures

Lumma Stealer

stealer lumma

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7.exe

"C:\Users\Admin\AppData\Local\Temp\0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7.exe"

Network

Country Destination Domain Proto
US 82.117.255.127:80 tcp
RU 193.3.19.154:80 tcp
US 82.117.255.127:80 tcp
US 82.117.255.127:80 tcp
US 82.117.255.127:80 tcp
US 82.117.255.127:80 tcp
US 82.117.255.127:80 tcp
US 82.117.255.127:80 tcp

Files

memory/1368-54-0x0000000001D40000-0x0000000001D79000-memory.dmp

memory/1368-59-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1368-60-0x0000000000400000-0x0000000000454000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 15:10

Reported

2023-05-01 15:20

Platform

win10v2004-20230220-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7.exe"

Signatures

Lumma Stealer

stealer lumma

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7.exe

"C:\Users\Admin\AppData\Local\Temp\0fda4f105bb07160230e01ad78c1010ac7ab828eb3f0f2724cef1ee93fd5d5f7.exe"

Network

Country Destination Domain Proto
RU 193.3.19.154:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 117.18.237.29:80 tcp
US 82.117.255.127:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 82.117.255.127:80 tcp
US 40.125.122.176:443 tcp
US 20.189.173.1:443 tcp
NL 8.238.177.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 82.117.255.127:80 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 40.125.122.176:443 tcp
NL 8.238.177.126:80 tcp
US 82.117.255.127:80 tcp
US 40.125.122.176:443 tcp
US 82.117.255.127:80 tcp
US 40.125.122.176:443 tcp
US 82.117.255.127:80 tcp
US 40.125.122.176:443 tcp
US 82.117.255.127:80 tcp
US 40.125.122.176:443 tcp

Files

memory/628-133-0x0000000002520000-0x0000000002559000-memory.dmp

memory/628-138-0x0000000000700000-0x0000000000701000-memory.dmp

memory/628-140-0x00000000006E0000-0x00000000006F3000-memory.dmp

memory/628-139-0x0000000000400000-0x0000000000454000-memory.dmp