General
- Target: test.txt
- Size: 2B
- Sample: 230529-e23hcsaa2t
- MD5: d784fa8b6d98d27699781bd9a7cf19f0
- SHA1: dd122581c8cd44d0227f9c305581ffcb4b6f1b46
- SHA256: e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700
- SHA512: f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0
Static task: static1
Behavioral task: behavioral1
- Sample: test.txt
- Resource: win7-20230220-en
Malware Config
- Extracted: lumma
- 195.123.227.138
Targets
- Target: test.txt
- Size: 2B
- MD5: d784fa8b6d98d27699781bd9a7cf19f0
- SHA1: dd122581c8cd44d0227f9c305581ffcb4b6f1b46
- SHA256: e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700
- SHA512: f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext