lumma | 74eb04510acd0fe398db8b3a961d44f93d665d7e6b3e3ad56e8e011794f2b8f9

Sharing

Copy URL

Twitter E-mail

General

Target

a64d3efdffb5db4a80213b196c336f83.bin
Size

2.4MB
Sample

231230-cbnkeahdg7
MD5

3df32fe10afc70bfe18eccb0e3c7c44a
SHA1

e2e476656756747de47e02492462ed7a86e77899
SHA256

74eb04510acd0fe398db8b3a961d44f93d665d7e6b3e3ad56e8e011794f2b8f9
SHA512

d9fe1d5a86444710bb110c01271b935ed46e4c7665aa8c49c2a4e4178382b2fa6556f11ec57ccb87b441fe775bcb64005b4a5f7bfd5bac05512152584f7e6902
SSDEEP

49152:PpeGOa+gbXNWSf21dL+w+Ql6nfjuKGOe+8lQU1WJsjDI2o2QEbG3ZnrQY:PpeGj+gDNPfcdaKIrNGOPr+0F2Qhdb

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:13856

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Extracted

Family

stealc

http://5.42.66.57

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

lumma

http://soupinterestoe.fun/api

Targets

- Target
  
  b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd.exe
- Size
  
  2.5MB
- MD5
  
  a64d3efdffb5db4a80213b196c336f83
- SHA1
  
  06e844ad84ae392b4663996f8352a2e3923d0515
- SHA256
  
  b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd
- SHA512
  
  8913d10e7a2ea74bf77fa0d057065110ffffa3d4b12f8197240ffc65a1d040cb1cc45262a01c55e61ea0a1abeeb231b5a61a1f7e55d40d4caccf8e5f30bf3eeb
- SSDEEP
  
  49152:iGtKtH2262oFyWcJEgpjlVoyIY04Inxuhbaxzqjxoy0p+pPvT+L0uHEqPpQ5XaWf:PG2+EyWcJEPynNSultYaXT+QmREXaa
Score

10^/10

google collection discovery evasion persistence phishing spyware stealer trojan lumma redline smokeloader stealc zgrat 777 livetraffic up3 backdoor infostealer rat upx
- Detect Lumma Stealer payload V4
- Detect ZGRat V1
- Detected google phishing page
  phishing google
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2