lumma | 79d4128136a7e40b9ea839b1ddd1576bc3d46f97c88968591a0dbcdd0f51408b

General

Target

e7d2e3ef308b65887cfe3fc9012c012a.bin
Size

2.4MB
Sample

240101-cszc8scff6
MD5

f1adeafd33a76da29c58185d71c1afaf
SHA1

d40d1c94d3c370ad54e3b0ba6c1454abda6d01f8
SHA256

79d4128136a7e40b9ea839b1ddd1576bc3d46f97c88968591a0dbcdd0f51408b
SHA512

04777afac9332264b7d1a206aa037bf8d2b364392ccd85404d1baaa46d1418e45fc758e76e9888aa49445888348ca2342adeb0171fe263d6dd0d41fd2c639406
SSDEEP

49152:mpCDuVjw/UddtOuDljSN1Nnt8RUaSyVIwgFEm87fQWgOIG:Dcc/ILQ1NntwU98UF6oWgOIG

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTrafic

C2

20.79.30.95:13856

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

777

C2

195.20.16.103:20440

Extracted

Family

lumma

C2

http://soupinterestoe.fun/api

Targets

- Target
  
  53bda5daab1582c7b7ca077deb0b3f3bbf3a4611fe92d136ceecab70eaa64d9a.exe
- Size
  
  2.5MB
- MD5
  
  e7d2e3ef308b65887cfe3fc9012c012a
- SHA1
  
  1aab721e4a346677b97f069dcf40d21490deb5f5
- SHA256
  
  53bda5daab1582c7b7ca077deb0b3f3bbf3a4611fe92d136ceecab70eaa64d9a
- SHA512
  
  89ec30bdb2846668391ecd1d0e206e999ac7ab88c70374bdf2b0305cf117a6dc158f029c982dd2012702f6f49c8a320e48180b44b57edfd62f85b1025b750899
- SSDEEP
  
  49152:i/JOpJYNxT2b2Dd87gp3HQTBDfocvOx7C8yA9GcPmxneb5Mf:IIp0TpB87gp3wTeMpJi9keb5o
Score

10^/10

google evasion persistence phishing trojan lumma redline smokeloader 777 livetrafic up3 backdoor collection discovery infostealer spyware stealer
- Detect Lumma Stealer payload V4
- Detected google phishing page
  phishing google
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2