lumma | 42f6ed3f3f25e52787a9e43dec53306eb63e581d87882f3fbc4756685714e39a

Resubmissions

07-01-2024 18:26

240107-w3ameabffn 10

Analysis

max time kernel
66s
max time network
109s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samples 6/c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe
Size

4.5MB
MD5

d165d4e09ea0624e62fd5bd90fe68c96
SHA1

9a95939bdfface20125f497c54eda3f3d421e790
SHA256

c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e
SHA512

95d2d8ef66c8d5203398048279f1bb250faccf362359e51e364974ea00d88aceec9d9883a47176b9dc2ba1dd1a81232f4318a61b7b14aa643394873c4cce6ec1
SSDEEP

98304:LhX2dkgF2fKzz5du5XdYQokRicv/f6qzT0rh:LhX2dZF275XdZYcvHvvch

Score

10^/10

lumma zgrat rat stealer

Malware Config

Extracted

Family

lumma

http://zamesblack.fun/api

Signatures

Detect Lumma Stealer payload V4 6 IoCs

resource	yara_rule
behavioral3/memory/2412-29-0x0000000000400000-0x0000000000486000-memory.dmp	family_lumma_v4
behavioral3/memory/2412-35-0x0000000000400000-0x0000000000486000-memory.dmp	family_lumma_v4
behavioral3/memory/2412-33-0x0000000000400000-0x0000000000486000-memory.dmp	family_lumma_v4
behavioral3/memory/2412-37-0x0000000000400000-0x0000000000486000-memory.dmp	family_lumma_v4
behavioral3/memory/2412-38-0x0000000000400000-0x0000000000486000-memory.dmp	family_lumma_v4
behavioral3/memory/2412-50-0x0000000000400000-0x0000000000486000-memory.dmp	family_lumma_v4

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral3/memory/2140-0-0x0000000000AB0000-0x0000000000F26000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30
PID 2140 wrote to memory of 2412	2140	c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe	30

C:\Users\Admin\AppData\Local\Temp\Samples 6\c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe
"C:\Users\Admin\AppData\Local\Temp\Samples 6\c6befd3879040aeca88afd9b461177c9a3fc830f2020f2878696ddca0cea994e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:2412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/2140-41-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-45-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-3-0x00000000009D0000-0x00000000009EA000-memory.dmp

Filesize
104KB

Download
memory/2140-4-0x00000000052D0000-0x0000000005462000-memory.dmp

Filesize
1.6MB

Download
memory/2140-1-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-9-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-10-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-11-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/2140-12-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-13-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-14-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-15-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-20-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-49-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-18-0x00000000058B0000-0x00000000059B0000-memory.dmp

Filesize
1024KB

Download
memory/2140-48-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-46-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-44-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-47-0x00000000058B0000-0x00000000059B0000-memory.dmp

Filesize
1024KB

Download
memory/2140-2-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-19-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-43-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-42-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-0-0x0000000000AB0000-0x0000000000F26000-memory.dmp

Filesize
4.5MB

Download
memory/2140-40-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-17-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-16-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2140-39-0x0000000005290000-0x00000000052D0000-memory.dmp

Filesize
256KB

Download
memory/2412-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-27-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-38-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-35-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-37-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-29-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2412-33-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2412-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download