General

  • Target

    8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486

  • Size

    2.4MB

  • Sample

    240201-hx8qcsfhhl

  • MD5

    331286ccfef0f9d93edce15d5ab89f23

  • SHA1

    f569d725f16d033dbd6479cbde513ee4003492c0

  • SHA256

    8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486

  • SHA512

    e9b476430ee65b61df079096d8f94097522aacffc96a8faee6e8ed809790012dac0cb67be5739d7b1c51b403b63f1abc5a015200702affd688ca710786c3e49c

  • SSDEEP

    49152:SLzYog2T2VZh0g/WKxprHwn9+I/9ut7M8hwJ5FPmynogyRwf:qVgxPh0g/WkpMFjqOP3ogyRs

Targets

    • Detect Lumma Stealer payload V4

    • Detected Google phishing page

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies Windows Defender Real-time Protection settings

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies, session tokens and autofill entries.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
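
The behavioural signatures above (Defender real-time protection tampering, a Run key for persistence, enumeration of the Uninstall registry key, an external IP lookup, and reads of browser profile files) are the kind of telemetry a defender can match on outside the sandbox. The script below is an added example written for this page; it is not the sandbox's own signature code and not code from the sample. It maps a handful of constructed, Sysmon-like events (the event types, field names, process path and hostnames are assumptions chosen to resemble real telemetry) onto the signature names used in the report. The registry value names under the Windows Defender policy key and the browser file names are real, but the report itself does not state which IP lookup service or which browser files this sample touched, so that list is an assumption too.

```python
"""Map host telemetry to the behavioural signatures listed in the sandbox report.

Added example for this page. Event shapes, field names, the process path and
the sample events are constructed assumptions, not data from the report.
"""
import re
from collections import defaultdict

# Signature names copied from the report's list.
SIG_DEFENDER = "Modifies Windows Defender Real-time Protection settings"
SIG_RUNKEY = "Adds Run key to start application"
SIG_UNINSTALL = "Checks installed software on the system"
SIG_EXTIP = "Looks up external IP address via web service"
SIG_BROWSER = "Reads user/profile data of web browsers"

# Real policy values under ...\Windows Defender\Real-Time Protection that disable protection.
DEFENDER_RTP = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableOnAccessProtection|DisableIOAVProtection)$",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.IGNORECASE)
# Chromium (Login Data, Cookies, Web Data) and Firefox (logins.json, key4.db) credential stores.
BROWSER_DATA = re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.IGNORECASE)
# Well-known external-IP lookup services (assumption: the report does not name the one used).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ifconfig.me", "icanhazip.com",
                   "checkip.amazonaws.com"}


def classify(event):
    """Return the set of report signatures a single event matches."""
    hits = set()
    kind = event["type"]
    if kind == "registry_set":
        path = event["path"]
        # Only a value of 1 disables protection; writing 0 re-enables it and is not a hit.
        if DEFENDER_RTP.search(path) and str(event.get("data")) == "1":
            hits.add(SIG_DEFENDER)
        if RUN_KEY.search(path):
            hits.add(SIG_RUNKEY)
    elif kind == "registry_query":
        if UNINSTALL_KEY.search(event["path"]):
            hits.add(SIG_UNINSTALL)
    elif kind == "dns_query":
        if event["host"].lower() in IP_LOOKUP_HOSTS:
            hits.add(SIG_EXTIP)
    elif kind == "file_read":
        if BROWSER_DATA.search(event["path"]):
            hits.add(SIG_BROWSER)
    return hits


def summarize(events):
    """Group matching events: signature name -> sorted list of process images."""
    out = defaultdict(set)
    for ev in events:
        for sig in classify(ev):
            out[sig].add(ev["image"])
    return {sig: sorted(images) for sig, images in out.items()}


# Constructed sample telemetry (assumption: paths and hosts are illustrative only).
PROC = r"C:\Users\user\AppData\Local\Temp\dropped.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": PROC, "data": "1",
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "registry_set", "image": PROC, "data": PROC,
     "path": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "registry_query", "image": PROC,
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "dns_query", "image": PROC, "host": "api.ipify.org"},
    {"type": "file_read", "image": PROC,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign noise that must not match: a browser's own DNS query, and RTP being turned back on.
    {"type": "dns_query", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "host": "www.example.com"},
    {"type": "registry_set", "image": r"C:\Windows\System32\dllhost.exe", "data": "0",
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    for sig, images in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{sig}: {', '.join(images)}")
```

Run stand-alone it prints one line per matched signature with the processes responsible; in practice the event list would be fed from Sysmon or EDR telemetry rather than the constructed list above. The Defender check deliberately requires the written value to be 1, so an administrator or group policy re-enabling real-time protection does not fire the signature.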

MITRE ATT&CK Enterprise v15
