General

  • Target

    a4bdf08099f23da066d81eddb1c229d1

  • Size

    119KB

  • Sample

    240225-2a4yfaea97

  • MD5

    a4bdf08099f23da066d81eddb1c229d1

  • SHA1

    bcd16532c813e5ba009d4d3cd246796d3ffb7a45

  • SHA256

    6a3faf643c2c33f48b0e59c9edb14baebbf9ce1678aed83727106b739f0cafcb

  • SHA512

    b5cca53eab5ff8db14cb53262de2dda2730f8149b51366a55bd4bef3c4501e594000edc4695ca61154e768609be0333898a9586f2840df6a23aaa54cd0abc69e

  • SSDEEP

    3072:hIZopSB/iLm7CEdYVgfIYCBP04+i6Hz3qFlhH0ytpAGf:VpSBt7CE+gfIhM4l6Hz3qFlJ0cei

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Looks for VMware Tools registry key

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks