General

  • Target

    707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk

  • Size

    1KB

  • Sample

    240227-f2e8hahb85

  • MD5

    c7945d1c593363055616d6e427b8e2a2

  • SHA1

    2c5f9b6fc746efb5caad3b31755c801f9ad1ac7b

  • SHA256

    707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50

  • SHA512

    7fb10ad46450b7ceeebdf3e9144447c59c22c67a6c7d026a1dbebcb665ee6bf1588958c5388e0358f18ecf71539dfd67050bb7ffeb516d2904d5cd77a1786d19

Malware Config

Extracted

  • Language

    hta

  • Source

    hta.dropper

  • URLs

    https://dl.dropboxusercontent.com/scl/fi/aur0asu195akuhc7q88lq/mlwr?rlkey=ltpi9kve7882q0vksvvb54han

Extracted

Family

lumma

C2

https://executivebrakeji.shop/api

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Targets

    • Target

      707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50.lnk

    • Size

      1KB

    • MD5

      c7945d1c593363055616d6e427b8e2a2

    • SHA1

      2c5f9b6fc746efb5caad3b31755c801f9ad1ac7b

    • SHA256

      707e623b27d794685b3b0a24d1dafe035274f62535fa67934eb1a4d39d3d9b50

    • SHA512

      7fb10ad46450b7ceeebdf3e9144447c59c22c67a6c7d026a1dbebcb665ee6bf1588958c5388e0358f18ecf71539dfd67050bb7ffeb516d2904d5cd77a1786d19

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • UAC bypass

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks