Malware Analysis Report

2024-11-30 05:03

Sample ID 240229-hqlx1shg73
Target 468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212
SHA256 468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212

Threat Level: Known bad

The file 468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212 was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Blocklisted process makes network request

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-29 06:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 06:56

Reported

2024-02-29 07:00

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 06:56

Reported

2024-02-29 07:00

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

156s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-29 06:56

Reported

2024-02-29 07:00

Platform

win7-20240221-en

Max time kernel

146s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lSetup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2372 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe C:\Windows\SysWOW64\cmd.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\cmd.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\lSetup.exe

"C:\Users\Admin\AppData\Local\Temp\lSetup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 172

Network

N/A

Files

memory/2372-0-0x00000000747E0000-0x0000000074954000-memory.dmp

memory/2372-1-0x00000000773A0000-0x0000000077549000-memory.dmp

memory/2372-10-0x00000000747E0000-0x0000000074954000-memory.dmp

memory/2372-11-0x00000000747E0000-0x0000000074954000-memory.dmp

memory/2604-13-0x00000000747E0000-0x0000000074954000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\258ab0fc

MD5 7fd88099181641cba6f7238bab84d5f7
SHA1 79d04c79fe33b0c47072b9a3cff79a3d36ecee0e
SHA256 95f9ddd26f810ae4aec328134d5459494423a171b30957722b4c1bbaebb64ec5
SHA512 c7dc64602b17fa3bec5e616fb18fa64d5bd94fc2cfddc0ee04d03038d6d43cb551e68617c8dfd748df81dedcabb2cd441871110ffc268931af9798f81d82f491

memory/2604-15-0x00000000773A0000-0x0000000077549000-memory.dmp

memory/2604-16-0x00000000729D0000-0x0000000073A32000-memory.dmp

memory/2604-20-0x00000000747E0000-0x0000000074954000-memory.dmp

memory/2604-21-0x0000000000370000-0x0000000000371000-memory.dmp

memory/2604-22-0x00000000729D0000-0x0000000073A32000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-29 06:56

Reported

2024-02-29 07:00

Platform

win10v2004-20240226-en

Max time kernel

124s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lSetup.exe"

Signatures

Lumma Stealer

stealer lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4348 set thread context of 952 N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe C:\Windows\SysWOW64\cmd.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\cmd.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\lSetup.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\lSetup.exe

"C:\Users\Admin\AppData\Local\Temp\lSetup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 952 -ip 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1188

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 joystickempiricalhirpw.site udp
US 8.8.8.8:53 qualifiedbehaviorrykej.site udp
US 104.21.35.143:443 qualifiedbehaviorrykej.site tcp
US 8.8.8.8:53 143.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/4348-0-0x0000000074A90000-0x0000000074C0B000-memory.dmp

memory/4348-1-0x00007FFB1C310000-0x00007FFB1C505000-memory.dmp

memory/4348-10-0x0000000074A90000-0x0000000074C0B000-memory.dmp

memory/4348-11-0x0000000074A90000-0x0000000074C0B000-memory.dmp

memory/952-13-0x0000000074A90000-0x0000000074C0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8c17e83d

MD5 b00f8ca79f974c0e92558e637bffcd0d
SHA1 e4591697f842b6b6200dcefa6eeaeeedab672236
SHA256 b475aa4713df9f63a4f7c8298bec00900ec072865d53760dde9168c0486b3067
SHA512 b90df2453e454cc5bae8d40b6fc226b6eae0cddbfb3e3534e4ec368dea7abac7ec48743accccc7222411e13da19a84058f62587c3672ad522ed1179e320a9a7d

memory/952-15-0x00007FFB1C310000-0x00007FFB1C505000-memory.dmp

memory/952-16-0x0000000073530000-0x0000000074784000-memory.dmp

memory/952-20-0x0000000074A90000-0x0000000074C0B000-memory.dmp

memory/952-21-0x0000000073530000-0x0000000074784000-memory.dmp