lumma | cec9695af44751223a659fcf55a23874aaebfe97e44237bddbc68ee8cd448c9d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 05:57

Target

tmp.exe
Size

454KB
MD5

5abd2bda4e977edcb6ea8bad53084809
SHA1

e0d07424d71edd4945ba9cee7ac972bdef973188
SHA256

cec9695af44751223a659fcf55a23874aaebfe97e44237bddbc68ee8cd448c9d
SHA512

3f3e6d9f2bbb489a25589c9fe3438090e3448afd89763923fc0f1e7b97b4a066d330ebd2b510c229f669c7e20c1f57fa85716de147791ea066b94dc149fa174d
SSDEEP

6144:Wi1tN0iF8jF7xeumh7ktWltF8mM84L+lPLb2/0s6ScZjMfBHNX2J+22:pNPudSs0nlPu0s6SEmBHNj

Score

10^/10

Family

lumma

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/980-0-0x00000000004F0000-0x0000000000562000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 980 set thread context of 4440	980	tmp.exe	92

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 3888	980	tmp.exe	91
PID 980 wrote to memory of 3888	980	tmp.exe	91
PID 980 wrote to memory of 3888	980	tmp.exe	91
PID 980 wrote to memory of 4440	980	tmp.exe	92
PID 980 wrote to memory of 4440	980	tmp.exe	92
PID 980 wrote to memory of 4440	980	tmp.exe	92
PID 980 wrote to memory of 4440	980	tmp.exe	92
PID 980 wrote to memory of 4440	980	tmp.exe	92
PID 980 wrote to memory of 4440	980	tmp.exe	92
PID 980 wrote to memory of 4440	980	tmp.exe	92
PID 980 wrote to memory of 4440	980	tmp.exe	92
PID 980 wrote to memory of 4440	980	tmp.exe	92

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4440

memory/980-0-0x00000000004F0000-0x0000000000562000-memory.dmp

Filesize
456KB

Download
memory/980-1-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/980-2-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/980-9-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/980-11-0x0000000002850000-0x0000000004850000-memory.dmp

Filesize
32.0MB

Download
memory/980-16-0x0000000002850000-0x0000000004850000-memory.dmp

Filesize
32.0MB

Download
memory/4440-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4440-10-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4440-12-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4440-13-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4440-14-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4440-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download