lumma | d160705c870ec3a76eb6626440d20a0101b972149561c6f27ef5e7f0958ce1a3

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 07:17

Target

13ba54cd51054b82cc24cb5dfbdc1256.exe
Size

3.9MB
MD5

13ba54cd51054b82cc24cb5dfbdc1256
SHA1

94ef4fad3c22b764fd6dc5a90490ca07aec25401
SHA256

d160705c870ec3a76eb6626440d20a0101b972149561c6f27ef5e7f0958ce1a3
SHA512

703141ed1a5999806810cc224c907dfef4f9570226205ba68b34d2d2334b3618bafa2a5bcb1cea012d77f2d222a23cb920c11cfc59a71e118f81fddfa5af3c8f
SSDEEP

98304:iuSkCqdCgvipkZezOcuNLxZOVogKAEYOe/t9nQsc4KxqzEqw:i1dqdWdzVMxonAYOeDnpc46Nt

Score

10^/10

Family

lumma

https://associationokeo.shop/api

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4224-0-0x0000000000120000-0x00000000001A6000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96
PID 4224 wrote to memory of 4228	4224	13ba54cd51054b82cc24cb5dfbdc1256.exe	96

C:\Users\Admin\AppData\Local\Temp\13ba54cd51054b82cc24cb5dfbdc1256.exe
"C:\Users\Admin\AppData\Local\Temp\13ba54cd51054b82cc24cb5dfbdc1256.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:3472

memory/4224-0-0x0000000000120000-0x00000000001A6000-memory.dmp

Filesize
536KB

Download
memory/4224-1-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/4224-2-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4224-8-0x00000000026B0000-0x00000000046B0000-memory.dmp

Filesize
32.0MB

Download
memory/4224-11-0x0000000075100000-0x00000000758B0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4228-10-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4228-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4228-13-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4228-14-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4228-15-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4228-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download