lumma | 18f17375402cffe877271fdeedb0e78ebf492ba954da3bfcbc742fd5fd567492

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 05:15

Target

40dd510795e82f9a51301896809c2d95.exe
Size

468KB
MD5

40dd510795e82f9a51301896809c2d95
SHA1

5bc4f3a04dae16cd6c69dd442551a795c9caa9ef
SHA256

18f17375402cffe877271fdeedb0e78ebf492ba954da3bfcbc742fd5fd567492
SHA512

c2fa10356790136e1bacbf0bc26eb015d6ceae49d2fb953fc80cb3085375d050000b2672cf15bc97fd633a31e6012e0fe47e282f31a614192840f85624b693c8
SSDEEP

6144:sR0tQjTAMFGf1nAB9/huXDttKkDklFuktsferJ/f7UF3HfuXeZWquoQ:sRK1y5IDnKkDxkme5f6HfuurHQ

Score

10^/10

Family

lumma

https://associationokeo.shop/api

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5092-1-0x0000000000DC0000-0x0000000000E36000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

40dd510795e82f9a51301896809c2d95.exe

description pid process target process

PID 5092 set thread context of 3104 5092 40dd510795e82f9a51301896809c2d95.exe RegAsm.exe

description	pid	process	target process
PID 5092 set thread context of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

40dd510795e82f9a51301896809c2d95.exe

description	pid	process	target process
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe
PID 5092 wrote to memory of 3104	5092	40dd510795e82f9a51301896809c2d95.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4112

memory/3104-15-0x0000000001350000-0x0000000001382000-memory.dmp

Filesize
200KB

Download
memory/3104-13-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/3104-17-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3104-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3104-9-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3104-16-0x0000000001350000-0x0000000001382000-memory.dmp

Filesize
200KB

Download
memory/3104-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3104-14-0x0000000001350000-0x0000000001382000-memory.dmp

Filesize
200KB

Download
memory/5092-11-0x0000000003320000-0x0000000005320000-memory.dmp

Filesize
32.0MB

Download
memory/5092-0-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/5092-1-0x0000000000DC0000-0x0000000000E36000-memory.dmp

Filesize
472KB

Download
memory/5092-10-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/5092-2-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/5092-18-0x0000000003320000-0x0000000005320000-memory.dmp

Filesize
32.0MB

Download