General

  • Target

    c585972249de4ca2326bd4176c3d4705

  • Size

    445KB

  • Sample

    240313-lfhz6abf43

  • MD5

    c585972249de4ca2326bd4176c3d4705

  • SHA1

    0d03ffce979aba7f93a3871b3f544fbe206a8dcf

  • SHA256

    aa0f1369161e91188db4de8519b0b7ba4801f8f2693ff3b8a30565a3272c85c8

  • SHA512

    498ab5df94ea5157b995112024b6e34d965d848804139a69d2b6f43c10d1abd536b9f062f894c866813abacf5bc83f2a20b313a25429a583512449f193e9a918

  • SSDEEP

    12288:S4C7lGik2XbR68ri58LYN3aBOVuFYy3qviH:olHTbQ8GGLYNq9H

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor
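The extracted config identifies the Metasploit component only by its encoder, x86/call4_dword_xor (the same component the MetaSploit signature below refers to). That encoder prepends a short decoder stub which, at run time, locates itself with a `call $+4` trick and XORs the payload in place, one dword at a time, with a fixed 4-byte key; the key and the dword count are therefore sitting in the stub and can be recovered statically. The Python below is an example added here (it is not part of the report, the sandbox, or Metasploit itself): it reproduces the stub layout from the encoder module's `decoder_stub`, builds an encoded buffer from a constructed payload, and then recovers key, count and payload from an arbitrary blob the way a triage script would. It assumes the stub's default `xor ecx,ecx / sub ecx,-N` register load; when bad characters force the encoder to load ecx differently, the regex would need extending (the `81 76 0e KEY` xor instruction stays the same and is the part worth signaturing).

```python
import re
import struct

# Layout of the decoder stub that Metasploit's x86/call4_dword_xor encoder
# prepends to a payload, in the form emitted when no bad characters force a
# different ecx-loading sequence (assumption, see lead-in). Only the dword
# count and the 4-byte XOR key vary from one encoding to another.
STUB_RE = re.compile(
    rb"\x31\xc9"                        # xor ecx, ecx
    rb"(?:\x83\xe9(.)|\x81\xe9(....))"  # sub ecx, -N (imm8 or imm32) -> ecx = N dwords
    rb"\xe8\xff\xff\xff\xff"            # call $+4: pushes the address of the next byte
    rb"\xc0"                            #   and resumes on the last 0xff: "ff c0" = inc eax
    rb"\x5e"                            # pop esi: esi -> the 0xc0 byte
    rb"\x81\x76\x0e(....)"              # xor dword [esi+0x0e], KEY (0x0e bytes from 0xc0 to payload)
    rb"\x83\xee\xfc"                    # sub esi, -4
    rb"\xe2\xf4",                       # loop -> back to the xor
    re.DOTALL,
)


def build_stub(dwords: int, key: int) -> bytes:
    """Assemble the stub for a payload of `dwords` dwords XORed with `key`."""
    if dwords <= 0:
        raise ValueError("payload must contain at least one dword")
    if dwords <= 128:                       # -128..-1 fits the sign-extended imm8 form
        load_ecx = b"\x83\xe9" + struct.pack("<b", -dwords)
    else:
        load_ecx = b"\x81\xe9" + struct.pack("<i", -dwords)
    return (b"\x31\xc9" + load_ecx
            + b"\xe8\xff\xff\xff\xff\xc0\x5e"
            + b"\x81\x76\x0e" + struct.pack("<I", key)
            + b"\x83\xee\xfc\xe2\xf4")


def encode_call4_dword_xor(payload: bytes, key: int) -> bytes:
    """Stub + payload XORed dword-by-dword with one fixed key (no key feedback)."""
    # Pad to a dword boundary. Zero padding keeps this deterministic, but note
    # that it leaks the key (0 ^ key == key) in the final dword.
    payload += b"\x00" * (-len(payload) % 4)
    body = b"".join(struct.pack("<I", w ^ key)
                    for (w,) in struct.iter_unpack("<I", payload))
    return build_stub(len(payload) // 4, key) + body


def decode_call4_dword_xor(blob: bytes) -> dict:
    """Locate the stub anywhere in `blob`, read count and key out of it and
    recover the payload exactly as the stub would at run time."""
    m = STUB_RE.search(blob)
    if m is None:
        raise ValueError("no call4_dword_xor decoder stub found")
    if m.group(1) is not None:
        imm = struct.unpack("<b", m.group(1))[0]
    else:
        imm = struct.unpack("<i", m.group(2))[0]
    dwords = -imm                           # the stub executes sub ecx, -N
    key = struct.unpack("<I", m.group(3))[0]
    enc = blob[m.end():m.end() + 4 * dwords]
    if len(enc) != 4 * dwords:
        raise ValueError("blob ends before the encoded payload does")
    dec = b"".join(struct.pack("<I", w ^ key)
                   for (w,) in struct.iter_unpack("<I", enc))
    return {"offset": m.start(), "key": key, "dwords": dwords, "payload": dec}


if __name__ == "__main__":
    # Constructed demo input: not shellcode, just bytes wrapped the way the encoder would.
    sample = b"\x90" * 16 + encode_call4_dword_xor(b"constructed test payload", 0x41424344)
    info = decode_call4_dword_xor(sample)
    print(f"stub at {info['offset']:#x}, key {info['key']:#010x}, {info['dwords']} dwords")
    print(info["payload"])
```

Against a real sample you would run `decode_call4_dword_xor` over the carved region (or the whole file) and hand the recovered payload to the next stage of analysis; because the key never leaves the stub, there is nothing to brute-force.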

Targets

    • Target

      c585972249de4ca2326bd4176c3d4705

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • MetaSploit

      Detected a malicious payload belonging to the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Looks for VMWare Tools registry key

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory
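The signature names above (Winlogon modification, Run key, Installed Components, firewall policy and security-service changes) are categories; the report does not list the values this sample actually wrote. The Python below is an added example, not from the report or the sandbox, that maps those categories to the standard registry locations behind them and flags deviations in a `.reg` export of the kind you would pull from an infected host. The export embedded in it is constructed (the `C:\ProgramData\Update\svc.exe` path and the all-zero Active Setup GUID are made up), and the parser handles only the `.reg` subset it needs: `[key]` headers, `"name"="string"` and `"name"=dword:` values.

```python
# Standard Windows registry locations behind the signature categories above.
# These are well-known paths, not values recovered from this sample.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {          # stock values; anything appended here runs at logon
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
FIREWALL_POLICY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                   r"\Parameters\FirewallPolicy")
DEFENDER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: data}}. String data is
    unescaped (\\\\ -> \\, \\" -> "), dword data becomes an int."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                reg[key][name] = int(raw[len("dword:"):], 16)
            else:
                reg[key][name] = raw.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return reg


def _under(key: str, parent: str) -> bool:
    return key.lower().startswith(parent.lower() + "\\")


def find_persistence_and_tampering(reg: dict) -> list:
    """Return (category, name, data) tuples for each artefact worth a look.
    Run-key entries are reported unconditionally: legitimate software uses
    them too, so they need an analyst's eye rather than a fixed verdict."""
    findings = []
    winlogon = reg.get(WINLOGON, {})
    for name, default in WINLOGON_DEFAULTS.items():
        data = winlogon.get(name)
        if data is not None and data.lower() != default.lower():
            findings.append(("winlogon", name, data))
    for run_key in RUN_KEYS:
        for name, cmd in reg.get(run_key, {}).items():
            findings.append(("run_key", name, cmd))
    for key, values in reg.items():
        leaf = key.rsplit("\\", 1)[-1]
        if _under(key, ACTIVE_SETUP) and "StubPath" in values:
            findings.append(("active_setup", leaf, values["StubPath"]))
        if _under(key, FIREWALL_POLICY) and values.get("EnableFirewall") == 0:
            findings.append(("firewall_disabled", leaf, 0))
    if reg.get(DEFENDER_POLICY, {}).get("DisableAntiSpyware") == 1:
        findings.append(("defender_disabled", "DisableAntiSpyware", 1))
    return findings


# Constructed export: one artefact per category, plus an untouched Shell value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Update\\svc.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update"="C:\\ProgramData\\Update\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\ProgramData\\Update\\svc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
'''

if __name__ == "__main__":
    for category, name, data in find_persistence_and_tampering(parse_reg_export(SAMPLE_REG)):
        print(f"{category:18} {name}: {data}")
```

On a live host the same checks can be run against `reg export` output of the keys listed at the top; the Winlogon comparison against stock values is the one that most reliably separates a logon hijack from noise.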

MITRE ATT&CK Enterprise v15

Tasks