lumma | 20609025c17c188b73fef9ef02e672440b96da91fafa994497d69d76ed017826

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 17:38

Target

freedom.v1.11/spoofer.exe
Size

451KB
MD5

9b8580dda1d8a365381b4921392aaef5
SHA1

fb730478dd40d95dd86cfc59bbae668f8139683c
SHA256

a2b9fbbf50e309eca6543567b4c1b1b82bbfb6c344104445bc5b8d7c88ee0008
SHA512

82cc7ef2408de93f4d5c293d6da00c83adea9ffbf3435a565697e8ea1e488f2a247facc7387123259839f5f1bc67cf15080d8881b40958f25ff160b5be6990f9
SSDEEP

6144:i0n6v/63f938FCQzovvLx9Yg5fSLL32bTp9XT7tIRS3BMs2VCG:NlPV8FCQz6YCfLzHqyBMnVL

Score

10^/10

Family

lumma

https://wisemassiveharmonious.shop/api

https://colorfulequalugliess.shop/api

https://relevantvoicelesskw.shop/api

https://associationokeo.shop/api

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral4/memory/2068-0-0x0000000000040000-0x00000000000B8000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 1992	2068	spoofer.exe	92

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92
PID 2068 wrote to memory of 1992	2068	spoofer.exe	92

C:\Users\Admin\AppData\Local\Temp\freedom.v1.11\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\freedom.v1.11\spoofer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1992

memory/1992-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1992-9-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1992-12-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/1992-13-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/1992-14-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1992-15-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2068-0-0x0000000000040000-0x00000000000B8000-memory.dmp

Filesize
480KB

Download
memory/2068-1-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/2068-2-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2068-10-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/2068-11-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download
memory/2068-16-0x00000000024A0000-0x00000000044A0000-memory.dmp

Filesize
32.0MB

Download