General

  • Target

    VI3 Operation Guide_tech Info version‮fdp.exe

  • Size

    2.1MB

  • Sample

    240407-xn51faca59

  • MD5

    55f8831a8b5bb5868462b91fadf8f2c4

  • SHA1

    dfa43f0d6ea531d99268635bbb14307464bfdf00

  • SHA256

    ad6e0e24c2791245c085cb50b3722dbad5fc6bc40129e74780dc996d2984317c

  • SHA512

    e9b3fcccbc858b9ae635be9dbc4cbd3d942435fd1bcc25d3b343b1d09e7123110b503c3c1b780389454f8ea4c58c4bc289e2216fe65132510a177311aa90fa88

  • SSDEEP

    3072:ax7eBNaqU17pYkH+wWtai4GlIQZboLRi9ua/aHyvF3d2itMOwwwwsVqWAEaqE9qn:ax6SqUDr75GlVbANOwwwwswWYqEoy
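The Target filename above is not a typo: between "version" and "fdp.exe" it carries U+202E (RIGHT-TO-LEFT OVERRIDE), so a bidi-aware file browser draws the trailing run reversed and the user sees "...versionexe.pdf" while the OS still treats the file as an .exe. The following Python is an added example, not part of this report, that finds bidi control characters in a filename, approximates the displayed name, and compares the shown extension with the real one. The simplified rendering (reverse everything after U+202E until U+202C or end of string) and the executable-extension list are this example's own assumptions.

```python
import os
import unicodedata

# Unicode bidirectional control characters that change how a filename is
# displayed without changing the bytes the OS uses to open it.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO, PDF = "\u202e", "\u202c"

# Extensions Windows executes directly (assumed list for the demo).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "lnk"}

# The Target filename from this report, with the override embedded.
SAMPLE_NAME = "VI3 Operation Guide_tech Info version\u202efdp.exe"


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a bidi-aware UI shows: the run after U+202E is drawn
    reversed until U+202C or the end of the string, and the control characters
    themselves are invisible. This is a simplification of the full Unicode
    bidi algorithm, enough to reproduce the visual deception."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            while j < len(name) and name[j] != PDF:
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def real_extension(name):
    """Extension the OS acts on: the text after the last dot in the raw string."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def assess(name):
    """Summarise the mismatch between what the user sees and what runs."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    real_ext = real_extension(name)
    shown_ext = os.path.splitext(shown)[1].lstrip(".").lower()
    return {
        "bidi_controls": controls,
        "rendered": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "suspicious": bool(controls) or shown_ext != real_ext,
    }


if __name__ == "__main__":
    for n in (SAMPLE_NAME, "quarterly_report.pdf"):
        print(repr(n), "->", assess(n))
```

Run it over attachment names at the mail gateway or over new files in a download directory; any filename with a bidi control character is worth quarantining regardless of what extension it appears to have.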

Malware Config

Extracted

Family

lumma

C2

https://appliedgrandyjuiw.shop/api

https://birdpenallitysydw.shop/api

https://cinemaclinicttanwk.shop/api

https://disagreemenywyws.shop/api

https://speedparticipatewo.shop/api

https://fixturewordbakewos.shop/api

https://colorprioritytubbew.shop/api

https://abuselinenaidwjuew.shop/api

https://methodgreenglassdatw.shop/api
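The nine C2 URLs above are the actionable indicators in this report. The following Python is an added example, not part of the report or of any Lumma tooling, that turns them into a host blocklist and scans proxy log lines for contact with them. The log format (timestamp, source IP, method, URL, status) and the log lines are constructed for the demo; the looser ".shop domain with an /api path" heuristic is an assumption drawn from the shape of this list, not a documented Lumma rule, so its hits are reported at lower confidence.

```python
import re
from urllib.parse import urlparse

# The nine C2 URLs from the extracted Lumma config on this page.
LUMMA_C2_URLS = [
    "https://appliedgrandyjuiw.shop/api",
    "https://birdpenallitysydw.shop/api",
    "https://cinemaclinicttanwk.shop/api",
    "https://disagreemenywyws.shop/api",
    "https://speedparticipatewo.shop/api",
    "https://fixturewordbakewos.shop/api",
    "https://colorprioritytubbew.shop/api",
    "https://abuselinenaidwjuew.shop/api",
    "https://methodgreenglassdatw.shop/api",
]
C2_HOSTS = {urlparse(u).hostname for u in LUMMA_C2_URLS}

# Low-confidence heuristic for the shape of these C2s (assumption, not a
# documented Lumma rule): a .shop domain with an /api path.
LOOSE_PATTERN = re.compile(r"^https?://[a-z0-9.-]+\.shop/api/?$", re.IGNORECASE)

# Constructed proxy log lines for the demo: "timestamp src method url status".
# They are not taken from the sample's execution or any real environment.
SAMPLE_LOG = """\
2024-04-07T10:15:01Z 10.0.0.21 GET https://www.example.com/ 200
2024-04-07T10:15:07Z 10.0.0.21 POST https://appliedgrandyjuiw.shop/api 200
2024-04-07T10:15:09Z 10.0.0.21 POST https://methodgreenglassdatw.shop/api 200
2024-04-07T10:15:12Z 10.0.0.33 POST https://someotherstore.shop/api 404
2024-04-07T10:15:15Z 10.0.0.33 GET https://example.shop/ 200
"""


def parse_line(line):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def classify(url):
    """'c2_exact' for a listed host, 'c2_heuristic' for the loose shape, else None."""
    host = (urlparse(url).hostname or "").lower()
    if host in C2_HOSTS:
        return "c2_exact"
    if LOOSE_PATTERN.match(url):
        return "c2_heuristic"
    return None


def scan_log(text):
    """Return one hit record per log line that matches an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["url"])
        if verdict:
            hits.append({
                "line": n,
                "src": rec["src"],
                "host": urlparse(rec["url"]).hostname,
                "verdict": verdict,
            })
    return hits


def blocklist():
    """Hostnames to feed a DNS sinkhole or proxy deny list."""
    return sorted(C2_HOSTS)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Exact host matches are enough to open an incident on the source IP; heuristic matches should be triaged against the domain's age and certificate before blocking, since the pattern will also catch legitimate .shop sites that happen to expose an /api endpoint.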

Targets

    • Target

      VI3 Operation Guide_tech Info version‮fdp.exe

    • Size

      2.1MB

    • MD5

      55f8831a8b5bb5868462b91fadf8f2c4

    • SHA1

      dfa43f0d6ea531d99268635bbb14307464bfdf00

    • SHA256

      ad6e0e24c2791245c085cb50b3722dbad5fc6bc40129e74780dc996d2984317c

    • SHA512

      e9b3fcccbc858b9ae635be9dbc4cbd3d942435fd1bcc25d3b343b1d09e7123110b503c3c1b780389454f8ea4c58c4bc289e2216fe65132510a177311aa90fa88

    • SSDEEP

      3072:ax7eBNaqU17pYkH+wWtai4GlIQZboLRi9ua/aHyvF3d2itMOwwwwsVqWAEaqE9qn:ax6SqUDr75GlVbANOwwwwswWYqEoy

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v15

Tasks