Overview

overview

10

Static

static

10

0490e8427a...c7.elf

ubuntu-18.04-amd64

0490e8427a...c7.elf

debian-9-armhf

0490e8427a...c7.elf

debian-9-mips

0490e8427a...c7.elf

debian-9-mipsel

068428a4ac...26.exe

windows7-x64

1

068428a4ac...26.exe

windows10-2004-x64

1

087421ac22...94.elf

debian-9-mipsel

10

0c4791a6b4...ea.elf

debian-9-armhf

10

0d9bd2ae2e...ea.exe

windows7-x64

10

0d9bd2ae2e...ea.exe

windows10-2004-x64

7

0fa00d4f4f...70.dll

windows7-x64

1

0fa00d4f4f...70.dll

windows10-2004-x64

1

10de02fec8...d1.bat

windows7-x64

1

10de02fec8...d1.bat

windows10-2004-x64

8

1157191701...32.exe

windows7-x64

7

1157191701...32.exe

windows10-2004-x64

10

16e81343ec...a5.exe

windows7-x64

7

16e81343ec...a5.exe

windows10-2004-x64

7

17691f0962...b7.elf

debian-9-mipsel

7

17c24104e8...12.exe

windows7-x64

3

17c24104e8...12.exe

windows10-2004-x64

3

$PLUGINSDI...ol.dll

windows7-x64

3

$PLUGINSDI...ol.dll

windows10-2004-x64

3

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

CommandPost.exe

windows7-x64

3

CommandPost.exe

windows10-2004-x64

3

Uninstall.exe

windows7-x64

7

Uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

1816cd993d...28.exe

windows7-x64

7

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Analysis

  • max time kernel
    129s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe

  • Size

    14.4MB

  • MD5

    ecaa6f88c3b6594914a8ffde04fd5d84

  • SHA1

    885e4370299d369f7285ba5f2c544cbcd70a5fd0

  • SHA256

    11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432

  • SHA512

    94712c9ceddc1e2abd7ec19dc39bf2cbea54d3430f66887e2e0861c2cdb4c4ee24c39d3140c9374e826049516b814c3fcfcf4c49402bc5c2335d87bc0ee67f83

  • SSDEEP

    393216:hp8QGQCKH9iqYCfy8tW5MrYR0aioa4CMRmrrCZRBkyQzy:v8QGrK5GXR9ioaJMRmrrdysy

Score
10/10
lummastealer

Malware Config

Extracted

Family

lumma

C2

https://interferencesandyshiw.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://affordcharmcropwo.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
    "C:\Users\Admin\AppData\Local\Temp\11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Users\Admin\AppData\Local\Temp\GUBootService.exe
      "C:\Users\Admin\AppData\Local\Temp\GUBootService.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Users\Admin\AppData\Local\Temp\Fahu.au3
          C:\Users\Admin\AppData\Local\Temp\Fahu.au3
          4⤵
          • Loads dropped DLL
          PID:4796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1ee5a6d3
    Filesize

    2.0MB

    MD5

    d2235aeb97c1be6fbdd13517579bcbf9

    SHA1

    335abcda67ceab10c96bf4855642e031d65aa282

    SHA256

    fa699bcb14ae008a91105ab5ba25744e1f16420b95c628ce21329b285cee511a

    SHA512

    e4fcedf30de47a134d77ebd245c1e4036c8cdffdea84a44dad982e5c62346fc8ff304266e8b62d190159c5c6619d1bf5dc1ff8d70e73f78d56015d6f661c2041

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\22bf6e08
    Filesize

    1.8MB

    MD5

    710b93096180db83add608f7457c2450

    SHA1

    1f69cb72a7a92e9787f946d76de7b87ef488cc3b

    SHA256

    261442bb47bc1b9ec139fd11efa7fefeab65a7df9d312251f403c33f34d8622a

    SHA512

    ec1f7851f6c4bd3f8e77e6b4ae49eaf7d2830db28593fc439c8684eeb015d2643e077a1bf7d0a9a578c8aac51d4027cf0a0b9b08c6eba7619fd0ebf15d3ec6ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Fahu.au3
    Filesize

    925KB

    MD5

    0162a97ed477353bc35776a7addffd5c

    SHA1

    10db8fe20bbce0f10517c510ec73532cf6feb227

    SHA256

    15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

    SHA512

    9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GUBootService.exe
    Filesize

    11.5MB

    MD5

    4a053e8f03eba1dd6fcd28aeea8dc05f

    SHA1

    080d5f4b1c1e892658672aded073b70dfd14f7de

    SHA256

    6a5cc7a1803b002e91129d9317fa8f2d79fc07775ded7163c38d41569f8068ed

    SHA512

    32e3cc6fbb5db6b38c5aa18b3bb077c9e03e218d3698d6a30a6e62bfcba2692d4b625b286df0604637a5a7488d8215406c46f337f8ca908081b300a58945de3d

    Download Submit

  • memory/2120-119-0x00007FF9DE0D0000-0x00007FF9DE2C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2120-125-0x0000000073680000-0x00000000737FB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2120-122-0x0000000073680000-0x00000000737FB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2120-121-0x0000000073680000-0x00000000737FB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2120-117-0x0000000073680000-0x00000000737FB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3460-114-0x0000000073680000-0x00000000737FB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3460-115-0x0000000073680000-0x00000000737FB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3460-113-0x00007FF9DE0D0000-0x00007FF9DE2C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3460-112-0x0000000073680000-0x00000000737FB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3460-106-0x0000000000400000-0x000000000081A000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4796-127-0x00007FF9DE0D0000-0x00007FF9DE2C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4796-128-0x0000000000220000-0x000000000026D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/4796-130-0x0000000000E20000-0x0000000000F0B000-memory.dmp

    Filesize

    940KB

    Download

  • memory/4796-131-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4796-133-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4796-134-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4796-132-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4796-135-0x0000000000220000-0x000000000026D000-memory.dmp

    Filesize

    308KB

    Download