Overview

overview

10

Static

static

3

FоrtniteH...ck.exe

windows10-2004-x64

10

FоrtniteH...-8.dll

windows10-2004-x64

1

FоrtniteH...16.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    593s
  • max time network
    601s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-04-2024 20:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FоrtniteHack/FоrtniteHack/FоrtniteHack.exe

  • Size

    2.4MB

  • MD5

    98d67174a64d76751fe7f5f9b59acd0f

  • SHA1

    8ff6b05c0d393f398d8bf7f217b61ef4559e5051

  • SHA256

    2350036f4d3ada372336a56429281f96d7deefc637246ede1668ef6a33f7b4b1

  • SHA512

    55cf83aeb444d8a084987924fd808ca96b94aca405d261fb3702c78387298c5604f8fb8391affe6901a3875581c487ea46ab25ce589862b7cd7b8129e26867b9

  • SSDEEP

    49152:2uWXVMDdRolOyNTE91NaLnq6x8DGLyGC:hiSDdRoUYE910LJR

Score
10/10
lummastealer

Malware Config

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FоrtniteHack\FоrtniteHack\FоrtniteHack.exe
    "C:\Users\Admin\AppData\Local\Temp\FоrtniteHack\FоrtniteHack\FоrtniteHack.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:2488

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\d3d9.dll
      Filesize

      401KB

      MD5

      f33827e096a4f5b285a1302c1d9b77a7

      SHA1

      c60f62deb06357f4441a70446568d2917a0d6114

      SHA256

      fad067e2cd5c4db0996fa8c07d39b7f82b45c6188d9eb0c7a4440f68a62242c0

      SHA512

      8bb313ab84f0c0f4839561b2fcfac1280dd0ceefb64af313afcf71d4520a53b32d7bcc284b35c21be75595bb12ef42f988191196fc85dec81b6a02caac02380d

      Download Submit
    • memory/2488-8-0x0000000001100000-0x000000000114F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/2488-14-0x0000000001100000-0x000000000114F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/2488-17-0x0000000001100000-0x000000000114F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/4888-0-0x0000000000E40000-0x00000000011DC000-memory.dmp
      Filesize

      3.6MB

      Download
    • memory/4888-1-0x00000000752D0000-0x0000000075A80000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4888-2-0x0000000005650000-0x0000000005651000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4888-12-0x00000000752D0000-0x0000000075A80000-memory.dmp
      Filesize

      7.7MB

      Download