Malware Analysis Report

2025-06-15 19:53

Sample ID 240425-2z8ypagb52
Target bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a
SHA256 bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a

Threat Level: Known bad

The file bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Unsigned PE

Program crash

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-25 23:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 23:02

Reported

2024-04-25 23:04

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a.exe

"C:\Users\Admin\AppData\Local\Temp\bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 strollheavengwu.shop udp
US 172.67.163.209:443 strollheavengwu.shop tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 productivelookewr.shop udp
US 104.21.11.250:443 productivelookewr.shop tcp
US 8.8.8.8:53 209.163.67.172.in-addr.arpa udp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 104.21.89.202:443 tolerateilusidjukl.shop tcp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 250.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 202.89.21.104.in-addr.arpa udp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 104.21.86.106:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 225.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 172.67.147.169:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 106.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 23.157.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 169.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/4028-1-0x0000000002D10000-0x0000000002E10000-memory.dmp

memory/4028-2-0x00000000030E0000-0x000000000312B000-memory.dmp

memory/4028-3-0x0000000000400000-0x0000000002C39000-memory.dmp

memory/4028-4-0x0000000000400000-0x0000000002C39000-memory.dmp

memory/4028-6-0x00000000030E0000-0x000000000312B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 23:02

Reported

2024-04-25 23:04

Platform

win11-20240412-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a.exe

"C:\Users\Admin\AppData\Local\Temp\bb27e654bd3d0fc63c49b44f9d6c0a2bd73e11366ffb335c3ed2fb23eceaf48a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1260

Network

Country Destination Domain Proto
US 8.8.8.8:53 strollheavengwu.shop udp
US 104.21.15.198:443 strollheavengwu.shop tcp
US 104.21.11.250:443 productivelookewr.shop tcp
US 104.21.89.202:443 tolerateilusidjukl.shop tcp
US 104.21.95.19:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 250.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 202.89.21.104.in-addr.arpa udp
US 172.67.216.69:443 shortsvelventysjo.shop tcp
US 104.21.86.106:443 incredibleextedwj.shop tcp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
US 172.67.192.138:443 liabilitynighstjsko.shop tcp
US 172.67.147.169:443 demonstationfukewko.shop tcp
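The two Network tables above (behavioral1 and behavioral2) are flattened sandbox output: resolver traffic to 8.8.8.8:53, reverse (in-addr.arpa) lookups the sandbox host performs on its own, one TLS connection with no domain attached, and the nine .shop domains the sample actually contacts. The following script is an added example, not part of the sandbox report, that parses a subset of those rows (copied verbatim from the tables), strips the noise, maps each domain to every IP it was reached on across both detonations, and emits one Suricata dns.query rule per domain. The SID range and the rule message text are placeholders chosen for the example; the row format assumption is "Country Destination[ Domain] Proto" with an empty Domain column for connections the sandbox could not name.

```python
import re
from collections import defaultdict

# Subset of rows copied verbatim from the report's two Network tables
# (behavioral1 and behavioral2).  The PTR lookup and the domainless
# connection are kept on purpose so the noise filter has work to do.
NETWORK_ROWS = """\
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 strollheavengwu.shop udp
US 172.67.163.209:443 strollheavengwu.shop tcp
US 104.21.11.250:443 productivelookewr.shop tcp
US 104.21.89.202:443 tolerateilusidjukl.shop tcp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 104.21.86.106:443 incredibleextedwj.shop tcp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
US 172.67.147.169:443 demonstationfukewko.shop tcp
US 13.107.253.64:443 tcp
US 104.21.15.198:443 strollheavengwu.shop tcp
US 104.21.95.19:443 shatterbreathepsw.shop tcp
US 172.67.216.69:443 shortsvelventysjo.shop tcp
US 172.67.192.138:443 liabilitynighstjsko.shop tcp
"""

# Assumed row layout: Country Destination[ Domain] Proto; Domain may be absent.
ROW_RE = re.compile(
    r"^(?P<country>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Turn the flattened table into dicts; refuse rows that do not fit the layout."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def is_noise(row):
    """Rows that carry no C2 signal: sandbox reverse lookups and
    connections the sandbox could not tie to a name."""
    dom = row["domain"]
    return dom is None or dom.endswith(".in-addr.arpa")


def extract_iocs(rows):
    """Map each contacted domain to the set of IPs it was reached on.
    A domain that was only queried (udp/53) is kept with an empty IP set."""
    iocs = defaultdict(set)
    for r in rows:
        if is_noise(r):
            continue
        iocs[r["domain"]]  # register the name even if only resolved
        if r["proto"] == "tcp":
            iocs[r["domain"]].add(r["ip"])
    return dict(iocs)


def multi_homed(iocs):
    """Domains seen on more than one IP across the two detonations: the
    name, not the address, is the stable indicator for these."""
    return sorted(d for d, ips in iocs.items() if len(ips) > 1)


def flag_queries(queries, iocs):
    """Match DNS query names (exact or subdomain) against the IOC domains."""
    hits = []
    for q in queries:
        q = q.lower().rstrip(".")
        for dom in iocs:
            if q == dom or q.endswith("." + dom):
                hits.append((q, dom))
    return hits


def suricata_dns_rules(iocs, base_sid=1000000):
    """One dns.query rule per domain.  SIDs from base_sid are placeholders
    (assumption: the reader substitutes a free local range)."""
    rules = []
    for i, dom in enumerate(sorted(iocs)):
        rules.append(
            f'alert dns any any -> any any (msg:"Lumma C2 domain {dom}"; '
            f'dns.query; content:"{dom}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(NETWORK_ROWS))
    for dom, ips in sorted(iocs.items()):
        print(f"{dom:28} {', '.join(sorted(ips)) or '(dns only)'}")
    print("multi-homed:", multi_homed(iocs))
    print("\n".join(suricata_dns_rules(iocs)))
```

Four of the nine domains resolve to a different address in the second detonation, so an IP blocklist built from one run would miss the other; the rules key on the queried name instead.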

Files

memory/1044-1-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

memory/1044-2-0x0000000004980000-0x00000000049CB000-memory.dmp

memory/1044-3-0x0000000000400000-0x0000000002C39000-memory.dmp

memory/1044-5-0x0000000004980000-0x00000000049CB000-memory.dmp
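The Processes and Files sections of both detonations fit together: WerFault.exe is launched from SysWOW64 with -p 4028 (behavioral1) and -p 1044 (behavioral2), which is Windows Error Reporting handling a crash of a 32-bit process with that PID (the "Program crash" signature in the overview), and the memory dumps carry the same PIDs. The dump names encode the start and end of each region, so the three distinct regions per run can be sized: one begins at 0x400000, the default 32-bit image base, and spans roughly 40 MiB in both runs. The script below is an added example, not part of the sandbox report, that performs that correlation on the command lines and dump names copied from the report. Whether the large image region is padding cannot be decided from this report alone; the 16 MiB threshold used to flag it is an assumption.

```python
import re

# Command lines and dump names copied from the report's Processes and Files
# sections (WerFault lines only; the sample's own command line adds nothing here).
DETONATIONS = {
    "behavioral1": {
        "cmdlines": [
            r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4028 -ip 4028",
            r"C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1148",
        ],
        "dumps": [
            "memory/4028-1-0x0000000002D10000-0x0000000002E10000-memory.dmp",
            "memory/4028-2-0x00000000030E0000-0x000000000312B000-memory.dmp",
            "memory/4028-3-0x0000000000400000-0x0000000002C39000-memory.dmp",
            "memory/4028-4-0x0000000000400000-0x0000000002C39000-memory.dmp",
            "memory/4028-6-0x00000000030E0000-0x000000000312B000-memory.dmp",
        ],
    },
    "behavioral2": {
        "cmdlines": [
            r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 1044",
            r"C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 488",
            r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1044 -ip 1044",
            r"C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1260",
        ],
        "dumps": [
            "memory/1044-1-0x0000000002CC0000-0x0000000002DC0000-memory.dmp",
            "memory/1044-2-0x0000000004980000-0x00000000049CB000-memory.dmp",
            "memory/1044-3-0x0000000000400000-0x0000000002C39000-memory.dmp",
            "memory/1044-5-0x0000000004980000-0x00000000049CB000-memory.dmp",
        ],
    },
}

WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
IMAGE_BASE_32 = 0x400000   # default image base of a 32-bit PE
INFLATED_MIB = 16          # heuristic threshold for an oversized image (assumption)


def crashed_pids(cmdlines):
    """PIDs named by WerFault's -p argument, i.e. the processes that crashed."""
    return {int(m.group(1)) for c in cmdlines for m in [WERFAULT_RE.search(c)] if m}


def is_wow64_werfault(cmdlines):
    """WerFault under SysWOW64 handles crashes of 32-bit processes on 64-bit Windows."""
    return any("SysWOW64\\WerFault.exe" in c for c in cmdlines)


def parse_dump(name):
    """(pid, index, start, end) from a sandbox dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    return int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16)


def regions(dump_names):
    """Distinct (start, end) regions per PID with their sizes in bytes;
    a region dumped twice (e.g. dumps 3 and 4) counts once."""
    out = {}
    for n in dump_names:
        pid, _, start, end = parse_dump(n)
        out.setdefault(pid, {})[(start, end)] = end - start
    return out


def image_region(regs):
    """The region beginning at the default 32-bit image base, if it was dumped."""
    for (start, end), size in regs.items():
        if start == IMAGE_BASE_32:
            return start, end, size
    return None


def correlate(cmdlines, dump_names):
    """Tie each crashed PID to its dumps and size the main image region."""
    regs = regions(dump_names)
    report = {}
    for pid in crashed_pids(cmdlines):
        r = regs.get(pid, {})
        img = image_region(r)
        report[pid] = {
            "wow64": is_wow64_werfault(cmdlines),
            "dumped": pid in regs,
            "regions": len(r),
            "image_size": img[2] if img else None,
            "inflated": bool(img and img[2] > INFLATED_MIB * 1024 * 1024),
        }
    return report


if __name__ == "__main__":
    for name, d in DETONATIONS.items():
        for pid, info in correlate(d["cmdlines"], d["dumps"]).items():
            print(name, pid, info)
```

The same 0x400000-0x2C39000 image region (42,176,512 bytes) appears in both runs, as does a second region of exactly 0x4B000 bytes that the sandbox dumped twice; those two are the regions worth pulling for static follow-up, since the crash means the run ended before the behaviour the network section implies had completed.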