Malware Analysis Report

2025-06-15 19:54

Sample ID: 240426-aqmkjsgd78
Target: 2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber
SHA256: 14c33aa6a0f7ab361be5f99ccdc9f56f14cde20b6a526d5e26e58c94de107320
Tags: lumma, persistence, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 14c33aa6a0f7ab361be5f99ccdc9f56f14cde20b6a526d5e26e58c94de107320

Threat Level: Known bad

The file 2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber was found to be: Known bad.

Malicious Activity Summary

Tags: lumma, persistence, stealer

Lumma Stealer

Adds Run key to start application

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-26 00:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-26 00:25
Reported: 2024-04-26 00:27
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe"

Network

N/A

Files

memory/2304-1-0x0000000000400000-0x000000000114C000-memory.dmp

memory/2304-2-0x0000000000400000-0x000000000114C000-memory.dmp

memory/2304-3-0x0000000000400000-0x000000000114C000-memory.dmp

memory/2304-4-0x0000000000280000-0x000000000028A000-memory.dmp

memory/2304-5-0x0000000000280000-0x000000000028A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-26 00:25
Reported: 2024-04-26 00:27
Platform: win10v2004-20240226-en
Max time kernel: 143s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe"

Signatures

Lumma Stealer

Tags: stealer, lumma

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aoradic3 = "C:\\Users\\Admin\\Documents\\ChromeUpdate\\MHOST.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
Target: N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe"

C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1048 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Network


Files

memory/3936-0-0x0000000000400000-0x000000000114C000-memory.dmp

memory/3936-1-0x0000000000400000-0x000000000114C000-memory.dmp

memory/3936-2-0x0000000000400000-0x000000000114C000-memory.dmp

memory/3936-3-0x0000000000400000-0x000000000114C000-memory.dmp

memory/1872-6-0x0000000001150000-0x000000000119F000-memory.dmp

memory/1872-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1872-7-0x0000000001150000-0x000000000119F000-memory.dmp

memory/1872-8-0x0000000001150000-0x000000000119F000-memory.dmp

memory/3936-9-0x0000000000400000-0x000000000114C000-memory.dmp

memory/1872-11-0x0000000001150000-0x000000000119F000-memory.dmp