Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba

  • Size

    174KB

  • Sample

    240429-fdl15saf59

  • MD5

    df469e0a98c5be3dbbdee404268d491a

  • SHA1

    17951c7c3b3dbb7769efa595298ac0183e000c77

  • SHA256

    a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba

  • SHA512

    8c90c9e5b57a854b38600946659d39519a222d5cc36008ef9617df74719e662d66445ca223cff7feffabbb50ecad6028d06d436c5d8fdb349b6bf9ddd1128dfc

  • SSDEEP

    1536:+ngptcHx6TyxkuM39m/wrut+8IGA/75IVL0tQlfYvm/ivedMzcfknx9Xb5Wyq9R9:+nZZBMtjruMGA/lxtbvma2dGTb5Wyq9

Score
10/10
lummasmokeloaderpub1backdoorbootkitpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

lumma

C2

https://accountasifkwosov.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

https://palmeventeryjusk.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Targets

    • Target

      a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba

    • Size

      174KB

    • MD5

      df469e0a98c5be3dbbdee404268d491a

    • SHA1

      17951c7c3b3dbb7769efa595298ac0183e000c77

    • SHA256

      a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba

    • SHA512

      8c90c9e5b57a854b38600946659d39519a222d5cc36008ef9617df74719e662d66445ca223cff7feffabbb50ecad6028d06d436c5d8fdb349b6bf9ddd1128dfc

    • SSDEEP

      1536:+ngptcHx6TyxkuM39m/wrut+8IGA/75IVL0tQlfYvm/ivedMzcfknx9Xb5Wyq9R9:+nZZBMtjruMGA/lxtbvma2dGTb5Wyq9

    Score
    10/10
    lummasmokeloaderpub1backdoorbootkitpersistencestealertrojan

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

      persistence

    • Deletes itself

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks