lumma | db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747 | Triage

Submit
Reports

Overview

overview

Static

static

3

Kobalc.exe

windows7-x64

Kobalc.exe

windows10-2004-x64

Sharing

General

Target

Kobalc.exe
Size

185KB
Sample

240506-wx6gwsdd41
MD5

15717cd327a723820d71900611545917
SHA1

99184ec149d329e98cd3e600cfaba22a2f9a0156
SHA256

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
SHA512

a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49
SSDEEP

3072:LoixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:0W5jOA96xrRd

Score

10^/10

lumma metasploit backdoor evasion persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Kobalc.exe

Resource

win7-20240221-en

lumma metasploit backdoor evasion persistence stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

Kobalc.exe

Resource

win10v2004-20240419-en

lumma metasploit backdoor evasion persistence stealer trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  Kobalc.exe
- Size
  
  185KB
- MD5
  
  15717cd327a723820d71900611545917
- SHA1
  
  99184ec149d329e98cd3e600cfaba22a2f9a0156
- SHA256
  
  db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
- SHA512
  
  a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49
- SSDEEP
  
  3072:LoixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:0W5jOA96xrRd
Score

10^/10

lumma metasploit backdoor evasion persistence stealer trojan
- Detect Lumma Stealer payload V4
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Looks for VMWare Tools registry key
  evasion
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Deletes itself
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lummametasploitbackdoorevasionpersistencestealertrojan

behavioral2

lummametasploitbackdoorevasionpersistencestealertrojan

© 2018-2024

Terms | Privacy