Malware Analysis Report

2025-01-02 08:00

Sample ID: 240509-qj8r7sbd9s
Target: The Setup Files.rar
SHA256: 1ca339a6fb14ebd235d1a9292226f98ca48c0c10199df6eadc22a5430c9d960d
Tags: lumma, stealer, privateloader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1ca339a6fb14ebd235d1a9292226f98ca48c0c10199df6eadc22a5430c9d960d

Threat Level: Known bad

The file The Setup Files.rar was found to be: Known bad.

Malicious Activity Summary

Tags: lumma, stealer, privateloader

Lumma Stealer

Privateloader family

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-09 13:18

Signatures

Privateloader family (tag: privateloader)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 13:18

Reported

2024-05-09 13:21

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description: PID 1600 set thread context of 2752
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Setup.exe
Target: C:\Windows\SysWOW64\netsh.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/1600-0-0x0000000074430000-0x00000000745A4000-memory.dmp

memory/1600-1-0x0000000077740000-0x00000000778E9000-memory.dmp

memory/1600-7-0x0000000074430000-0x00000000745A4000-memory.dmp

memory/1600-6-0x0000000074442000-0x0000000074444000-memory.dmp

memory/1600-8-0x0000000074430000-0x00000000745A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\854334e6

MD5 617d58684189e2d9f90129ea238977d3
SHA1 7aed26437d5d56612bfe473ffeea3858049de7ca
SHA256 0e47882b4968445b488cd4fd783dd16b63caa2e774d9cf6698e2f0fc814e80eb
SHA512 f0cae03e25b0e17c11be6b4f4c77580d7ad4681c7ee3f416a0818d27518a4f7b0aae565d4b610afacb43070783d62d475f6264748b9a77746f086ba5429e143d

memory/2752-11-0x0000000074430000-0x00000000745A4000-memory.dmp

memory/2752-12-0x0000000077740000-0x00000000778E9000-memory.dmp

memory/2752-13-0x0000000074430000-0x00000000745A4000-memory.dmp

memory/2752-14-0x0000000074430000-0x00000000745A4000-memory.dmp

memory/2752-16-0x0000000074430000-0x00000000745A4000-memory.dmp

memory/2732-17-0x0000000077740000-0x00000000778E9000-memory.dmp

memory/2732-18-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2732-19-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2732-20-0x00000000006FD000-0x0000000000705000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 13:18

Reported

2024-05-09 13:21

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer (tags: stealer, lumma)

Suspicious use of SetThreadContext

Description: PID 3948 set thread context of 552
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Setup.exe
Target: C:\Windows\SysWOW64\netsh.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
BE 2.17.196.105:443 www.bing.com tcp
US 8.8.8.8:53 105.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 penetratedworrsyw.shop udp
US 172.67.186.224:443 penetratedworrsyw.shop tcp
US 8.8.8.8:53 acceptabledcooeprs.shop udp
US 172.67.180.137:443 acceptabledcooeprs.shop tcp
US 8.8.8.8:53 224.186.67.172.in-addr.arpa udp
US 8.8.8.8:53 obsceneclassyjuwks.shop udp
US 188.114.96.2:443 obsceneclassyjuwks.shop tcp
US 8.8.8.8:53 zippyfinickysofwps.shop udp
US 104.21.39.216:443 zippyfinickysofwps.shop tcp
US 8.8.8.8:53 miniaturefinerninewjs.shop udp
US 172.67.173.139:443 miniaturefinerninewjs.shop tcp
US 8.8.8.8:53 plaintediousidowsko.shop udp
US 8.8.8.8:53 137.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 216.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 139.173.67.172.in-addr.arpa udp
US 104.21.53.146:443 plaintediousidowsko.shop tcp
US 8.8.8.8:53 sweetsquarediaslw.shop udp
US 104.21.44.201:443 sweetsquarediaslw.shop tcp
US 8.8.8.8:53 holicisticscrarws.shop udp
US 104.21.40.92:443 holicisticscrarws.shop tcp
US 8.8.8.8:53 boredimperissvieos.shop udp
US 104.21.72.135:443 boredimperissvieos.shop tcp
US 8.8.8.8:53 146.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 201.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 92.40.21.104.in-addr.arpa udp
US 8.8.8.8:53 135.72.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/3948-0-0x0000000073000000-0x000000007317B000-memory.dmp

memory/3948-1-0x00007FFA932D0000-0x00007FFA934C5000-memory.dmp

memory/3948-6-0x0000000073012000-0x0000000073014000-memory.dmp

memory/3948-7-0x0000000073000000-0x000000007317B000-memory.dmp

memory/3948-8-0x0000000073000000-0x000000007317B000-memory.dmp

memory/552-10-0x0000000073001000-0x000000007300F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a0c2303f

MD5 766af7198185b728c5b7d98c3868555a
SHA1 5f59de943450d8ac9d7e51cf2a79093da64c560f
SHA256 1c498970cdb076855faf2cc43bed2aa933617b4ff27cae5cc6aac1957c102bb4
SHA512 000bb5e1c8fd12b411dbadcc0958a60231fb939280dc5aa55c5a2dc383534e6bc1a40aeca4b8ca4a1aaa828f766ba52568fc560dc917acff3901afedca14579a

memory/552-12-0x00007FFA932D0000-0x00007FFA934C5000-memory.dmp

memory/552-13-0x000000007300E000-0x0000000073010000-memory.dmp

memory/552-14-0x0000000073001000-0x000000007300F000-memory.dmp

memory/552-15-0x0000000073001000-0x000000007300F000-memory.dmp

memory/1716-16-0x00007FFA932D0000-0x00007FFA934C5000-memory.dmp

memory/1716-17-0x0000000000B90000-0x0000000000BEB000-memory.dmp

memory/1716-18-0x0000000000FFB000-0x0000000001002000-memory.dmp

memory/1716-19-0x0000000000B90000-0x0000000000BEB000-memory.dmp

memory/552-20-0x000000007300E000-0x0000000073010000-memory.dmp