lumma | 94c8fb631f919bd52d1d4341311325510d33aee6e976a75c940a38d88a4b7757

Analysis

max time kernel
138s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 15:07

Target

1.exe
Size

725KB
MD5

a52ce5b525413f39401a3416dd8e2de2
SHA1

148e4b6b2b2904d736fc9442ff1f6309edc40023
SHA256

94c8fb631f919bd52d1d4341311325510d33aee6e976a75c940a38d88a4b7757
SHA512

52616053550e5f26a62d1260a850e8bfbf10e9484ba776b2b808040021e0d944b23e77e64273bd7485eb9662fe057ea41a369a873e7b2f0e90b62daf1b5ac88b
SSDEEP

12288:O+O4diU6/GC4sVniwgco34nYN/MghT4rxj+TTM45P0coq/ZrUGv1L:O+seunM4Y9feBB9q+G

Score

10^/10

Family

lumma

https://voicelighterrrepso.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/696-1-0x00000000008C0000-0x000000000097C000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 696 set thread context of 1652	696	1.exe	85

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
696	1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 1652	696	1.exe	85
PID 696 wrote to memory of 1652	696	1.exe	85
PID 696 wrote to memory of 1652	696	1.exe	85
PID 696 wrote to memory of 1652	696	1.exe	85
PID 696 wrote to memory of 1652	696	1.exe	85
PID 696 wrote to memory of 1652	696	1.exe	85
PID 696 wrote to memory of 1652	696	1.exe	85
PID 696 wrote to memory of 1652	696	1.exe	85
PID 696 wrote to memory of 1652	696	1.exe	85

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  #cmd
  2⤵
  PID:1652

memory/696-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/696-1-0x00000000008C0000-0x000000000097C000-memory.dmp

Filesize
752KB

Download
memory/696-2-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/696-3-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/696-4-0x0000000005550000-0x00000000055A4000-memory.dmp

Filesize
336KB

Download
memory/696-10-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/1652-5-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1652-7-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1652-9-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1652-11-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download