General

  • Target

    bittorrent_installer.exe

  • Size

    1.8MB

  • Sample

    240518-1rppeahf3y

  • MD5

    e3a426ee7af841fcf69607f319764df1

  • SHA1

    d75c44fb403d33399ec95ca13843d59abee6dc81

  • SHA256

    74c46613608a20996b55a6d2022d720e7dcc884c8a4038ca7a1db11308bba483

  • SHA512

    c48dd13bdaea81b9850c64e4c538aa4ce84253b4fd8dac93f8e2c4f7c406b005f16c2d88df72ee053666b18917380be2beeffde1a0f528ce86bef6302959578a

  • SSDEEP

    24576:z7FUDowAyrTVE3U5F4u6ZGYF8MOpJvXz31DFs8DZ/DdGVK6q+1nTTEE:zBuZrEU8uy8MOH1DSa/DoQGd/

Malware Config

Extracted

Family

lumma

C2

Targets

    • Target

      bittorrent_installer.exe

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar material.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Downloads MZ/PE file

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15