lumma | a65b36ef70366ea11fd553af7ba234e5ff0b905f5c907ed937ed3e07f8ead985

Analysis

max time kernel
14s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheatloader.exe
Size

1.2MB
MD5

31ed5612c413997d16a134d6c58584ed
SHA1

5171463c001dca2f5b27adc8c1e390e9896284e2
SHA256

a65b36ef70366ea11fd553af7ba234e5ff0b905f5c907ed937ed3e07f8ead985
SHA512

3b6b9facea4ff74f5b6696285d25037e62990db1b3fa2b2444a7306023e0e00048a2d853bec07ce5b01c97720bff54426e6fe8a16e094ff0b997e0b43515a59e
SSDEEP

24576:siAb9TBgREUU9cEieHXV7yN0buhgYsbOlN9U3jaPsM:siAb99yEy0b2lNy3jKsM

Score

10^/10

lumma evasion stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1412-7-0x0000000000FF0000-0x0000000001121000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cheatloader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cheatloader.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cheatloader.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools cheatloader.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 pastebin.com
8 pastebin.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cheatloader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	cheatloader.exe

flow	ioc
7	pastebin.com
8	pastebin.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cheatloader.exe

pid	process
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe
1412	cheatloader.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cheatloader.exe

pid process

1412 cheatloader.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cheatloader.exe

pid process

1412 cheatloader.exe

C:\Users\Admin\AppData\Local\Temp\cheatloader.exe
"C:\Users\Admin\AppData\Local\Temp\cheatloader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VMWare Tools registry key
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1412-7-0x0000000000FF0000-0x0000000001121000-memory.dmp

Filesize
1.2MB

Download