Overview

overview

10

Static

static

3

Loader.exe

windows7-x64

3

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    208s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    459KB

  • MD5

    3e813dde943f8bc1c64ff1d6fb5f5442

  • SHA1

    9c822e820b3108caca86a5adcb86dcd2fb7a1a2c

  • SHA256

    4406e60b91320a9df156733902e256207aea47b496d8abe882db20f2908130fe

  • SHA512

    42352ce5c3a39d05d37731a7feb35e01db835dbe861a95a1835144ead3c59209ee6f4d2574dc3111d5ea2f5ef9a9b68c6bf5dee08ba32160d5b97bb6d223e162

  • SSDEEP

    6144:ARc5tEKmC4P2uNTEsXC/CyRMSz/t3EzIKdB37DNl2p03fcqJXEOFm6p09zKXlPUY:AS5tgn7S/CyK0t3EzhL+Qr0E1s82RR

Score
10/10
lummastealer

Malware Config

Extracted

Family

lumma

C2

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

https://civilianurinedtsraov.shop/api

https://roomabolishsnifftwk.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2916
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3020
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3716
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.0.840587537\727049142" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8503572c-7281-464f-9e9d-df9941a8c126} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 1948 1c7e43ee558 gpu
            3⤵
              PID:2904
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.1.1524341696\82190375" -parentBuildID 20221007134813 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a39b934-6848-44db-8e58-b30211879676} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 2348 1c7e3d44358 socket
              3⤵
                PID:3220
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.2.1792760275\1453829367" -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba4e5062-9e4b-4930-ba38-802f6fa0448e} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 3156 1c7e80a0b58 tab
                3⤵
                  PID:2336
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.3.745076792\328454126" -childID 2 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a71a3dc-8750-448d-a198-eb519ac252b7} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 3828 1c7d055df58 tab
                  3⤵
                    PID:1744
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.4.1939000008\604524683" -childID 3 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b9b8c9c-3b9b-4979-98fe-af0ef8030e3b} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 4264 1c7e971db58 tab
                    3⤵
                      PID:2076
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.5.644948419\82149704" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5044 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f71215c-de4b-452e-9a7f-f82a0930ea55} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 5080 1c7e86db858 tab
                      3⤵
                        PID:5680
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.6.610780192\1704782359" -childID 5 -isForBrowser -prefsHandle 5140 -prefMapHandle 5144 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01db5278-1615-4c83-b746-21089f35a4ac} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 5132 1c7ea942b58 tab
                        3⤵
                          PID:5688
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.7.161221488\994858" -childID 6 -isForBrowser -prefsHandle 5348 -prefMapHandle 5352 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e30f47ba-cb36-4264-bc42-dd4abbabe96c} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 5340 1c7ea943458 tab
                          3⤵
                            PID:5704
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
                        1⤵
                          PID:6100

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
                          Filesize

                          13KB

                          MD5

                          2bee8946ef58fb99a2de19676be57580

                          SHA1

                          324de18d9f380958afcd73597558a1d24ee8d213

                          SHA256

                          35a5f6f5826dab3ce5ed681fc47afaa4760f212a8f337c680e229219cf970263

                          SHA512

                          d079a212c50b292791ae2447b89da474222a4024ba2ae2ba09744cfc1b706c636993e4b9a5d430c91aeeaa8f853cc2b7e8c03cd78fe104bc434575e3a47b6a64

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                          Filesize

                          442KB

                          MD5

                          85430baed3398695717b0263807cf97c

                          SHA1

                          fffbee923cea216f50fce5d54219a188a5100f41

                          SHA256

                          a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                          SHA512

                          06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                          Filesize

                          8.0MB

                          MD5

                          a01c5ecd6108350ae23d2cddf0e77c17

                          SHA1

                          c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                          SHA256

                          345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                          SHA512

                          b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
                          Filesize

                          2KB

                          MD5

                          b0fb85f7787e6f1001f4dc8690eee8b4

                          SHA1

                          28361668bbcc5f4a488b5eeaba12d716df9f13ab

                          SHA256

                          d78e559e5636cca8a2f5e0f17d2dcafe7e479832dd4bf0cebec458e124e8a842

                          SHA512

                          8202037dc9dae09fcb5e07928d517f11ec010912e987c5a9c3fc823f57d926995ec6fa73e6a29e7ca3819cfb3f1932fe33d6e1f0aae75b1b714fe20746112cc0

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\66c78e65-cddf-41a3-9a14-c28d2cb16945
                          Filesize

                          746B

                          MD5

                          d259827fcc0a8908ad292ce9fb950a99

                          SHA1

                          54a00b25c5090455a44e6ba8208a4077a46e2e15

                          SHA256

                          1457cc11fc966d0d543a22fc10c3e57f45cea76119f53ae7d89c15bbcbac87e2

                          SHA512

                          fdf2863e8b3b1c4f35639583fae2c1b281fd4475a350a7bd900154e813e42feeb9be4ff56c0ffeb66fa8f0bc8c561546669308578aaf83968ed168903b59b374

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\e7949744-7ee8-46cc-a6dc-7cb75fe0cd81
                          Filesize

                          10KB

                          MD5

                          3f2b2e91bdf98bd1550c2a01f68abdab

                          SHA1

                          5f9f61db6fcbdbb2d1bd2f91bd56fdb141303f31

                          SHA256

                          e0f5a8d28e0fc403f621d333f1dc26d2f03a3ff6097d91ce494ad0f8f2fe8717

                          SHA512

                          6f4fb15f5f0afd415197a0c7bf7add1a973ab3a8c36c974e61cf7212a328741ee99cae80ddb395c684c2ee3d12c7a3c401289fc11b01d4663a738e99012e26ea

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                          Filesize

                          997KB

                          MD5

                          fe3355639648c417e8307c6d051e3e37

                          SHA1

                          f54602d4b4778da21bc97c7238fc66aa68c8ee34

                          SHA256

                          1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                          SHA512

                          8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                          Filesize

                          116B

                          MD5

                          3d33cdc0b3d281e67dd52e14435dd04f

                          SHA1

                          4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                          SHA256

                          f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                          SHA512

                          a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                          Filesize

                          479B

                          MD5

                          49ddb419d96dceb9069018535fb2e2fc

                          SHA1

                          62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                          SHA256

                          2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                          SHA512

                          48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                          Filesize

                          372B

                          MD5

                          8be33af717bb1b67fbd61c3f4b807e9e

                          SHA1

                          7cf17656d174d951957ff36810e874a134dd49e0

                          SHA256

                          e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                          SHA512

                          6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                          Filesize

                          11.8MB

                          MD5

                          33bf7b0439480effb9fb212efce87b13

                          SHA1

                          cee50f2745edc6dc291887b6075ca64d716f495a

                          SHA256

                          8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                          SHA512

                          d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                          Filesize

                          1KB

                          MD5

                          688bed3676d2104e7f17ae1cd2c59404

                          SHA1

                          952b2cdf783ac72fcb98338723e9afd38d47ad8e

                          SHA256

                          33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                          SHA512

                          7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                          Filesize

                          1KB

                          MD5

                          937326fead5fd401f6cca9118bd9ade9

                          SHA1

                          4526a57d4ae14ed29b37632c72aef3c408189d91

                          SHA256

                          68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                          SHA512

                          b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          444a72aedfe97cc4eac954af4d669a36

                          SHA1

                          865d3ae7de3211cb1237ef64d6d62f6cf359335c

                          SHA256

                          258b62f068cfcf662f546d8f9b1b76b5002197c34b1c41c3f04c0f283b748782

                          SHA512

                          5248b22db4d389cf0bd7d6cc43b614864c5bc167b585d6fa5340d61ccac6fb835242d74070c3c9b2f47ca6a5dbea9b2b9f908aaa17ae8563d1b9610ff0e7ab84

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          a4edf9d57e97f3d8932c6e86fabc2235

                          SHA1

                          9d2ee3f96f665ca64bab218ebbc18d758d23c7df

                          SHA256

                          fb74b75c65a09a8eb06a38b4a39db2a36bb89e14030bb4e47aa599a45d899c02

                          SHA512

                          01f1acae003b4ceb83154143aff41e6e00ca2333789568d5af2e59cd7b76476850fa2b158a3961b3d8b3951ae660e3ea11217c88853c4ea98e856c08e6474805

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          c08caae1091a40b4f128d7f2a3aa6ae0

                          SHA1

                          d7d4ff6c19ef6037c19e452ec775b41e6f92da61

                          SHA256

                          10f59684e45ff0c889b92c934feac3e3bbdbb6dea4e750e6ff6f07702e25b6c1

                          SHA512

                          93e8da198b302afee93869ecbb1b2b7f3449e4185fccbeafcfe6aed6247b8e98c62037b65dc7df536002c9dbb2d1fe576bc657b96d58971f50ab9f7c6c8fadfc

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                          Filesize

                          184KB

                          MD5

                          b6bacbca69e2002c0ee0506268d3daf2

                          SHA1

                          750aafe071e6d41f6597bb4f91e1b1ae387e68d8

                          SHA256

                          92fccd4f269d9b7a4509610dc0d995b49b819c98ed114a180a85e7b7ab13a4db

                          SHA512

                          5c4ade499e043dc5190f677d942adadcff19b549c9138e023c58bb9b316c36f9ce0e99d11b68ad92a125632589352ec9a693bbdf48ff37ded987e2c5359f88cd

                          Download Submit

                        • memory/2432-0-0x00000000003F0000-0x00000000003F1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2432-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2432-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2916-7-0x0000000000400000-0x0000000000454000-memory.dmp

                          Filesize

                          336KB

                          Download

                        • memory/2916-2-0x0000000000400000-0x0000000000454000-memory.dmp

                          Filesize

                          336KB

                          Download

                        • memory/2916-5-0x0000000000400000-0x0000000000454000-memory.dmp

                          Filesize

                          336KB

                          Download

                        • memory/2916-6-0x0000000000400000-0x0000000000454000-memory.dmp

                          Filesize

                          336KB

                          Download