Analysis Overview
SHA256
c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f
Threat Level: Known bad
The file 2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil was found to be: Known bad.
Malicious Activity Summary
Detect Lumma Stealer payload V4
Lumma family
Risepro family
Checks system information in the registry
Enumerates physical storage devices
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 01:01
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Lumma family
Risepro family
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 01:00
Reported
2024-05-25 01:03
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Checks system information in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:49260 | N/A | tcp |
Files
C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log
| Hash | Value |
|---|---|
| MD5 | 2de1bfe71cfc5a4220f1c4591aec8d07 |
| SHA1 | 9cbfee4cdb3fc4680c47e3ca659fa370cb599a3b |
| SHA256 | a6beba9600e995452800cc6729b56bf6f08741c2c5c6a041da11cb7c20382f49 |
| SHA512 | 6a0c4d8e6407be69b2df8c652316052615041367522dc2281c83cfe22f8f9a4858927f113528dc05fa61df6c9c35db5ed43318ca87dff72679ec3c62d99501c3 |
C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log
| Hash | Value |
|---|---|
| MD5 | 47f2322fb942160bbfb66b20089c26b5 |
| SHA1 | 64872306a838eb7d89fe1929c92837055cfbad6e |
| SHA256 | e408469bbdfd6e476beb948a13dfcdd7ae5ce41c8b2c7d84cf8592b1a3c99e4f |
| SHA512 | 62696289437232028184d53d367ceb5e6d5cafb4b1336638e5083be58b066207b6eecbd3fb4f4f313a155c9e41bd63b5496403f647e4d75d0e59b38aa96116e9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 01:00
Reported
2024-05-25 01:03
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
101s
Command Line
Signatures
Checks system information in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| N/A | 127.0.0.1:55731 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log
| Hash | Value |
|---|---|
| MD5 | 3e4c41db27479e98573b1bc85658a944 |
| SHA1 | 84b39c5d7f161f26e788236aa84fe9771e5e4929 |
| SHA256 | 6cf0ed2260954c5ab122e9d08035f468d3ee5e5a7a5f56bc474b47b077c84f7b |
| SHA512 | 71a71e7ab9d5d29050a2d634e5d8596dcf86180a216d8bb3b640620e2085da616714082c639bcc7b7082eb8f935ba084c44328b39d6c09bf2846352c977d4a70 |
C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log
| Hash | Value |
|---|---|
| MD5 | 45792e4d83ea4a027e3f915a7a04cad8 |
| SHA1 | fcf8f4361cf854882f3ffc69ae3b76efb9b8c2e8 |
| SHA256 | b34840b2915ffc04a053ab46c5a1261685051fd3191e5f62bc301599ee2aef09 |
| SHA512 | 8ce6fe19ad106576a9685a8190a9983c810f8765e21c067958e1f4a2ef1664ffa465e3691711a148b2def9c80b31b711f619cb1306b8f0cfc863bc6d94729609 |