Analysis Overview
SHA256
c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f
Threat Level: Known bad
The file c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f was found to be: Known bad.
Malicious Activity Summary
Detect Lumma Stealer payload V4
Lumma family
Risepro family
Checks system information in the registry
Enumerates physical storage devices
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 01:05
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Lumma family
Risepro family
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 01:05
Reported
2024-05-25 01:07
Platform
win7-20240508-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Checks system information in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f.exe
"C:\Users\Admin\AppData\Local\Temp\c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:49249 | N/A | tcp |
Files
C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log
| Hash | Value |
| --- | --- |
| MD5 | 27ab7bdf61a8dce300695dd5c17d17cd |
| SHA1 | 14f0e54c54cc0db2352912c82f5fb730ceb0b35d |
| SHA256 | fbc8b761a6400e5ec758e35924ee3c482db91dd7a4e92b5b43b9ffce6554a76f |
| SHA512 | c18a608a597049b9e4b33d6704f55079ea757053829f6fb4e3fd8f77e6c8039983c23ebd28e8e62470fba45c720705b5b53cbb28406b4f2b1550c7110522e6ee |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 01:05
Reported
2024-05-25 01:07
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
123s
Command Line
Signatures
Checks system information in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f.exe
"C:\Users\Admin\AppData\Local\Temp\c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:57539 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log
| Hash | Value |
| --- | --- |
| MD5 | 09dae7d4f75dc22e52a5435ba86d78df |
| SHA1 | 73e04a54d4414965a5d7fcc13fbbd3a2940455b9 |
| SHA256 | b8330514be3e6b98fd0bfc43a5145b5a5e2855a4e91a0290248d8e0b62e6feb4 |
| SHA512 | e9501dd2303771db339ac514dbe43453d3e1bb2b306f7572d8f74cb3ac7620385bee0d2da929d6724695189db54f5616109049e6bf2e6b0495f09cf34a407b0d |
C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log
| Hash | Value |
| --- | --- |
| MD5 | e98551c96d8a1a7caa45152c69fbbd72 |
| SHA1 | 524832d51c938b85fc05103139546fd2801b8126 |
| SHA256 | 053d09a5545d2e280943660229045e84c02bd4b5db746a85838452b75e33c22b |
| SHA512 | 294bce083a4e2ba05bd864663032ff47f536609d22c42e9bf6d2a4dc28598cc5d32c66cb06ad625f8facc7ed2a36385e708131851f4aa2fe0661615e48c04757 |