Overview

overview

10

Static

static

3

Lunar Rele....6.exe

windows10-2004-x64

10

Lunar Rele...ch.dll

windows7-x64

1

Lunar Rele...ch.dll

windows10-2004-x64

1

Lunar Rele...on.dll

windows7-x64

1

Lunar Rele...on.dll

windows10-2004-x64

1

Lunar Rele...eld.js

windows7-x64

3

Lunar Rele...eld.js

windows10-2004-x64

3

Lunar Rele...ces.js

windows7-x64

3

Lunar Rele...ces.js

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Lunar Release.rar

  • Size

    68.9MB

  • Sample

    240528-a4qjcshc94

  • MD5

    5f3bad64191f3ea4c0e210314e35dd83

  • SHA1

    860d69e95b3a76e78576e027811ffd2548d9b594

  • SHA256

    7030f01bf9505498b2c7b951a2f2dc7c2a616c1181bb7e6f8947bda2629c69c8

  • SHA512

    addf220896c2eb199788a923060e297421273e81f9500484588c7ccf8e155b96fb80854a527fe546165bc922caf1ec14dffbf27349083e51316b4855510222ce

  • SSDEEP

    1572864:85DYMDvoZQ482TixPlMrUJeCkDlSLdVx36Wc4KpJlP+B6nBRhrSQNx4h9g3:mvDv14NTEPl28h36kKpLP+BUB3rSQNxh

Score
10/10
discoveryexecutionpersistencepyinstallerspywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Targets

    • Target

      Lunar Release/LunarExecutorV1.6.EXE

    • Size

      68.9MB

    • MD5

      0de60c954486bdc0a5d0f1073d988aa2

    • SHA1

      3dfbab5b70194d39dc8ab68160253eb641051123

    • SHA256

      7c57b598878c89fc502dfa308dd9255e3c336d0c846925bed74b054c11dbf515

    • SHA512

      72917b080077522f758aa9abce53d97d940aca626a65b08392c6221b1b26f2ae850b78850bddd547993c49ea55026715341b36b9e9646759691ac52800e3e4cf

    • SSDEEP

      1572864:ay8NYZ4tZ33atAbmT5LTGj9aY79EXZH263FwggCU1FcDI2:ay8hZS7T5LTGBaY99YrOcDI

    Score
    10/10
    discoveryexecutionpersistencepyinstallerspywarestealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

    • Target

      Lunar Release/auto_attach.dll

    • Size

      11KB

    • MD5

      10b65d0b42a5c28e46c636f3b80acd72

    • SHA1

      b7d055065692c937de0c6cc8a4a10ab56953bc35

    • SHA256

      6a5f47fb94b352d816beb3301cec80c29067ac49867013653c5f6254617d24fb

    • SHA512

      75dc3b928bf1dc3eccd1f8a70b71be4734bbce99419cbd5a6090c08182bf6b74617d9a78c2e7ccf243f550922c17a79c255ba07a92a48b110d1aadd823a78461

    • SSDEEP

      192:3jzHguR1ID//9g6Gep+d/iz2Gg3bzE7xYGVN2PzQdv4tkpyzM9zvGMA5KIhzlm:3jzHguR1IKdeocPUk86tZaU

    Score
    1/10
    behavioral2behavioral3

    • Target

      Lunar Release/byfron.dll

    • Size

      104KB

    • MD5

      23070ddf008a2351eb49b39bcaadc40b

    • SHA1

      7797e39ed2543d0e42fce9239e9e8f8ff55482a3

    • SHA256

      a7b4d7ee10059bfe41c1405f589c898f8261186bbb65f9e63240e27aaba5e17f

    • SHA512

      676d9ca1260ee2f8db90f5ec3430fd297ff2429163b39110ea80a42d5111be80b75d9fdc73f9262a713d29eb0ac3d573060a739ff843e393485de6c9a154646b

    • SSDEEP

      1536:Jcck8caFAtPTFwZ644yQZvNuAVe5tJmcCA2noyUEowjE:Jcck8caFAtPTFwZ6ZN505H2nLUcY

    Score
    1/10
    behavioral4behavioral5

    • Target

      Lunar Release/infinite yield.txt

    • Size

      458KB

    • MD5

      fd82c56f51bbd6e20b5cd3f13df47df3

    • SHA1

      5cc7735d0df6224d522a62b51ff0e5980741de3a

    • SHA256

      753e72e558297fc7658e32d37baa81d72333f06fd6640ede858c5ba3294cec7b

    • SHA512

      602f05e8b7018e4066d6663976178a66c2f274d0168a041c5e3a99ae037e3730789a0130e580e33161d1f99fac288f4a8831a2400866b54fb2f6acd3c1f79f6d

    • SSDEEP

      6144:ZkrLwE7/gTt3Kr2/h5MuR0Y9gIBuQulO7uFo5n4XvxDhoQh9kZtUi8/1j304U48F:ZkrLwEAKr2ZGHYWFOn4XPffpo

    Score
    3/10
    execution
    behavioral6behavioral7

    • Target

      Lunar Release/resources.dll

    • Size

      5.1MB

    • MD5

      773b3b72481fd8ef9b62b5ef0fe8040a

    • SHA1

      a42cbc7aab88689e834c158b24af8722586cf1b4

    • SHA256

      7f93fef11819a9f4b8edd342a1c2d3dbab25698ed75f9713ee1167fa2f852331

    • SHA512

      db7d29100060afc909cbf20bcd6d9c02fc0b29d8ee32606e2d6cf18270484f2b46853cda0b495a85cc7a2e3ae4536030a25216f101dceabf2f972e3375208c38

    • SSDEEP

      768:+UI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUIn:3

    Score
    3/10
    execution
    behavioral8behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

PowerShell

1
T1059.001

JavaScript

2
T1059.007

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks