Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-06-2024 03:48

General

  • Target

    df0c393f7d41e7f36bae4cdf5f63869c1c0b7fe7c567c2844c5da88906dc7e3e.exe

  • Size

    2.1MB

  • MD5

    a1ad46e02818ee49a291ddd29f09f216

  • SHA1

    69212dce9518f612922ac5fe638832b8a67385d2

  • SHA256

    df0c393f7d41e7f36bae4cdf5f63869c1c0b7fe7c567c2844c5da88906dc7e3e

  • SHA512

    af0c36d46b2e83c8e51a2db023fca75effe780d1506b0082811c20f4a8e40df74bae339a0b6c2e12dbd24d4333e5614131bc8942c0b266d6de2cc16fc0431a2b

  • SSDEEP

    49152:1Djlabwz9iDjlabwz9+HjAr6EwEVulQgsXd4WfLW+ZrZznYR:Zqwwqw7rmEVulQgYxDPZzYR

Score
10/10

Malware Config

Extracted

Family

lumma

C2
Signatures

  • Lumma Stealer

    An infostealer written in C++, first seen in August 2022.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\df0c393f7d41e7f36bae4cdf5f63869c1c0b7fe7c567c2844c5da88906dc7e3e.exe
    "C:\Users\Admin\AppData\Local\Temp\df0c393f7d41e7f36bae4cdf5f63869c1c0b7fe7c567c2844c5da88906dc7e3e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\read.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\logad.exe
        logad.exe -pmultit
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\kiwarg.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\kiwarg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetWindowsHookEx
          PID:4192

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\logad.exe

    Filesize

    1.7MB

    MD5

    95cbc37d7c73ed0bf29074713701ce8a

    SHA1

    da6ad1007e94f69772eee09473dab8b4eb2db14e

    SHA256

    d38f510bc1a2f2e389f22e0a8609f531472d1b367111f74de9109b49c91cbe26

    SHA512

    a084c74bc1716356dad090a4aba0beee0aa4e098161a191781c48abb4db1c52f6f2167f9e48d60381f5b89822ea17ae62b9a7c755900842c897fad8b9897db81

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\read.bat

    Filesize

    35B

    MD5

    e45f6a0d55d7fa893be7ec033793ba6b

    SHA1

    6905c4a234f4e6e9fcfd222a0d932e827b86d833

    SHA256

    d623c0b8d9d662362b6347c6862217221e660082ef0a9bff77a83a6efffda4cf

    SHA512

    773730f1b0284d102060f20ac8f6b636fde2036b30ede41b5472754824a87c79c3995de5b7766b0802efb5698961ee82a4e862cb2a474d090b7f9c29e79b396a

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\kiwarg.exe

    Filesize

    1.2MB

    MD5

    dace48604bcab6c26d34af1ef04ec8e3

    SHA1

    1a2aa011ee5f894dd85a894ac65e71622bfe1ab0

    SHA256

    9dc583e0cf587d0442e2b9f72fa2de23c0910a21d543f862e498e6add0794f30

    SHA512

    2d1cad6d368f24c52e7a0809fb72b52f19f7cbedca7924bc3bdc0855e31692c03ddc914ea1a455bd8464bb89d869538805e8b2ba16be92e95808324c36d99fad

  • memory/4192-19-0x0000000000420000-0x00000000007E1000-memory.dmp

    Filesize

    3.8MB

  • memory/4192-20-0x0000000000420000-0x00000000007E1000-memory.dmp

    Filesize

    3.8MB