lumma | ff89b26b08534382d19d9c99b8023467c007eda8c8a82cd728fb24634d99bb58

Sharing

General

Target

1718821613.976287_setup (2).exe
Size

12.6MB
Sample

240619-zmhvma1crh
MD5

dddae2b25f60e6331ab468bb5d9daf65
SHA1

93b425a91af75bdad1e27b08cd821b0123c9e61b
SHA256

ff89b26b08534382d19d9c99b8023467c007eda8c8a82cd728fb24634d99bb58
SHA512

d25580cb033c0cc1a68b1ab49166c8d6c0c6387ad690a92ff43e4ca1baf317e2ff68dd05d8f1c14e54cbedad9198cd51932aca7c7b05afe92eb1de6e3b4893c3
SSDEEP

393216:nxF2TkLoD4NFAKgkhC1LxRdYUmRMGhw4:qTkLoDO0PL/d5mK

Score

10^/10

Malware Config

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.92:27953

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

https://t.me/memve4erin

https://steamcommunity.com/profiles/76561199699680841

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0

Extracted

Family

lumma

https://accumulationeyerwos.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Extracted

Family

socks5systemz

bwcxxhp.com

http://bwcxxhp.com/search/?q=67e28dd83e0bfb2e455aa5187c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ae8889b5e4fa9281ae978f171ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff719c3ef969932

http://bwcxxhp.com/search/?q=67e28dd83e0bfb2e455aa5187c27d78406abdd88be4b12eab517aa5c96bd86ee92864b895a8bbc896c58e713bc90c91f36b5281fc235a925ed3e52d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee9d9238cd6c951f

Targets

- Target
  
  1718821613.976287_setup (2).exe
- Size
  
  12.6MB
- MD5
  
  dddae2b25f60e6331ab468bb5d9daf65
- SHA1
  
  93b425a91af75bdad1e27b08cd821b0123c9e61b
- SHA256
  
  ff89b26b08534382d19d9c99b8023467c007eda8c8a82cd728fb24634d99bb58
- SHA512
  
  d25580cb033c0cc1a68b1ab49166c8d6c0c6387ad690a92ff43e4ca1baf317e2ff68dd05d8f1c14e54cbedad9198cd51932aca7c7b05afe92eb1de6e3b4893c3
- SSDEEP
  
  393216:nxF2TkLoD4NFAKgkhC1LxRdYUmRMGhw4:qTkLoDO0PL/d5mK
Score

10^/10

lumma redline risepro socks5systemz stealc vidar logsdiller cloud (tg: @logsdillabot)bootkit botnet discovery evasion execution infostealer persistence privilege_escalation spyware stealer themida trojan
- Detect Vidar Stealer
  stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies firewall policy service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Socks5Systemz
  Socks5Systemz is a botnet written in C++.
  botnet socks5systemz
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect Vidar Stealer

Lumma Stealer

Modifies firewall policy service

RedLine

RedLine payload

RisePro

Socks5Systemz

Stealc

Vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Boot or Logon Autostart Execution: Active Setup

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection

Stops running service(s)

Checks BIOS information in registry

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Unexpected DNS network traffic destination

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks for any installed AV software in registry

Checks installed software on the system

Checks whether UAC is enabled

Drops Chrome extension

Drops desktop.ini file(s)

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Power Settings

Writes to the Master Boot Record (MBR)

Checks system information in the registry

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2