39f022c9d8c871076f40cbe64909a76a93e58d893ba31f0d76ba0ff7f355400f | Triage

Submit
Reports

Overview

overview

6

Static

static

1

Luna-Grabb...64.exe

windows7-x64

4

Luna-Grabb...64.exe

windows10-2004-x64

6

Sharing

Copy URL Twitter E-mail

General

Target

Luna-Grabber-main.zip
Size

51.2MB
Sample

240627-yef6dsxbqf
MD5

00e8d6ad69787248327e2def5404c716
SHA1

ce6b09752cdb9f1868efa82e76473513054dc650
SHA256

39f022c9d8c871076f40cbe64909a76a93e58d893ba31f0d76ba0ff7f355400f
SHA512

d74d62edb9e25599c16f4d89a3b37ce86a365170ae28493ee7b792da0f58442d715405e1c0c468c6f6adcf40517fca2f4ec5c815b1085fa440c56b6c8c7e4783
SSDEEP

786432:SXKBN3Eq/hQPwbCMnaujbIfzWnP4FE2IW1sem8NeeXmmNhuOUmrON92ZK8SH:QEUq/OP0CMdIbWnZ2Nm8Mgmsuj3e2

Score

6^/10

discovery persistence privilege_escalation

Static task

static1

Behavioral task

behavioral1

Sample

Luna-Grabber-main/python-3.10.9-amd64.exe

Resource

win7-20240508-en

windows7-x64

3 signatures

1200 seconds

Behavioral task

behavioral2

Sample

Luna-Grabber-main/python-3.10.9-amd64.exe

Resource

win10v2004-20240611-en

discovery persistence privilege_escalation

windows10-2004-x64

20 signatures

1200 seconds

Malware Config

Targets

- Target
  
  Luna-Grabber-main/python-3.10.9-amd64.exe
- Size
  
  27.6MB
- MD5
  
  dce578fe177892488cadb6c34aea58ee
- SHA1
  
  e562807ddd0bc8366d936ce72684ce2b6630e297
- SHA256
  
  b8c707fb7a3a80f49af5a51c94f428525a3ad4331c7b9e3b2e321caf5cb56d7d
- SHA512
  
  8858aa7e82ca8cf559eeb25c14d86d24637a86e64c8db7465c99d05558ce3c67cea18d68abdfbe3df08cdbedfca5f819aa7fd8e57beae2054a7f7a8a64c04b41
- SSDEEP
  
  393216:rLQzCSAmQThdbDLP4+pG+ynEuB2EdPJPSmZ7SCZtnfhk1pACJ+DH5dTLwUTmhU+3:rqCLPxpG+tRKPJPSu7rkphcDnwhC7i
Score

6^/10

discovery persistence privilege_escalation
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

discoverypersistenceprivilege_escalation

© 2018-2025

Terms | Privacy