Analysis Overview
SHA256
8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f
Threat Level: Known bad
The file 8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Reads user/profile data of web browsers
Loads dropped DLL
VMProtect packed file
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 22:41
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 22:41
Reported
2024-07-04 22:46
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
VMProtect packed file
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
"C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
polaris.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| MD5 | 76ce3d5d5c3032cc9f78133af90b7ca7 |
| SHA1 | 774907a1177135daf81ad950c2201510958cc52b |
| SHA256 | 7deb532bdc37e4ed59642407a94a479ad7b7c18b852c9237899bb1fa9e55febd |
| SHA512 | fbc4c6fe065ed0000687130f6a173349ccd3fb68a6b5fa72c24cac90cbb53b82970961b60bee7bc1318682de70823aa054eff27010773b3c5b950ed084ba71de |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
| MD5 | 0f21f614bbd1768957b4ada1faf64885 |
| SHA1 | 9e1fde36a3f615e783afec63be45a55453a14b89 |
| SHA256 | cda0db0d276a2a24745a5c9b23712e2c950f5dd5c103f1ab88b9f1bdbe5be501 |
| SHA512 | 8df61c2aa68b1ffef973d60bfa46c1fb0566ddc64f84729e459bc5d587daeab2cdc0ab5a69db3bb57bad1b2067969db06a83d9066c71215a2bd7e1f416b7c0a7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
| MD5 | 5fd19293fa5acf9323ebc45b5df49b06 |
| SHA1 | 6f0c22c0f40a1a4ac7abf31c7e3ba977bd3a133a |
| SHA256 | 659ad4fec79f03ac2f1c9fc81371a426cefd6abaef8edad4403a71f29088a261 |
| SHA512 | 595e552e6202d7b22615eff1fecb35ad0fdf7506dd70dd3b708b7342b119a3f885bbdb0709785401a991b5de55cd4043c6398baa2a9b6a45ca390687e99aa697 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 22:41
Reported
2024-07-04 22:46
Platform
win10-20240404-en
Max time kernel
195s
Max time network
256s
Command Line
Signatures
Lumma Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
"C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
polaris.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | foodypannyjsud.shop | udp |
| US | 104.21.49.164:443 | foodypannyjsud.shop | tcp |
| US | 8.8.8.8:53 | 164.49.21.104.in-addr.arpa | udp |
| US | 104.21.49.164:443 | foodypannyjsud.shop | tcp |
| US | 104.21.49.164:443 | foodypannyjsud.shop | tcp |
| US | 104.21.49.164:443 | foodypannyjsud.shop | tcp |
| US | 104.21.49.164:443 | foodypannyjsud.shop | tcp |
| US | 104.21.49.164:443 | foodypannyjsud.shop | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| MD5 | 76ce3d5d5c3032cc9f78133af90b7ca7 |
| SHA1 | 774907a1177135daf81ad950c2201510958cc52b |
| SHA256 | 7deb532bdc37e4ed59642407a94a479ad7b7c18b852c9237899bb1fa9e55febd |
| SHA512 | fbc4c6fe065ed0000687130f6a173349ccd3fb68a6b5fa72c24cac90cbb53b82970961b60bee7bc1318682de70823aa054eff27010773b3c5b950ed084ba71de |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
| MD5 | 0f21f614bbd1768957b4ada1faf64885 |
| SHA1 | 9e1fde36a3f615e783afec63be45a55453a14b89 |
| SHA256 | cda0db0d276a2a24745a5c9b23712e2c950f5dd5c103f1ab88b9f1bdbe5be501 |
| SHA512 | 8df61c2aa68b1ffef973d60bfa46c1fb0566ddc64f84729e459bc5d587daeab2cdc0ab5a69db3bb57bad1b2067969db06a83d9066c71215a2bd7e1f416b7c0a7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
| MD5 | 5fd19293fa5acf9323ebc45b5df49b06 |
| SHA1 | 6f0c22c0f40a1a4ac7abf31c7e3ba977bd3a133a |
| SHA256 | 659ad4fec79f03ac2f1c9fc81371a426cefd6abaef8edad4403a71f29088a261 |
| SHA512 | 595e552e6202d7b22615eff1fecb35ad0fdf7506dd70dd3b708b7342b119a3f885bbdb0709785401a991b5de55cd4043c6398baa2a9b6a45ca390687e99aa697 |
memory/1852-20-0x00000000018D0000-0x00000000018D1000-memory.dmp
memory/1852-22-0x0000000000B10000-0x000000000141C000-memory.dmp