Malware Analysis Report

2024-11-13 14:19

Sample ID 240704-wc1qxa1cjj
Target ezyzip.zip
SHA256 df4d859ead3eedc85f206be1822330eaf0cf9f65889f244be231e7de0446b7ad
Tags
lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df4d859ead3eedc85f206be1822330eaf0cf9f65889f244be231e7de0446b7ad

Threat Level: Known bad

The file ezyzip.zip was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 17:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 17:47

Reported

2024-07-04 17:51

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ezyzip.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ezyzip.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 17:47

Reported

2024-07-04 17:51

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ezyzip.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ezyzip.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 17:47

Reported

2024-07-04 17:49

Platform

win7-20240419-en

Max time kernel

15s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\github_installer.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\github_installer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\github_installer.exe

"C:\Users\Admin\AppData\Local\Temp\github_installer.exe"

Network

N/A

Files

memory/2368-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

memory/2368-1-0x00000000000D0000-0x0000000000164000-memory.dmp

memory/2368-2-0x00000000002B0000-0x00000000002B6000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 ff0531892270c9da7859e1adf5e0bf65
SHA1 9087ff214b0228efddbd68e043685234ba0d7932
SHA256 3fb33acf13aaafdd8d26fc70cab223812f8bf286550e620a09f91155a0b7b86e
SHA512 7995903d039ba81c837e6a7fe5fdaaf3e003115f2bd826cc9940fccb77ceca0ae2f6ccb56eca5fda1acf2bbc579e7e9ae4fb54df39ee626a2de23ddcdec81c27

memory/2368-7-0x0000000075830000-0x00000000758F1000-memory.dmp

memory/2368-8-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-04 17:47

Reported

2024-07-04 17:51

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\github_installer.exe"

Signatures

Lumma Stealer

stealer lumma

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\github_installer.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4456 set thread context of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\github_installer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Processes

C:\Users\Admin\AppData\Local\Temp\github_installer.exe

"C:\Users\Admin\AppData\Local\Temp\github_installer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
GB 184.28.176.49:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 stationacutwo.shop udp
US 172.67.172.239:443 stationacutwo.shop tcp
US 8.8.8.8:53 239.172.67.172.in-addr.arpa udp
US 172.67.172.239:443 stationacutwo.shop tcp
US 172.67.172.239:443 stationacutwo.shop tcp
US 172.67.172.239:443 stationacutwo.shop tcp
US 172.67.172.239:443 stationacutwo.shop tcp
GB 184.28.176.51:443 www.bing.com tcp
US 172.67.172.239:443 stationacutwo.shop tcp
US 8.8.8.8:53 51.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/4456-0-0x00000000751DE000-0x00000000751DF000-memory.dmp

memory/4456-1-0x0000000000690000-0x0000000000724000-memory.dmp

memory/4456-2-0x0000000005010000-0x0000000005016000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 ff0531892270c9da7859e1adf5e0bf65
SHA1 9087ff214b0228efddbd68e043685234ba0d7932
SHA256 3fb33acf13aaafdd8d26fc70cab223812f8bf286550e620a09f91155a0b7b86e
SHA512 7995903d039ba81c837e6a7fe5fdaaf3e003115f2bd826cc9940fccb77ceca0ae2f6ccb56eca5fda1acf2bbc579e7e9ae4fb54df39ee626a2de23ddcdec81c27

memory/4456-13-0x0000000077C71000-0x0000000077D91000-memory.dmp

memory/3684-12-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3684-15-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4456-14-0x00000000751D0000-0x0000000075980000-memory.dmp

memory/3684-9-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3684-16-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4456-17-0x00000000751D0000-0x0000000075980000-memory.dmp