Malware Analysis Report

2024-11-13 14:19

Sample ID 240705-p45qlsydnj
Target wsltty-3.7.0.2-i686-install.exe
SHA256 aba457d49c99294c895f8df69714801019ad69a4931f04c7a5a9c50f0ab122a7
Tags
lumma discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aba457d49c99294c895f8df69714801019ad69a4931f04c7a5a9c50f0ab122a7

Threat Level: Known bad

The file wsltty-3.7.0.2-i686-install.exe was found to be: Known bad.

Malicious Activity Summary

lumma discovery spyware stealer

Lumma Stealer

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 12:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 12:53

Reported

2024-07-05 12:56

Platform

win10v2004-20240704-en

Max time kernel

133s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wsltty-3.7.0.2-i686-install.exe"

Signatures

Lumma Stealer

stealer lumma

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\wsltty-3.7.0.2-i686-install.exe

"C:\Users\Admin\AppData\Local\Temp\wsltty-3.7.0.2-i686-install.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4100,i,18261153038209191383,10347744459236715365,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3020,i,18261153038209191383,10347744459236715365,262144 --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:3

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 assignmentygassdyw.shop udp
US 172.67.200.52:443 assignmentygassdyw.shop tcp
US 172.67.200.52:443 assignmentygassdyw.shop tcp
US 8.8.8.8:53 52.200.67.172.in-addr.arpa udp
US 172.67.200.52:443 assignmentygassdyw.shop tcp
US 172.67.200.52:443 assignmentygassdyw.shop tcp
US 172.67.200.52:443 assignmentygassdyw.shop tcp
US 172.67.200.52:443 assignmentygassdyw.shop tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/388-0-0x00000000012C0000-0x0000000001311000-memory.dmp

memory/388-2-0x00000000012C0000-0x0000000001311000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856