Malware Analysis Report

2024-11-15 06:25

Sample ID 240705-rf7leascpd
Target !ŞetUp_51286--#PaSꞨKḙy#$$.rar
SHA256 cbfc287e66b97d1c47dd11e81b188287e086c27cc4882e0ab9d5c6eef8d60c92
Tags lumma, spyware, stealer
Score 10/10

Analysis Overview

Score

10/10

SHA256

cbfc287e66b97d1c47dd11e81b188287e086c27cc4882e0ab9d5c6eef8d60c92

Threat Level: Known bad

The file !ŞetUp_51286--#PaSꞨKḙy#$$.rar was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-07-05 14:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 14:09

Reported

2024-07-05 14:12

Platform

win7-20240508-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 14:09

Reported

2024-07-05 14:12

Platform

win10v2004-20240704-en

Max time kernel

125s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description                         Indicator  Process                                      Target
PID 452 set thread context of 2812  N/A        C:\Users\Admin\AppData\Local\Temp\Setup.exe  C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Setup.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\more.com                 N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3764,i,5095735526234624271,6356691058050835509,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3032,i,5095735526234624271,6356691058050835509,262144 --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:3

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 68.158.67.172.in-addr.arpa udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 downloadfile123.xyz udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/452-0-0x00007FFA97A60000-0x00007FFA97A7C000-memory.dmp

memory/452-4-0x00007FFA97A78000-0x00007FFA97A79000-memory.dmp

memory/452-5-0x00007FFA97A60000-0x00007FFA97A7C000-memory.dmp

memory/452-6-0x00007FFA97A60000-0x00007FFA97A7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\260e4e8c

MD5 65d7e154affbe8639a1e6181b9847f62
SHA1 39248e29dc810d04785502f111d7a35b358f7c3f
SHA256 0955169f187f260c08c9b67bdbd7e54057ecf2d5e2f0dda9470e821335c62764
SHA512 8afc98d1a978ba428a941cfa1687431b1e40525f1f833cec75b29912eb72a812d493c522b32bffffef4338c8568874d543bb4e86f76a8d48371a4a893a516212

memory/2812-10-0x00007FFAA51D0000-0x00007FFAA53C5000-memory.dmp

memory/2812-11-0x00000000757C0000-0x00000000757D4000-memory.dmp

memory/2812-13-0x00000000757C0000-0x00000000757D4000-memory.dmp

memory/2812-12-0x00000000757CE000-0x00000000757D0000-memory.dmp

memory/2812-15-0x00000000757C0000-0x00000000757D4000-memory.dmp

memory/4816-16-0x00007FFAA51D0000-0x00007FFAA53C5000-memory.dmp

memory/4816-17-0x0000000000810000-0x0000000000868000-memory.dmp

memory/4816-18-0x0000000000ADB000-0x0000000000AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4816-25-0x0000000000810000-0x0000000000868000-memory.dmp

memory/2812-26-0x00000000757CE000-0x00000000757D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856