General

  • Target

    dlllist.txt

  • Size

    35B

  • Sample

    240705-trnzjstfmd

  • MD5

    ff98c62757cb7c9f5dbedcd67d3781f6

  • SHA1

    82076991ee9a824bcf9969b416fcc163d02a6160

  • SHA256

    662dd415e2796635702c49586fb99ae62a3c6f595976d6923ec8a4e7c23fa8fe

  • SHA512

    42973bbb4feb375354684c0356c45bfa7f0bf63056906244c2c0ac89720326cfa41c9aa51e2522d1d9da66c019ccf3dba570a732007e8b3306e66920faaae791

Malware Config

Extracted

  • Family

    lumma

  • C2

    https://bouncedgowp.shop/api

Targets

    • Target

      dlllist.txt

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks