Malware Analysis Report

2024-11-15 06:25

Sample ID 240706-b6jz2avcrd
Target b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2.exe
SHA256 b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2
Tags
lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2

Threat Level: Known bad

The file b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2.exe was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 01:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 01:45

Reported

2024-07-06 02:04

Platform

win7-20240704-en

Max time kernel

12s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2.exe

"C:\Users\Admin\AppData\Local\Temp\b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2.exe"

Network

N/A

Files

memory/2488-0-0x000000013FBF0000-0x000000014010D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:45

Reported

2024-07-06 02:03

Platform

win10v2004-20240704-en

Max time kernel

94s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Processes

C:\Users\Admin\AppData\Local\Temp\b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2.exe

"C:\Users\Admin\AppData\Local\Temp\b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 radiationnopp.shop udp
US 172.67.196.169:443 radiationnopp.shop tcp
US 8.8.8.8:53 169.196.67.172.in-addr.arpa udp
US 172.67.196.169:443 radiationnopp.shop tcp
US 172.67.196.169:443 radiationnopp.shop tcp
US 172.67.196.169:443 radiationnopp.shop tcp
US 172.67.196.169:443 radiationnopp.shop tcp
US 172.67.196.169:443 radiationnopp.shop tcp
US 172.67.196.169:443 radiationnopp.shop tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/868-4-0x0000000000740000-0x0000000000797000-memory.dmp

memory/3524-5-0x00007FF75F5D0000-0x00007FF75FAED000-memory.dmp

memory/868-7-0x0000000000740000-0x0000000000797000-memory.dmp

memory/868-8-0x0000000000740000-0x0000000000797000-memory.dmp

memory/868-9-0x0000000000740000-0x0000000000797000-memory.dmp