General

  • Target

    ClientAppSettings.json

  • Size

    3KB

  • Sample

    240706-whcahaxflq

  • MD5

    7a3ddecfa7f54d37a3a682ff672ddc5b

  • SHA1

    336e6ec98ec7ede6fecf0ca57009ed300ba5b187

  • SHA256

    d58416aa991d70de03d3d80c8ea1290107222cfa1d4d1714047f878b559d3c11

  • SHA512

    34f84b828576d2dc5f805c4939deb9e7436eb2d75154d7f1f6e2707b9cb07551e376a2b295ffdc97d37ce3e65b8331a1f919c3817efb742634f929b1cc1f4f57

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    194.28.224.2
  • Port:
    21
  • Username:
    anonymous
  • Password:
    anonymous@

Extracted

Family

lumma

C2

https://bannngwko.shop/api

Targets

    • Target

      ClientAppSettings.json

    Score
    10/10
    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks