General

  • Target

    https://www.youtube.com/redirect?event=channel_header&redir_token=QUFFLUhqa0U5S1Z3QmdoZEtMVzhqWUtJS0lOQXNtcThkQXxBQ3Jtc0ttSm9KLWpBZkdjYjk3V3FTS1VzS2ZITzNGMHlENmJDa1hqNVdQRWJSMTBuSnFMblZsSDdRVjZVaW1jZEhGQ2hiTTdGa0hXc183cVlPZ29QR1d1OTFUTmYtU0R5T056SXF2Q2hYaGdwNGRaUGlXWG5OUQ&q=https%3A%2F%2Fupload.advgroup.ru%2FmvWwiE4h

  • Sample

    240707-12tq4s1fkb

Malware Config

Extracted

Family

lumma

C2

https://bitchsafettyudjwu.shop/api

Targets

    • Target

      https://www.youtube.com/redirect?event=channel_header&redir_token=QUFFLUhqa0U5S1Z3QmdoZEtMVzhqWUtJS0lOQXNtcThkQXxBQ3Jtc0ttSm9KLWpBZkdjYjk3V3FTS1VzS2ZITzNGMHlENmJDa1hqNVdQRWJSMTBuSnFMblZsSDdRVjZVaW1jZEhGQ2hiTTdGa0hXc183cVlPZ29QR1d1OTFUTmYtU0R5T056SXF2Q2hYaGdwNGRaUGlXWG5OUQ&q=https%3A%2F%2Fupload.advgroup.ru%2FmvWwiE4h

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks