General

  • Target: Aura.zip
  • Size: 55.7MB
  • Sample: 240707-dbywtasall
  • MD5: fb26d96e2c201d8d5450885315a0bf6b
  • SHA1: fb85ef8d5a04bf9e3de58aae46a8969698a6914d
  • SHA256: d6f82672effc3953b496924547d4a165bd3838a30235bc4116abae63cfc04391
  • SHA512: 50e503794c95534082e205370460167e22928d6023b4c94712a3d1ff7b147f0a56547bcd821dc8fc2fd11ef5d9edf110271ec6708d5bd4f6901526fe159ea65e
  • SSDEEP: 1572864:pc6X6iokYuTzQtdeEzEsEFA0HD5ZqMuWIjPPzr5C:ZqioR0z8gfVdVuWAHzE

Malware Config

Extracted

  • Family: lumma
  • C2: https://bargainnykwo.shop/api

Targets

    • Target: Aura/Aura.exe
    • Size: 533KB
    • MD5: 106261b3414a009549eecb0dfa8eb52b
    • SHA1: 0c40118dea5b6071c68811887a1e88615f6e02ec
    • SHA256: dea98a88803caf3843401d91cbd22be0412b3d22393ee50a9a08efd34052a083
    • SHA512: e4ccd6c7369aa124c227ca051a34a1d7058838c24af606031c6bb851c913f76cb35c886b54a0c25900239e85e19456245df3b60e52e3827e1be672ba5af544e9
    • SSDEEP: 12288:SVRaZCLIN5/0Qji5gkJSwvzjOi2B+l3hayppyhOEO:SVEEL08Qjie8/LSi2gRhabYt

    • Lumma Stealer
      An infostealer written in C++, first seen in August 2022.
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Reads user/profile data of web browsers
      Infostealers commonly target stored browser data, which can include saved credentials, cookies and session tokens.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software installed on the system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks