General

  • Target

    d1ce164e0ebd78270699fc551d6d431566a008a2842451b9a56e4db464e4c109.zip

  • Size

    6.2MB

  • Sample

    240708-bvdnwayarf

  • MD5

    26de58ed11d2cdf292d9f9b5bf036b03

  • SHA1

    de7d7ff5cd8dd3bb6380d2a6d3721556610ca4c5

  • SHA256

    d1ce164e0ebd78270699fc551d6d431566a008a2842451b9a56e4db464e4c109

  • SHA512

    b854944130bd9609d2b528d84359dbd1b4f984d47fa3a4ab4d827cb6c32321e41aa49f606270198ea4c441079a030eb873b1b7f2e95aa5ae215455f13c63d81b

  • SSDEEP

    98304:NXC+Zn5rhA4edyKaxIV7kDZxGgiP8JcjUED3SKFUrb+WU0vKthT70LpmZ360QK:JCY5dudyGV787ik+jt7xZruKsLpmsy

Malware Config

Extracted

Family

lumma

C2

https://answerrsdo.shop/api

Targets

    • Target

    • Size

      113.1MB

    • MD5

      2e3e5073d22bbcd2f2b0bfea40c95f29

    • SHA1

      acc3917dd7d803e68475c966064bf60177934c78

    • SHA256

      c3030eb910a9a625cd7ccfb58c831efe98db82b6e20e294d101345c24c162a2e

    • SHA512

      bd8532d16d5e32763ae6e9f4aa1a3676226682edfab7b5a1efd132f5f76ce14a6bdf061271e02681818e1d55c1791e9e613677d6648075d1af61b51a4f5176e3

    • SSDEEP

      98304:jzGfaIjrga+OQlJMHIu5LKoo2A5FEtHU53KW1avHpgAE6H3ei3AaUi:QjP+OQlmyEUJ1avHe56XLAaU

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence so the sample can decide whether to run based on the victim's configured region.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg.exe controls the configurable power settings of a Windows host (sleep, hibernation, display and lock timeouts) and can be abused so that an infected machine never sleeps, locks or shuts down, keeping the malware resident and its C2 channel open.

    • Suspicious use of SetThreadContext

      Rewriting the context of a thread in another process is a common step in process hollowing and other injection techniques: a host process is started suspended, its memory is overwritten, and the thread's entry point is redirected before it is resumed.
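As an added example (not part of the sandbox report), the signatures above can be turned into a small hunt over endpoint or sandbox telemetry. The event layout is an assumption: a flattened mix of Sysmon-style process, file-create, image-load and network records plus API-trace records of the kind a sandbox emits. The events themselves are constructed to mimic this run; only the C2 host and the two SHA256 values are taken from the report, and the hashes of the other constructed processes are placeholders.

```python
"""Hunt for the behaviours listed in this report over a constructed event
stream. Added example, not the sandbox's own code; field names are assumed."""
import ntpath
import re
from collections import defaultdict

# Indicators taken directly from the report.
C2_HOST = "answerrsdo.shop"
SAMPLE_SHA256 = {
    "d1ce164e0ebd78270699fc551d6d431566a008a2842451b9a56e4db464e4c109",
    "c3030eb910a9a625cd7ccfb58c831efe98db82b6e20e294d101345c24c162a2e",
}
# Registry location of the configured GeoID (the "Nation" value).
GEO_KEY = r"hkey_current_user\control panel\international\geo"
# API order that characterises classic process hollowing.
HOLLOW_SEQ = ["createprocessw", "writeprocessmemory", "setthreadcontext", "resumethread"]
# Paths a normal user can write to; files created here count as "dropped".
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
# powercfg switches that change sleep/hibernate/timeout behaviour.
POWERCFG_ABUSE = re.compile(r"(?i)[/-](x|change|h|hibernate|setacvalueindex|setdcvalueindex)\b")

# Constructed events resembling what this run would produce (not real telemetry).
EVENTS = [
    {"kind": "process", "pid": 100, "image": r"C:\Users\u\Downloads\setup.exe",
     "cmdline": "setup.exe",
     "sha256": "c3030eb910a9a625cd7ccfb58c831efe98db82b6e20e294d101345c24c162a2e"},
    {"kind": "regquery", "pid": 100,
     "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo", "value": "Nation"},
    {"kind": "filecreate", "pid": 100, "path": r"C:\Users\u\AppData\Local\Temp\stage2.exe"},
    {"kind": "filecreate", "pid": 100, "path": r"C:\Users\u\AppData\Local\Temp\helper.dll"},
    {"kind": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe", "cmdline": "stage2.exe",
     "sha256": "00" * 32},  # placeholder hash
    {"kind": "imageload", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\helper.dll"},
    {"kind": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg /x standby-timeout-ac 0", "sha256": "11" * 32},  # placeholder hash
    {"kind": "api", "pid": 200, "api": "CreateProcessW", "flags": "CREATE_SUSPENDED"},
    {"kind": "api", "pid": 200, "api": "WriteProcessMemory"},
    {"kind": "api", "pid": 200, "api": "SetThreadContext"},
    {"kind": "api", "pid": 200, "api": "ResumeThread"},
    {"kind": "network", "pid": 200, "dest_host": "answerrsdo.shop",
     "url": "https://answerrsdo.shop/api"},
]


def is_subsequence(needle, haystack):
    """True if every item of needle appears in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(any(x == n for x in it) for n in needle)


def hunt(events):
    """Return (pid, finding) tuples; each rule corresponds to one report signature."""
    findings = []
    dropped = set()               # lower-cased paths written to user-writable dirs
    api_seq = defaultdict(list)   # pid -> ordered list of API names seen
    for ev in events:
        kind, pid = ev["kind"], ev["pid"]
        if kind == "process":
            if ev.get("sha256", "").lower() in SAMPLE_SHA256:
                findings.append((pid, "known sample hash"))
            if ev["image"].lower() in dropped:
                findings.append((pid, "executes dropped EXE"))
            if (ntpath.basename(ev["image"]).lower() == "powercfg.exe"
                    and POWERCFG_ABUSE.search(ev["cmdline"])):
                findings.append((pid, "power settings modified via powercfg"))
        elif kind == "filecreate" and USER_WRITABLE.search(ev["path"]):
            dropped.add(ev["path"].lower())
        elif kind == "imageload" and ev["path"].lower() in dropped:
            findings.append((pid, "loads dropped DLL"))
        elif kind == "regquery":
            if ev["key"].lower() == GEO_KEY and ev["value"].lower() == "nation":
                findings.append((pid, "checks computer location settings (Geo\\Nation)"))
        elif kind == "network" and ev["dest_host"].lower() == C2_HOST:
            findings.append((pid, "contact with Lumma C2 " + ev.get("url", C2_HOST)))
        elif kind == "api":
            api_seq[pid].append(ev["api"].lower())
    # Hollowing is judged per process once the whole trace has been read.
    for pid, seq in api_seq.items():
        if is_subsequence(HOLLOW_SEQ, seq):
            findings.append((pid, "suspicious use of SetThreadContext (hollowing pattern)"))
    return findings


if __name__ == "__main__":
    for pid, finding in hunt(EVENTS):
        print(f"pid {pid}: {finding}")
```

The dropped-file correlation is deliberately stateful: "executes dropped EXE" and "loads dropped DLL" only fire for paths that an earlier event in the same trace wrote, which is what separates a dropper chain from a user simply running something out of Downloads. Registry reads are not logged by Sysmon, so the Geo\Nation rule only works against API-trace style telemetry such as a sandbox produces.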

MITRE ATT&CK Enterprise v15

Tasks