Malware Analysis Report

2024-11-30 05:31

Sample ID 240709-2e8ges1fpd
Target file.zip
SHA256 44c183b28375248cb934a5d9f55f1f127f30f9f1f3371e0289401c04fad5d2b6
Tags
lumma stealer
score
10/10


Analysis Overview

score
10/10

SHA256

44c183b28375248cb934a5d9f55f1f127f30f9f1f3371e0289401c04fad5d2b6

Threat Level: Known bad

The file file.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-09 22:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 22:30

Reported

2024-07-09 22:34

Platform

win10v2004-20240709-en

Max time kernel

91s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1632 set thread context of 5044 N/A C:\Users\Admin\AppData\Local\Temp\file\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network


Files


C:\Users\Admin\AppData\Local\Temp\67cdaa50

MD5 99915155844f6f202bf99a5f856e5fb1
SHA1 3b6da09fec2a176e2847928e68678e1044e4318d
SHA256 c7da314dcc9037ec3a456e0fa1fb462e83944f45b96ba09ecad48026bacb90f3
SHA512 4c8c18937936eef7fff20dbf5c21fcc073b13a9fd02fb56ad594013de033cf42d5e2441db280ef59ce9e8dc2c2afebbdc53831fbe9497b19d11b6470add9d6df


Analysis: behavioral3

Detonation Overview

Submitted

2024-07-09 22:30

Reported

2024-07-09 22:34

Platform

win11-20240709-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3428 set thread context of 836 N/A C:\Users\Admin\AppData\Local\Temp\file\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network


Files


C:\Users\Admin\AppData\Local\Temp\594c048b

MD5 a3c548595110d12af15f95386035ee4c
SHA1 6cddcc22e751cf7230d2a460f9df4658af1dcf76
SHA256 92186f2ce9032a7e060009e95483455da22cabff72f36accb539bd80186a95cc
SHA512 ad795bb3609630a89d61e304a157e7096d81f1b176a75e675cd2875a4cc07218acba0e1c74437b2b0085f61024d132a47e086a51d6fae2d4b943a92ab1227a53


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 22:30

Reported

2024-07-09 22:32

Platform

win7-20240708-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"

Network

N/A

Files

N/A