Analysis Overview
SHA256
cced1a3811e37720251db4e3d5836ea94da430682863ca61b2ff9940b7d56965
Threat Level: Known bad
The file cced1a3811e37720251db4e3d5836ea94da430682863ca61b2ff9940b7d56965 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 10:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 10:37
Reported
2024-07-09 10:40
Platform
win10v2004-20240704-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Lumma Stealer
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\cced1a3811e37720251db4e3d5836ea94da430682863ca61b2ff9940b7d56965.exe
"C:\Users\Admin\AppData\Local\Temp\cced1a3811e37720251db4e3d5836ea94da430682863ca61b2ff9940b7d56965.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stationacutwo.shop | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 239.172.67.172.in-addr.arpa | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 10:37
Reported
2024-07-09 10:40
Platform
win11-20240704-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\cced1a3811e37720251db4e3d5836ea94da430682863ca61b2ff9940b7d56965.exe
"C:\Users\Admin\AppData\Local\Temp\cced1a3811e37720251db4e3d5836ea94da430682863ca61b2ff9940b7d56965.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stationacutwo.shop | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |