Analysis Overview
SHA256
fa7c889816a23be0866e921876a0c343f5aec6376396bbcb566e3c94d24fcda9
Threat Level: Known bad
The file Loader.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 18:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 18:39
Reported
2024-07-09 18:40
Platform
win10v2004-20240709-en
Max time kernel
19s
Max time network
22s
Command Line
Signatures
Lumma Stealer
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 692 set thread context of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitchsafettyudjwu.shop | udp |
| US | 104.21.27.50:443 | bitchsafettyudjwu.shop | tcp |
| US | 104.21.27.50:443 | bitchsafettyudjwu.shop | tcp |
| US | 104.21.27.50:443 | bitchsafettyudjwu.shop | tcp |
| US | 8.8.8.8:53 | 50.27.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 104.21.27.50:443 | bitchsafettyudjwu.shop | tcp |
| US | 104.21.27.50:443 | bitchsafettyudjwu.shop | tcp |
| US | 104.21.27.50:443 | bitchsafettyudjwu.shop | tcp |
Files
memory/692-0-0x0000000001060000-0x0000000001061000-memory.dmp
memory/4996-1-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4996-3-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4996-4-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4996-5-0x0000000000400000-0x0000000000452000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 18:39
Reported
2024-07-09 18:40
Platform
win7-20240705-en
Max time kernel
0s
Max time network
4s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2452 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2452 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2452 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2452 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 112
Network
Files
memory/2452-0-0x00000000000F0000-0x00000000000F1000-memory.dmp