Malware Analysis Report

2024-11-30 05:21

Sample ID 240709-xbbk3a1amb
Target Launcher.exe
SHA256 385acfc374741d089060df1d9f5b5a7d1e118976b4c1fa75a127d41758969206
Tags lumma, spyware, stealer
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 385acfc374741d089060df1d9f5b5a7d1e118976b4c1fa75a127d41758969206

Threat Level: Known bad

The file Launcher.exe was found to be: Known bad.

Malicious Activity Summary

Tags: lumma, spyware, stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-09 18:40

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted         2024-07-09 18:40
Reported          2024-07-09 19:14
Platform          win10-20240404-en
Max time kernel   314s
Max time network  1593s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

Signatures

Lumma Stealer (tags: stealer, lumma)

Accesses cryptocurrency files/wallets, possible credential harvesting (tags: spyware)

Suspicious use of SetThreadContext

Description:  PID 4604 set thread context of 4552
Indicator:    N/A
Process:      C:\Users\Admin\AppData\Local\Temp\Launcher.exe
Target:       C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Suspicious use of AdjustPrivilegeToken

Description:  Token: SeDebugPrivilege
Indicator:    N/A
Process:      C:\Users\Admin\AppData\Local\Temp\Launcher.exe
Target:       N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Launcher.exe (PID 4604, per the SetThreadContext signature)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 4552, target of the SetThreadContext call)
  Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Network

Country  Destination        Domain                       Proto
US       8.8.8.8:53         civilizzzationo.shop         udp
US       104.21.67.34:443   civilizzzationo.shop         tcp
US       104.21.67.34:443   civilizzzationo.shop         tcp
US       8.8.8.8:53         34.67.21.104.in-addr.arpa    udp
US       104.21.67.34:443   civilizzzationo.shop         tcp
US       104.21.67.34:443   civilizzzationo.shop         tcp
US       104.21.67.34:443   civilizzzationo.shop         tcp
US       8.8.8.8:53         23.236.111.52.in-addr.arpa   udp
US       8.8.8.8:53         211.143.182.52.in-addr.arpa  udp
US       8.8.8.8:53         81.144.22.2.in-addr.arpa     udp

Files

memory/4604-4-0x00007FF6F29F0000-0x00007FF6F410E000-memory.dmp

memory/4552-5-0x00000000006F0000-0x000000000073F000-memory.dmp

memory/4552-9-0x00000000006F0000-0x000000000073F000-memory.dmp

memory/4552-8-0x00000000006F0000-0x000000000073F000-memory.dmp

memory/4604-6-0x00007FF6F29F0000-0x00007FF6F410E000-memory.dmp

memory/4552-10-0x00000000006F0000-0x000000000073F000-memory.dmp
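The behavioral1 signatures, process list, network table and memory dumps above describe one chain: an unsigned binary launched from the user's temp directory, holding SeDebugPrivilege, sets the thread context of a Windows-signed process (BitLockerToGo.exe), after which the sandbox dumps a region from that target process and sees TLS traffic to a single domain. The script below is an added example, not part of the report or of any sandbox vendor's tooling. It takes those records as constructed input copied from the page and derives what an analyst would pull out by hand: the injection chain, the size of the dumped region in the target PID, and a de-duplicated IOC list. The record layout, the function names and the hollowing heuristic (temp-dir source process, Windows-directory target) are this example's own assumptions.

```python
"""Triage helper for the behavioral1 section above. Added example, not part of
the sandbox report or of any vendor's tooling. The records below are constructed
input copied from the page; the field layout and the hollowing heuristic are this
example's own assumptions."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "385acfc374741d089060df1d9f5b5a7d1e118976b4c1fa75a127d41758969206"

# (signature name, description, process, target), as in the report's signature tables.
SIGNATURES = [
    ("Suspicious use of SetThreadContext", "PID 4604 set thread context of 4552",
     r"C:\Users\Admin\AppData\Local\Temp\Launcher.exe",
     r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege",
     r"C:\Users\Admin\AppData\Local\Temp\Launcher.exe", None),
]

# (country, destination, domain, proto), as in the report's Network table.
NETWORK = [
    ("US", "8.8.8.8:53", "civilizzzationo.shop", "udp"),
    ("US", "104.21.67.34:443", "civilizzzationo.shop", "tcp"),
    ("US", "104.21.67.34:443", "civilizzzationo.shop", "tcp"),
    ("US", "8.8.8.8:53", "34.67.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
]

# Dump names from the report's Files section: memory/<pid>-<n>-<start>-<end>-memory.dmp
MEMORY_DUMPS = [
    "memory/4604-4-0x00007FF6F29F0000-0x00007FF6F410E000-memory.dmp",
    "memory/4552-5-0x00000000006F0000-0x000000000073F000-memory.dmp",
    "memory/4552-9-0x00000000006F0000-0x000000000073F000-memory.dmp",
    "memory/4604-6-0x00007FF6F29F0000-0x00007FF6F410E000-memory.dmp",
]

SET_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def is_user_writable(path):
    """Heuristic (assumption): anything under the user's local temp directory."""
    return "\\appdata\\local\\temp\\" in path.lower()


def is_windows_binary(path):
    """Heuristic (assumption): anything under C:\\Windows\\, normally signed Microsoft code."""
    return path.lower().startswith("c:\\windows\\")


def find_hollowing(signatures):
    """Return (src_pid, dst_pid, src, dst) for each SetThreadContext call that goes
    from a temp-dir binary into a Windows binary: the process-hollowing shape."""
    hits = []
    for name, desc, proc, target in signatures:
        if name != "Suspicious use of SetThreadContext" or target is None:
            continue
        m = SET_CTX_RE.fullmatch(desc)
        if m and is_user_writable(proc) and is_windows_binary(target):
            hits.append((int(m.group(1)), int(m.group(2)), proc, target))
    return hits


def dumped_regions(dumps):
    """Map pid -> sorted distinct (start, end) regions the sandbox dumped.
    Repeated dumps of the same range collapse to one region."""
    regions = defaultdict(set)
    for name in dumps:
        m = DUMP_RE.fullmatch(name)
        if m:
            regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return {pid: sorted(r) for pid, r in regions.items()}


def region_size(region):
    start, end = region
    return end - start


def extract_iocs(network, sha256):
    """Collect the contacted domain and non-DNS endpoints. Reverse lookups
    (*.in-addr.arpa) are the sandbox resolving peers, not attacker infrastructure."""
    domains, endpoints = set(), set()
    for _country, dest, domain, proto in network:
        if domain.endswith(".in-addr.arpa"):
            continue
        ip, port = dest.rsplit(":", 1)
        domains.add(domain)
        if port != "53":  # 8.8.8.8:53 is the resolver, not the C2
            endpoints.add((ip, int(port), proto))
    return {"sha256": sha256, "domains": sorted(domains), "endpoints": sorted(endpoints)}


def triage():
    hits = find_hollowing(SIGNATURES)
    regions = dumped_regions(MEMORY_DUMPS)
    iocs = extract_iocs(NETWORK, SAMPLE_SHA256)
    for src_pid, dst_pid, src, dst in hits:
        print(f"hollowing: {src} (PID {src_pid}) -> {dst} (PID {dst_pid})")
        for r in regions.get(dst_pid, []):
            print(f"  dumped region in target: 0x{r[0]:X}-0x{r[1]:X} ({region_size(r)} bytes)")
    print("iocs:", iocs)
    return hits, regions, iocs


if __name__ == "__main__":
    triage()
```

The single dumped region in PID 4552 (0x6F0000-0x73F000, 0x4F000 bytes) is the range worth carving and scanning for the stealer payload; the two dumps of PID 4604 cover the same large range and are the loader image itself. The reverse lookups of 52.x and 2.x addresses in the original table are left out of the IOC list because the report gives no evidence tying them to the sample.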