Resubmissions

  • 10-07-2024 23:37  240710-3mj98syeqb  score 10/10
  • 10-07-2024 23:31  240710-3hybaswcqj  score 10/10
  • 10-07-2024 23:21  240710-3b5f2awall  score 10/10

Analysis

  • max time kernel
    315s
  • max time network
    398s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-es
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-es, locale:es-es, os:windows10-1703-x64, system:windows
  • submitted
    10-07-2024 23:31

General

  • Target

    !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip

  • Size

    2.7MB

  • MD5

    0bceb88aed8c6bb2f5d20c050af530b3

  • SHA1

    6ec563e2cc84bd115ca4c325f25860d9c7a57149

  • SHA256

    edef6777be8dbb15748bcf1332c0a7e49e5d8b8793ff23ccfb41da2d3ff1c0cc

  • SHA512

    eb3c3d5622684fa4f2d55b8307d6fef898404382a7fc8f2dc350bf6633cb700e5cae778d3315367f88d2b605ebe71a6d691bfd10b9432ce4c164ada9c85842f4

  • SSDEEP

    49152:c6B7KXGRde2dWchGri7yFjqsh+/Kq6AO96P2up7mnEhyha/h8:c6hKmdPWAx7DK+l6Q6EQX

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://bittercoldzzdwu.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
    1⤵
    PID:2372

  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4884

  • C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe
    "C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
        PID:4404
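
The process tree above shows the chain Setup.exe -> more.com -> SearchIndexer.exe, with the injection-related signatures (SetThreadContext, WriteProcessMemory, MapViewOfSection) attached to the two parents. The following is an added example, not code from the sandbox report or from the Lumma sample: it runs two parent/child rules over constructed Sysmon-style process-creation events. The four malicious rows reuse the report's PIDs and paths; the parent of Setup.exe (the report lists it at depth 1 without a parent) and the benign cmd.exe and services.exe rows are assumptions, added to show the rules stay quiet on ordinary use of the same binaries.

```python
"""Detection logic for the more.com -> SearchIndexer.exe hosting chain.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's process tree; the benign rows and the parent of
Setup.exe are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 style process-creation record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


ZIP = r"C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip"
SETUP = (r"C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~"
         r"\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe")

EVENTS = [
    # From the report (PID 2372); parent PID 1000 is a placeholder.
    ProcEvent(2372, 1000, r"C:\Windows\Explorer.exe",
              r"C:\Windows\Explorer.exe /idlist,," + ZIP),
    # Assumed: Setup.exe launched from Explorer (the report shows no parent).
    ProcEvent(1656, 2372, SETUP, '"' + SETUP + '"'),
    # From the report: Setup.exe -> more.com -> SearchIndexer.exe (SysWOW64).
    ProcEvent(3984, 1656, r"C:\Windows\SysWOW64\more.com",
              r"C:\Windows\SysWOW64\more.com"),
    ProcEvent(4404, 3984, r"C:\Windows\SysWOW64\SearchIndexer.exe",
              r"C:\Windows\SysWOW64\SearchIndexer.exe"),
    # Constructed benign rows: more.com paging output for a console shell, and
    # the Windows Search indexer started as a service by services.exe.
    ProcEvent(9000, 2372, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(9001, 9000, r"C:\Windows\System32\more.com", "more.com"),
    ProcEvent(700, 500, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(9002, 700, r"C:\Windows\System32\SearchIndexer.exe",
              "SearchIndexer.exe /Embedding"),
]

CONSOLE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM32 = r"c:\windows\system32"


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) for every event that matches one of the rules."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = _base(parent.image) if parent else "<unknown>"
        name = _base(e.image)
        # Rule 1: more.com is a console pager and is normally a child of a shell.
        # A copy started by an arbitrary executable (here Setup.exe) with nothing
        # to page is being used as a host process for injected code.
        if name == "more.com" and parent_name not in CONSOLE_SHELLS:
            findings.append((e.pid, f"more.com spawned by {parent_name}"))
        # Rule 2: the Windows Search indexer is the System32 binary started by
        # services.exe. The SysWOW64 copy under a user-mode parent is the
        # report's third-stage host, not the service.
        if name == "searchindexer.exe" and (
            ntpath.dirname(e.image).lower() != SYSTEM32
            or parent_name != "services.exe"
        ):
            findings.append((e.pid, f"SearchIndexer.exe from "
                                    f"{ntpath.dirname(e.image)} under {parent_name}"))
    return findings


def ancestry(events: list[ProcEvent], pid: int) -> list[str]:
    """Image basenames from pid up to the last parent present in the events."""
    by_pid = {e.pid: e for e in events}
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"PID {pid}: {reason}; chain: {' <- '.join(ancestry(EVENTS, pid))}")
```

Run against the constructed events, `detect` fires on PID 3984 (more.com under Setup.exe) and PID 4404 (SearchIndexer.exe from SysWOW64 under more.com) and stays silent on the cmd.exe and services.exe rows; `ancestry` walks the PPID links back to Explorer.exe, which is the lineage a responder would pull from the endpoint to reach the dropper.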

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fe1a37d4

    Filesize
    1.1MB

    MD5
    03ed35c1da1e7c102bb48e7e54a9d7a0

    SHA1
    3721b892d5718e8f8bf6e961d58eaed84ee0fdc5

    SHA256
    3f65eb58a19d90e872e8e36ffb1f03c35e7a5c0dff7bdac82034dfc52bd56dbe

    SHA512
    55a59f462e9363ecae179d59ee1954eb30a8f09099e1aead807c3b9542c13fe15af51798e2fdc82646708cf593f8d59114bcadd56e32739a0056369c2a3dc448

  • memory/1656-0-0x0000000072D40000-0x0000000072DD5000-memory.dmp

    Filesize
    596KB

  • memory/1656-1-0x00007FFDA3E30000-0x00007FFDA400B000-memory.dmp

    Filesize
    1.9MB

  • memory/1656-5-0x0000000072D40000-0x0000000072DD5000-memory.dmp

    Filesize
    596KB

  • memory/3984-9-0x00007FFDA3E30000-0x00007FFDA400B000-memory.dmp

    Filesize
    1.9MB

  • memory/3984-10-0x0000000072D40000-0x0000000072DD5000-memory.dmp

    Filesize
    596KB

  • memory/4404-12-0x00007FFDA3E30000-0x00007FFDA400B000-memory.dmp

    Filesize
    1.9MB

  • memory/4404-13-0x00000000009E0000-0x0000000000A4B000-memory.dmp

    Filesize
    428KB

  • memory/4404-14-0x00000000009E0000-0x0000000000A4B000-memory.dmp

    Filesize
    428KB