Resubmissions

10-07-2024 23:37

240710-3mj98syeqb 10

10-07-2024 23:31

240710-3hybaswcqj 10

10-07-2024 23:21

240710-3b5f2awall 10

Analysis

  • max time kernel
    315s
  • max time network
    620s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    10-07-2024 23:37

General

  • Target

    !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip

  • Size

    2.7MB

  • MD5

    0bceb88aed8c6bb2f5d20c050af530b3

  • SHA1

    6ec563e2cc84bd115ca4c325f25860d9c7a57149

  • SHA256

    edef6777be8dbb15748bcf1332c0a7e49e5d8b8793ff23ccfb41da2d3ff1c0cc

  • SHA512

    eb3c3d5622684fa4f2d55b8307d6fef898404382a7fc8f2dc350bf6633cb700e5cae778d3315367f88d2b605ebe71a6d691bfd10b9432ce4c164ada9c85842f4

  • SSDEEP

    49152:c6B7KXGRde2dWchGri7yFjqsh+/Kq6AO96P2up7mnEhyha/h8:c6hKmdPWAx7DK+l6Q6EQX

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://bittercoldzzdwu.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++, first seen in August 2022.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
    1⤵
      PID:3604
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3396
      • C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe
        "C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe"
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3744
        • C:\Windows\SysWOW64\more.com
          C:\Windows\SysWOW64\more.com
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4236
          • C:\Windows\SysWOW64\SearchIndexer.exe
            C:\Windows\SysWOW64\SearchIndexer.exe
            3⤵
              PID:1280

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\5a1514fe

    Filesize

    1.1MB

    MD5

    ce5aad26f67385d60169d5e6de4c3cbe

    SHA1

    c1cf9100a732b5cf5530b097f5e2ac7c043885c4

    SHA256

    d8d634b29a61c4a5782d57726e078bf1139d3b4f7cb0f401a278aca08fba9bb5

    SHA512

    5428a0c6dd558a857feb98f25dbf621871926840c09482155aaa2811678a3566d4554bce1b7f51e944def68764faad4497e7670dfd07b535b3c951774b83ddd3

  • memory/1280-12-0x00007FFB84650000-0x00007FFB8482B000-memory.dmp

    Filesize

    1.9MB

  • memory/1280-13-0x0000000000580000-0x00000000005EB000-memory.dmp

    Filesize

    428KB

  • memory/1280-16-0x0000000000580000-0x00000000005EB000-memory.dmp

    Filesize

    428KB

  • memory/3744-0-0x0000000072A70000-0x0000000072B05000-memory.dmp

    Filesize

    596KB

  • memory/3744-1-0x00007FFB84650000-0x00007FFB8482B000-memory.dmp

    Filesize

    1.9MB

  • memory/3744-5-0x0000000072A70000-0x0000000072B05000-memory.dmp

    Filesize

    596KB

  • memory/4236-9-0x00007FFB84650000-0x00007FFB8482B000-memory.dmp

    Filesize

    1.9MB

  • memory/4236-10-0x0000000072A70000-0x0000000072B05000-memory.dmp

    Filesize

    596KB