General

  • Target

    setup.msi

  • Size

    34.8MB

  • Sample

    240710-lfe89szcmk

  • MD5

    6e619d3d24f58bfb7bd7e76a4756e258

  • SHA1

    890359e1e86525c4c14e975e762239878134b32d

  • SHA256

    5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431

  • SHA512

    1a1f432c3c8ed5c627b2724b1fc5600ba31859838445b67d137c29439345e48bebe16074c3d9f909958af31670764422b379d7ced52c13feca7468e25a10162e

  • SSDEEP

    786432:0qpRkI57hVSZmlNdonqUuhGMCiEIS/vTis1M:0qXT57jSZmGnqUezSTt

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://two-root.com/02074.bs64

Extracted

Family

lumma

C2

https://respectabledpcs.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

Targets

    • Target

      setup.msi

    • Size

      34.8MB

    • MD5

      6e619d3d24f58bfb7bd7e76a4756e258

    • SHA1

      890359e1e86525c4c14e975e762239878134b32d

    • SHA256

      5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431

    • SHA512

      1a1f432c3c8ed5c627b2724b1fc5600ba31859838445b67d137c29439345e48bebe16074c3d9f909958af31670764422b379d7ced52c13feca7468e25a10162e

    • SSDEEP

      786432:0qpRkI57hVSZmlNdonqUuhGMCiEIS/vTis1M:0qXT57jSZmGnqUezSTt

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks