Malware Analysis Report

2024-11-30 05:23

Sample ID 240710-me2xbascmj
Target #!SETuP_9050_PA@$sW0rd!~!.zip
SHA256 0a89f60c9186d7e4ea96d84bd2634a50e68b2eac0859e7185ea5bf4d6709a725
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a89f60c9186d7e4ea96d84bd2634a50e68b2eac0859e7185ea5bf4d6709a725

Threat Level: Known bad

The file #!SETuP_9050_PA@$sW0rd!~!.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-10 10:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-10 10:23

Reported

2024-07-10 10:29

Platform

win11-20240709-en

Max time kernel

90s

Max time network

205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5028 set thread context of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"

C:\Windows\SysWOW64\more.com
Command line: C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe
Command line: C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 172.67.146.61:443 bannngwko.shop tcp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 68.158.67.172.in-addr.arpa udp
US 172.67.146.97:443 bargainnykwo.shop tcp
US 104.21.6.254:443 affecthorsedpo.shop tcp
US 104.21.68.158:443 radiationnopp.shop tcp
US 104.21.44.192:443 answerrsdo.shop tcp
US 104.21.25.154:443 publicitttyps.shop tcp
US 104.21.81.128:443 benchillppwo.shop tcp
GB 23.214.143.155:443 steamcommunity.com tcp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp

Files

memory/5028-0-0x00007FFC1C2F0000-0x00007FFC1C75C000-memory.dmp

memory/5028-4-0x00007FFC1C308000-0x00007FFC1C309000-memory.dmp

memory/5028-5-0x00007FFC1C2F0000-0x00007FFC1C75C000-memory.dmp

memory/5028-6-0x00007FFC1C2F0000-0x00007FFC1C75C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eea07689

MD5 9b6228bc521bff5684d643138e2b5e34
SHA1 f0f70e635c90582d44da4ffabd09b3e29be4114d
SHA256 d434c7c4b6b48835e939956b5d33c22279e73b54685fab0fe9ec3b49e1795ca0
SHA512 8400606c87ec53d03e6233b8f892b65da94ea3fc05fc63777b7c2c7675f9e127b930a86f8f61b0d5f8944d1a44808f93e3db4879f305d7e062d58fbd07fe9e38

memory/2300-9-0x00007FFC1E380000-0x00007FFC1E589000-memory.dmp

memory/2300-11-0x00000000751AE000-0x00000000751B0000-memory.dmp

memory/2300-10-0x00000000751A0000-0x00000000755DB000-memory.dmp

memory/2300-12-0x00000000751A0000-0x00000000755DB000-memory.dmp

memory/2300-14-0x00000000751A0000-0x00000000755DB000-memory.dmp

memory/3568-15-0x00007FFC1E380000-0x00007FFC1E589000-memory.dmp

memory/3568-16-0x0000000000AA0000-0x0000000000B07000-memory.dmp

memory/3568-17-0x0000000000A0B000-0x0000000000A12000-memory.dmp

memory/3568-18-0x0000000000AA0000-0x0000000000B07000-memory.dmp

memory/2300-19-0x00000000751AE000-0x00000000751B0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 10:23

Reported

2024-07-10 10:30

Platform

win7-20240704-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 10:23

Reported

2024-07-10 10:29

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

207s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"

Signatures

Lumma Stealer (tags: stealer, lumma)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 560 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"

C:\Windows\SysWOW64\more.com
Command line: C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe
Command line: C:\Windows\SysWOW64\SearchIndexer.exe
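The win11 (behavioral3) and win10 (behavioral2) runs show the same shape: the unsigned Setup.exe in the user's Temp directory spawns more.com from SysWOW64 and sets its thread context (a cross-process SetThreadContext paired with WriteProcessMemory and MapViewOfSection is the process hollowing pattern), and a SysWOW64 SearchIndexer.exe follows. The report does not record SearchIndexer.exe's parent; the chain below assumes more.com spawned it. What follows is an added hunting example written for this page, not sandbox output or code from the report. The Sysmon-style event fields (pid, ppid, image, signed), the parent PID 4120 and the notepad.exe filler row are assumptions; the PIDs 560, 2044 and 3256 and the SetThreadContext pairing are taken from the behavioral2 section.

```python
"""Hunt for the process chain in this report: an unsigned binary under the
user's Temp directory spawning Windows system binaries, plus a cross-process
SetThreadContext from that binary into its own child (hollowing shape).
Added example; the event schema is an assumption, not the sandbox's format."""
import re
from collections import defaultdict

# Constructed events modelled on the behavioral2 process list (PIDs 560, 2044,
# 3256). The parent of SearchIndexer.exe is assumed to be more.com; the report
# lists the process but not its parent. The notepad row is benign filler.
EVENTS = [
    {"pid": 560, "ppid": 4120, "signed": False,
     "image": r"C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"},
    {"pid": 2044, "ppid": 560, "signed": True,
     "image": r"C:\Windows\SysWOW64\more.com"},
    {"pid": 3256, "ppid": 2044, "signed": True,
     "image": r"C:\Windows\SysWOW64\SearchIndexer.exe"},
    {"pid": 7000, "ppid": 4120, "signed": True,
     "image": r"C:\Windows\System32\notepad.exe"},
]

# From the report's "Suspicious use of SetThreadContext" row:
# "PID 560 set thread context of 2044".
THREAD_CONTEXT = [{"source_pid": 560, "target_pid": 2044}]

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_temp_unsigned(ev):
    return bool(USER_TEMP.match(ev["image"])) and not ev["signed"]


def is_system_binary(ev):
    return ev["image"].lower().startswith(SYSTEM_DIRS)


def find_suspicious_chains(events):
    """Every root-to-leaf chain that starts at an unsigned Temp binary and
    passes through at least one Windows system binary, as image basenames."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    def leaves(ev, chain):
        chain = chain + [ev]
        kids = children.get(ev["pid"], [])
        if not kids:
            return [chain]
        return [c for kid in kids for c in leaves(kid, chain)]

    chains = []
    for root in events:
        if not is_temp_unsigned(root):
            continue
        for chain in leaves(root, []):
            if any(is_system_binary(ev) for ev in chain[1:]):
                chains.append([basename(ev["image"]) for ev in chain])
    return chains


def hollowing_candidates(events, ctx_events):
    """SetThreadContext from an unsigned Temp binary into a system binary it
    spawned itself: the pairing behind the report's signature."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ctx in ctx_events:
        src = by_pid.get(ctx["source_pid"])
        dst = by_pid.get(ctx["target_pid"])
        if (src and dst and is_temp_unsigned(src) and is_system_binary(dst)
                and dst["ppid"] == src["pid"]):
            hits.append((basename(src["image"]), basename(dst["image"])))
    return hits


if __name__ == "__main__":
    for chain in find_suspicious_chains(EVENTS):
        print("chain:", " -> ".join(chain))
    for src, dst in hollowing_candidates(EVENTS, THREAD_CONTEXT):
        print("thread context write:", src, "->", dst)
```

more.com is a console pager with no legitimate reason to be a child of an installer, so the first rule fires on the spawn alone; the second rule needs a telemetry source that records cross-process thread-context changes, which the sandbox provides here and which an EDR may or may not expose. The chain check deliberately ignores the archive's odd name and the password-protected ZIP: those are delivery details, while the Temp-binary-to-system-binary chain is the part that survives repacking.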

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 8.8.8.8:53 bannngwko.shop udp
US 104.21.81.196:443 bannngwko.shop tcp
US 8.8.8.8:53 bargainnykwo.shop udp
US 104.21.47.93:443 bargainnykwo.shop tcp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 56.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 affecthorsedpo.shop udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 8.8.8.8:53 radiationnopp.shop udp
US 172.67.196.169:443 radiationnopp.shop tcp
US 8.8.8.8:53 answerrsdo.shop udp
US 104.21.44.192:443 answerrsdo.shop tcp
US 8.8.8.8:53 196.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 93.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 169.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 publicitttyps.shop udp
US 172.67.134.88:443 publicitttyps.shop tcp
US 8.8.8.8:53 benchillppwo.shop udp
US 172.67.160.230:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 192.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 88.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 230.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 48.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
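Both network tables (behavioral3 and behavioral2 above) mix the things an analyst wants, the .shop domains contacted over 443 and the addresses they resolved to, with reverse lookups of every address the sandbox touched and ordinary Windows background traffic. The following is an added example of turning the flattened table into indicators; it is not sandbox output or code from the report. The rows are copied from the behavioral2 table (abridged), plus one row from the win11 run so the same domain appears with two different addresses. Which names count as sandbox noise and which legitimate services deserve review is analyst judgment, not something the report states.

```python
"""Turn the flattened network table into usable indicators: drop reverse
lookups and sandbox noise, keep the contacted domains with the addresses they
resolved to, and set aside legitimate services that need an analyst's eye.
Added example, not sandbox output."""
import re
from collections import defaultdict

# Rows copied from the report's behavioral2 table (abridged), plus one row from
# the win11 run (172.67.158.68) to show one domain resolving differently.
NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 104.21.81.196:443 bannngwko.shop tcp
US 104.21.47.93:443 bargainnykwo.shop tcp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 172.67.196.169:443 radiationnopp.shop tcp
US 104.21.44.192:443 answerrsdo.shop tcp
US 172.67.134.88:443 publicitttyps.shop tcp
US 172.67.160.230:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
                 r"(?P<name>\S+)\s+(?P<proto>tcp|udp)$")

# Analyst judgment (assumption, not from the report): Windows/Edge background
# traffic seen in most sandbox runs, and legitimate services worth a look.
SANDBOX_NOISE = {"g.bing.com"}
REVIEW = {"steamcommunity.com"}


def extract_iocs(table, noise=SANDBOX_NOISE, review=REVIEW):
    """Return {"c2": {domain: [ips]}, "review": {domain: [ips]}}.
    udp rows are the DNS query to the resolver (8.8.8.8): they prove a lookup
    happened but carry no address for the domain; only tcp rows do."""
    c2, flagged = defaultdict(set), defaultdict(set)
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, ip, proto = m["name"], m["ip"], m["proto"]
        if name.endswith(".in-addr.arpa") or name in noise:
            continue
        bucket = flagged if name in review else c2
        bucket.setdefault(name, set())  # keep the domain even if only looked up
        if proto == "tcp":
            bucket[name].add(ip)
    return {"c2": {d: sorted(ips) for d, ips in c2.items()},
            "review": {d: sorted(ips) for d, ips in flagged.items()}}


def domain_blocklist(iocs):
    """Domains to block, one per entry; addresses are left out on purpose."""
    return sorted(iocs["c2"])


if __name__ == "__main__":
    result = extract_iocs(NETWORK_TABLE)
    for domain in domain_blocklist(result):
        print(domain, ",".join(result["c2"][domain]))
    print("review:", result["review"])
```

The addresses are left out of the blocklist deliberately: every .shop domain resolved into Cloudflare space (104.16.0.0/13 and 172.64.0.0/13), and the same domain came back with different addresses in the two runs, so blocking by IP would hit unrelated sites and miss the next rotation. steamcommunity.com is kept separate rather than dropped as noise: Lumma is widely reported to read its current C2 domain from a Steam community profile page, so the row belongs to the chain, but a block on that host is rarely acceptable and an alert on it from an unexpected process (here a SysWOW64 system binary) is the better control.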

Files

memory/560-0-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp

memory/560-4-0x00007FF80DB28000-0x00007FF80DB29000-memory.dmp

memory/560-5-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp

memory/560-6-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2bf26277

MD5 3c86d53901d761a894864f5fd9aa515f
SHA1 a88c42d0cde8434db6211d0facdca55316349cbf
SHA256 bc81c8c917d4f6a72882bbd00abaecc3cb9204f6d42634f75f59dd8949d0fb1d
SHA512 fdb36b4bdfa745fa345568b588e0e9f00083e367a46e1743133c7333d9071848eaafbdb490c371d8ae15a9a0164343dc53044667a1b33f98627161046538d71a

memory/2044-9-0x00007FF80E030000-0x00007FF80E225000-memory.dmp

memory/2044-11-0x000000007751E000-0x0000000077520000-memory.dmp

memory/2044-10-0x0000000077510000-0x000000007794C000-memory.dmp

memory/2044-12-0x0000000077510000-0x000000007794C000-memory.dmp

memory/2044-14-0x0000000077510000-0x000000007794C000-memory.dmp

memory/3256-15-0x00007FF80E030000-0x00007FF80E225000-memory.dmp

memory/3256-16-0x0000000000130000-0x0000000000197000-memory.dmp

memory/2044-19-0x000000007751E000-0x0000000077520000-memory.dmp

memory/3256-20-0x000000000066B000-0x0000000000672000-memory.dmp

memory/3256-21-0x0000000000130000-0x0000000000197000-memory.dmp
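The memory dump names in the Files sections above encode the process ID, a sequence number and the start and end address of the dumped region, and the same region is often dumped several times as the run progresses. Reading them by hand is tedious and the addresses carry more information than they seem to. The following is an added example that parses the names from the behavioral2 (win10) Files section, deduplicates repeated regions and ranks them for triage; it is not sandbox output or code from the report. The address-range tiers are an analyst heuristic and an assumption, not something the report states.

```python
"""Make sense of the sandbox's memory dump names. Each name encodes
PID-sequence-start-end; the same region is often dumped several times, and
the address alone says a lot about what the region is likely to be.
Added example; the address tiers are a heuristic, not from the report."""
import re
from collections import defaultdict

# Names copied from the report's behavioral2 (win10) Files section.
DUMPS = [
    "memory/560-0-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp",
    "memory/560-4-0x00007FF80DB28000-0x00007FF80DB29000-memory.dmp",
    "memory/560-5-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp",
    "memory/560-6-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp",
    "memory/2044-9-0x00007FF80E030000-0x00007FF80E225000-memory.dmp",
    "memory/2044-11-0x000000007751E000-0x0000000077520000-memory.dmp",
    "memory/2044-10-0x0000000077510000-0x000000007794C000-memory.dmp",
    "memory/2044-12-0x0000000077510000-0x000000007794C000-memory.dmp",
    "memory/2044-14-0x0000000077510000-0x000000007794C000-memory.dmp",
    "memory/3256-15-0x00007FF80E030000-0x00007FF80E225000-memory.dmp",
    "memory/3256-16-0x0000000000130000-0x0000000000197000-memory.dmp",
    "memory/2044-19-0x000000007751E000-0x0000000077520000-memory.dmp",
    "memory/3256-20-0x000000000066B000-0x0000000000672000-memory.dmp",
    "memory/3256-21-0x0000000000130000-0x0000000000197000-memory.dmp",
]

DUMP_NAME = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                       r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def tier(start):
    """Heuristic (assumption): where a region sits hints at what it is."""
    if start >= 0x7FF0_0000_0000:
        return "x64 image range"          # 64-bit DLL/EXE mappings
    if 0x7000_0000 <= start < 0x8000_0000:
        return "wow64 system dll range"   # 32-bit ntdll/kernel32 in a WOW64 process
    return "low private region"           # heap/VirtualAlloc: where payloads land


def summarize(names):
    """pid -> {(start, end): {"size", "tier", "seqs"}}, merging repeat dumps."""
    regions = defaultdict(dict)
    for name in names:
        d = parse_dump_name(name)
        entry = regions[d["pid"]].setdefault(
            (d["start"], d["end"]),
            {"size": d["size"], "tier": tier(d["start"]), "seqs": []})
        entry["seqs"].append(d["seq"])
    return dict(regions)


def triage_candidates(summary, min_size=0x10000):
    """Largest low private region per PID, the dump to carve first for an
    unpacked payload. Returns pid -> (start, size)."""
    out = {}
    for pid, regs in summary.items():
        low = [(k, v) for k, v in regs.items()
               if v["tier"] == "low private region" and v["size"] >= min_size]
        if low:
            (start, _end), v = max(low, key=lambda kv: kv[1]["size"])
            out[pid] = (start, v["size"])
    return out


if __name__ == "__main__":
    summary = summarize(DUMPS)
    for pid, regs in sorted(summary.items()):
        for (start, end), v in sorted(regs.items()):
            print(f"{pid:>5} {start:#018x}-{end:#018x} {v['size']:#9x} "
                  f"{v['tier']:24} dumped {len(v['seqs'])}x")
    print("triage first:", triage_candidates(summary))
```

On this report the ranking points at SearchIndexer.exe (PID 3256): its 0x130000-0x197000 region is the only sizeable low private allocation, and it is 0x67000 bytes. The win11 run shows the same thing in a different place: SearchIndexer.exe there (PID 3568) carries 0xAA0000-0xB07000, also 0x67000 bytes. A region of identical size appearing in the same target process across two platforms is the kind of consistency that makes it the right dump to carve for the final payload, ahead of the large regions in the 0x7FF... range, which are the 64-bit images the loader maps in every process and in more.com's 0x775... range, which is where the 32-bit system DLLs of a WOW64 process live.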