Overview

overview

10

Static

static

1

!ŞetUp_92...up.exe

windows7-x64

10

!ŞetUp_92...up.exe

windows10-2004-x64

10

!ŞetUp_92...up.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    !ŞetUp_92517--#PaSꞨKḙy#$$.zip

  • Size

    40.1MB

  • Sample

    240710-meszeasckn

  • MD5

    15ad98f84df2ac3b755eb07fbfcb4ff7

  • SHA1

    08e4373b278d440c8b2cfb6e450624fa48bc70a1

  • SHA256

    0ca3b1c2202d5107d74e28fca4a84a8da8fbe9799297ea82f016e9aecce3fdab

  • SHA512

    dbbe89c99ab805c6fa29e3cee5d8b003afb060ffa524ba95f98f64a5deac479aa193f5ebe119bed06696a7d64a1a6c896ffcbc26aaaed02f34040e5dfa564059

  • SSDEEP

    786432:5wsoemkAd6WRCnXaXmYZJi8WiQym4ZOP82Fq44Ux+nEe+TWqoy1C1YRItlA:5wsojkAdns8U8WFyV2uUYEe+Thoy1Ql0

Score
10/10
banloadlummadownloaderdropperevasionpersistenceprivilege_escalationstealertrojan

Malware Config

Extracted

Family

lumma

C2

https://unwielldyzpwo.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

Targets

    • Target

      !ŞetUp_92517--#PaSꞨKḙy#$$/Setup.exe

    • Size

      8.5MB

    • MD5

      98169506fec94c2b12ba9930ad704515

    • SHA1

      bce662a9fb94551f648ba2d7e29659957fd6a428

    • SHA256

      9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

    • SHA512

      7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

    • SSDEEP

      196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK

    Score
    10/10
    banloaddownloaderdropperevasionpersistenceprivilege_escalationtrojanlummastealer

    • Banload

      Banload variants download malicious files, then install and execute the files.

      trojandropperdownloaderbanload

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Tasks