General

  • Target: ratecon.exe
  • Size: 174KB
  • Sample: 240710-wp3q2asbjr
  • MD5: e88090688568737d446e4deeb010ca30
  • SHA1: 5f96db7467fb79c71cbcc3366ad5715d9c8d4b3c
  • SHA256: adfec68a396185a6741875b8c5a7bc01a59f6638667c0c1efaacb4d6382026f1
  • SHA512: 3dab64e33a2516cdf691d0be630503e2eca43c73b7de1658179403c9a3263c2e45c9795f9e09af5c5300d415995ac5e7ec111ca0018558ad5861290010036ffd
  • SSDEEP: 3072:XahKyd2n31W5GWp1icKAArDZz4N9GhbkrNEk6aL3x:XahO2p0yN90QEE

Malware Config

Extracted

  • Family: lumma
  • C2:
      https://handyxczos.shop/api
      https://bouncedgowp.shop/api
      https://bannngwko.shop/api
      https://bargainnykwo.shop/api
      https://affecthorsedpo.shop/api
      https://radiationnopp.shop/api
      https://answerrsdo.shop/api
      https://publicitttyps.shop/api
      https://benchillppwo.shop/api
      https://reinforcedirectorywd.shop/api

Targets

    • Target: ratecon.exe
    • Size: 174KB
    • MD5: e88090688568737d446e4deeb010ca30
    • SHA1: 5f96db7467fb79c71cbcc3366ad5715d9c8d4b3c
    • SHA256: adfec68a396185a6741875b8c5a7bc01a59f6638667c0c1efaacb4d6382026f1
    • SHA512: 3dab64e33a2516cdf691d0be630503e2eca43c73b7de1658179403c9a3263c2e45c9795f9e09af5c5300d415995ac5e7ec111ca0018558ad5861290010036ffd
    • SSDEEP: 3072:XahKyd2n31W5GWp1icKAArDZz4N9GhbkrNEk6aL3x:XahO2p0yN90QEE

    • Lumma Stealer
      An infostealer written in C++, first seen in August 2022.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell with its display window hidden.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely as a geofence.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks