Malware Analysis Report

2024-11-30 05:27

Sample ID 240711-ccxjpssenm
Target 0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4
SHA256 0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4

Threat Level: Known bad

The file 0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4 was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-11 01:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 01:56

Reported

2024-07-11 01:57

Platform

win7-20240705-en

Max time kernel

13s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4.exe

"C:\Users\Admin\AppData\Local\Temp\0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4.exe"

Network

N/A

Files

memory/2460-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

memory/2460-1-0x0000000001220000-0x00000000012C2000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 bb25a1b9cc4e7f73119c5d88501a3f42
SHA1 a60d282ad86582e3a4a1aac56ec93fc6232bec21
SHA256 94563140c985b4d77ccff4f39b9af9d882847100018b26e63032a529158b75d1
SHA512 3ca098d3e3b50a4d6a70dc6e1197f3e7af5d1cbb2cf9c0fcc392e9db4a6de2e0616f29d995e825d35dd67cfebcb0caebcdfe9fd3a42456db88220a1500774974

memory/2460-6-0x0000000076760000-0x0000000076821000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 01:56

Reported

2024-07-11 01:57

Platform

win10v2004-20240709-en

Max time kernel

34s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4508 wrote to memory of 1740 (9 calls) N/A C:\Users\Admin\AppData\Local\Temp\0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

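The rows above are the injection half of a process-hollowing chain: an unsigned executable launched from the user's Temp directory (PID 4508) writes repeatedly into a freshly started, Microsoft-signed .NET utility (aspnet_regiis.exe, PID 1740), and the summary also flags SetThreadContext, which is how the hollowed host is pointed at the written payload. The script below is an added example by the editor, not part of the Triage report: it parses indicator rows in this exact format, collapses the repeated calls, and scores each writer/target pair on the traits a responder would key on. The user-writable directory list and the .NET hollowing-host watch list are the editor's assumptions, not something the sandbox emits.

```python
import re
from collections import Counter

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4.exe")
HOST_EXE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

# The behavioral2 "Suspicious use of WriteProcessMemory" table: Triage emits one row per
# call, and this detonation recorded nine identical rows.
SIGNATURE_ROWS = [f"PID 4508 wrote to memory of 1740 N/A {SAMPLE_EXE} {HOST_EXE}"] * 9

# "PID <src> wrote to memory of <dst> <indicator> <process> <target>"; the paths in these
# rows carry no spaces, so a whitespace split is enough here.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# Locations a standard user can write to (assumption: editor's list). A binary launched
# from one of these that writes into another process is the loader -> hollowed-host shape.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\downloads\\")

# Microsoft-signed .NET utilities that .NET loaders routinely hollow because they exist on
# every machine with the Framework installed (assumption: editor's watch list).
DOTNET_HOSTS = {"aspnet_regiis.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe"}


def parse_rows(rows):
    """Yield (src_pid, dst_pid, src_path, dst_path) for every row that matches."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src_pid, dst_pid, _indicator, src, dst = m.groups()
            yield int(src_pid), int(dst_pid), src, dst


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess(rows):
    """Collapse repeated rows and score each (writer, target) pair from 0 to 4."""
    findings = []
    for (src_pid, dst_pid, src, dst), n in Counter(parse_rows(rows)).items():
        reasons = []
        if src_pid != dst_pid:
            reasons.append("cross-process write")
        if any(d in src.lower() for d in USER_WRITABLE):
            reasons.append("writer launched from a user-writable directory")
        if dst.lower().startswith("c:\\windows\\"):
            reasons.append("target lives under C:\\Windows")
        if basename(dst) in DOTNET_HOSTS:
            reasons.append("target is a known .NET hollowing host")
        findings.append({"src_pid": src_pid, "dst_pid": dst_pid, "writer": basename(src),
                         "target": basename(dst), "calls": n,
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in assess(SIGNATURE_ROWS):
        print(f"[{f['score']}/4] {f['writer']} (pid {f['src_pid']}) -> "
              f"{f['target']} (pid {f['dst_pid']}), {f['calls']} WriteProcessMemory calls")
        for r in f["reasons"]:
            print("    -", r)
```

On this report the single pair scores 4/4 with nine calls. The same rule set applied to an EDR feed (Sysmon event ID 8 or 10, or an ETW Threat-Intelligence provider) is where it earns its keep: the score drops to 1 for ordinary same-process writes and to 2 for installers under Program Files, so the .NET-host hit stands out without a hash.
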
Processes

C:\Users\Admin\AppData\Local\Temp\0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4.exe

"C:\Users\Admin\AppData\Local\Temp\0991b89416529ba9430580b936b91fbd22692c4ccf0b95a1146db10b6d55efc4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 demandlinzei.shop udp
US 104.21.37.245:443 demandlinzei.shop tcp
US 8.8.8.8:53 applyzxcksdia.shop udp
US 172.67.183.118:443 applyzxcksdia.shop tcp
US 8.8.8.8:53 replacedoxcjzp.shop udp
US 104.21.39.50:443 replacedoxcjzp.shop tcp
US 8.8.8.8:53 declaredczxi.shop udp
US 104.21.65.19:443 declaredczxi.shop tcp
US 8.8.8.8:53 245.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 118.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 catchddkxozvp.shop udp
US 172.67.220.79:443 catchddkxozvp.shop tcp
US 8.8.8.8:53 arriveoxpzxo.shop udp
US 104.21.53.167:443 arriveoxpzxo.shop tcp
US 8.8.8.8:53 contemplateodszsv.shop udp
US 104.21.36.154:443 contemplateodszsv.shop tcp
US 8.8.8.8:53 79.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 167.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 bindceasdiwozx.shop udp
US 104.21.39.48:443 bindceasdiwozx.shop tcp
US 8.8.8.8:53 conformfucdioz.shop udp
US 172.67.158.114:443 conformfucdioz.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 48.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 154.36.21.104.in-addr.arpa udp
US 8.8.8.8:53 114.158.67.172.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 98.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
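Most of the rows above are not the sample's doing: every `.in-addr.arpa` query is the sandbox reverse-resolving an address it has already seen, and `g.bing.com` is background traffic from the Windows 10 image. What remains is ten `.shop` domains, each resolved to a Cloudflare address and then contacted on 443 in sequence, plus one connection to `steamcommunity.com`. The script below is an added example by the editor, not part of the report: it parses this table layout, discards the sandbox noise, and emits one IOC record per domain the sample actually connected to, marking which ones sit behind Cloudflare. The noise allowlist and the two Cloudflare prefixes are the editor's assumptions (the prefixes are a subset of Cloudflare's published IPv4 ranges and should be refreshed before use). `steamcommunity.com` is deliberately kept in the output for analyst review: Lumma has been widely reported to fetch its current C2 list from a Steam profile page, but nothing in this report shows the page content, so it stays a flag, not a verdict.

```python
import ipaddress
from collections import defaultdict

# Rows copied verbatim from the behavioral2 Network table (Country Destination Domain Proto).
NETWORK_TABLE = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 demandlinzei.shop udp
US 104.21.37.245:443 demandlinzei.shop tcp
US 8.8.8.8:53 applyzxcksdia.shop udp
US 172.67.183.118:443 applyzxcksdia.shop tcp
US 8.8.8.8:53 replacedoxcjzp.shop udp
US 104.21.39.50:443 replacedoxcjzp.shop tcp
US 8.8.8.8:53 declaredczxi.shop udp
US 104.21.65.19:443 declaredczxi.shop tcp
US 8.8.8.8:53 245.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 118.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 catchddkxozvp.shop udp
US 172.67.220.79:443 catchddkxozvp.shop tcp
US 8.8.8.8:53 arriveoxpzxo.shop udp
US 104.21.53.167:443 arriveoxpzxo.shop tcp
US 8.8.8.8:53 contemplateodszsv.shop udp
US 104.21.36.154:443 contemplateodszsv.shop tcp
US 8.8.8.8:53 79.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 167.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 bindceasdiwozx.shop udp
US 104.21.39.48:443 bindceasdiwozx.shop tcp
US 8.8.8.8:53 conformfucdioz.shop udp
US 172.67.158.114:443 conformfucdioz.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 48.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 154.36.21.104.in-addr.arpa udp
US 8.8.8.8:53 114.158.67.172.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 98.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
"""

# Traffic a clean Windows 10 VM generates on its own (assumption: editor's allowlist).
SANDBOX_NOISE = {"g.bing.com"}

# Cloudflare IPv4 prefixes covering the 104.21.x and 172.67.x addresses in the table
# (assumption: subset of Cloudflare's published list; refresh before relying on it).
CLOUDFLARE = [ipaddress.ip_network("104.16.0.0/13"), ipaddress.ip_network("172.64.0.0/13")]


def parse_network_table(text):
    """Return {domain: {"resolved": set(ip), "connected": bool}}, dropping PTR lookups,
    which the sandbox performs on every IP it observes rather than the sample."""
    hosts = defaultdict(lambda: {"resolved": set(), "connected": False})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, domain, proto = parts
        if domain.endswith(".in-addr.arpa"):
            continue
        ip, _port = dest.rsplit(":", 1)
        entry = hosts[domain]          # a bare DNS query still records the domain
        if proto == "tcp":             # the udp rows carry the resolver's IP, not the host's
            entry["resolved"].add(ip)
            entry["connected"] = True
    return dict(hosts)


def behind_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE)


def extract_iocs(text):
    """One record per domain the sample connected to, excluding sandbox noise."""
    iocs = []
    for domain, info in sorted(parse_network_table(text).items()):
        if domain in SANDBOX_NOISE or not info["connected"]:
            continue
        iocs.append({"domain": domain, "ips": sorted(info["resolved"]),
                     "cloudflare_fronted": all(behind_cloudflare(ip) for ip in info["resolved"])})
    return iocs


if __name__ == "__main__":
    for ioc in extract_iocs(NETWORK_TABLE):
        print(f"{'CF' if ioc['cloudflare_fronted'] else '  '} {ioc['domain']:28} "
              + ", ".join(ioc["ips"]))
```

Block the domains, not the addresses: the 104.21.x and 172.67.x endpoints are shared Cloudflare edges, so an IP-based rule would also cut off unrelated sites, while the ten `.shop` names are single-purpose and cheap for the operator to replace, which is exactly why the sample carries so many of them.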

Files

memory/4508-0-0x000000007501E000-0x000000007501F000-memory.dmp

memory/4508-1-0x0000000000EC0000-0x0000000000F62000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 bb25a1b9cc4e7f73119c5d88501a3f42
SHA1 a60d282ad86582e3a4a1aac56ec93fc6232bec21
SHA256 94563140c985b4d77ccff4f39b9af9d882847100018b26e63032a529158b75d1
SHA512 3ca098d3e3b50a4d6a70dc6e1197f3e7af5d1cbb2cf9c0fcc392e9db4a6de2e0616f29d995e825d35dd67cfebcb0caebcdfe9fd3a42456db88220a1500774974

memory/1740-8-0x0000000000700000-0x0000000000755000-memory.dmp

memory/1740-12-0x0000000000700000-0x0000000000755000-memory.dmp

memory/1740-16-0x0000000000700000-0x0000000000755000-memory.dmp

memory/4508-17-0x0000000075010000-0x00000000757C0000-memory.dmp

memory/4508-18-0x0000000075010000-0x00000000757C0000-memory.dmp