Malware Analysis Report

2024-11-30 05:27

Sample ID 240711-ehr8aazgmf
Target 4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd
SHA256 4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd

Threat Level: Known bad

The file 4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-11 03:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 03:56

Reported

2024-07-11 03:57

Platform

win7-20240708-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe

"C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 112

Network

N/A

Files

memory/3052-0-0x0000000000090000-0x0000000000091000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 03:56

Reported

2024-07-11 03:58

Platform

win10v2004-20240709-en

Max time kernel

41s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2040 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe

"C:\Users\Admin\AppData\Local\Temp\4502d00753405a4dda90486c8ba9a373fb9f08eef7bfc8a5cce63c2219a115fd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 demandlinzei.shop udp
US 172.67.216.112:443 demandlinzei.shop tcp
US 8.8.8.8:53 applyzxcksdia.shop udp
US 104.21.83.240:443 applyzxcksdia.shop tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 112.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 replacedoxcjzp.shop udp
US 104.21.39.50:443 replacedoxcjzp.shop tcp
US 8.8.8.8:53 declaredczxi.shop udp
US 172.67.139.95:443 declaredczxi.shop tcp
US 8.8.8.8:53 240.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 catchddkxozvp.shop udp
US 172.67.220.79:443 catchddkxozvp.shop tcp
US 8.8.8.8:53 arriveoxpzxo.shop udp
US 172.67.215.170:443 arriveoxpzxo.shop tcp
US 8.8.8.8:53 95.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 79.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 contemplateodszsv.shop udp
US 104.21.36.154:443 contemplateodszsv.shop tcp
US 8.8.8.8:53 bindceasdiwozx.shop udp
US 172.67.143.55:443 bindceasdiwozx.shop tcp
US 8.8.8.8:53 conformfucdioz.shop udp
US 172.67.158.114:443 conformfucdioz.shop tcp
US 8.8.8.8:53 170.215.67.172.in-addr.arpa udp
US 8.8.8.8:53 154.36.21.104.in-addr.arpa udp
US 8.8.8.8:53 55.143.67.172.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 114.158.67.172.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 48.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp

Files

memory/2040-0-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

memory/4500-1-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4500-3-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4500-4-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4500-5-0x0000000000400000-0x0000000000455000-memory.dmp