General

  • Target

    RobloxPlayerLauncher (2).exe

  • Size

    1.5MB

  • Sample

    240711-sqxdvsvckd

  • MD5

    ab590156d632a29449502d2286d71cd0

  • SHA1

    e6ed301af1ac1868e2dd557196f1bda54610c01d

  • SHA256

    1652d06b5aeda8b65065689bcf87976bbd5ff79bf3e643e52f6e45f4d6f6c58d

  • SHA512

    a44f63e075ac5e1b0ff6e9d941f9ae0b0ebcdbba8e7763cb60e0fc4e509bda5cb248f00076c47fc2d0789b942b1c0c7a7cb59870dee81238c74225aefca216aa

  • SSDEEP

    49152:V7ldcJTtYOyVCfnelnJTAaWi9OFtTKwMUPMQ3dAJsTZVETnw:tT2tYblGVt

Malware Config

Extracted

Family

lumma

C2

https://bargainnykwo.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

https://extorteauhhwigw.shop/api

https://applyzxcksdia.shop/api

https://replacedoxcjzp.shop/api

https://declaredczxi.shop/api

https://catchddkxozvp.shop/api

https://arriveoxpzxo.shop/api

https://contemplateodszsv.shop/api

https://bindceasdiwozx.shop/api

https://conformfucdioz.shop/api
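The 18 C2 URLs above share one shape (a throwaway .shop domain with an /api path), so the useful hunt is on the hostnames, which appear in DNS logs before any TLS session shows a path. The script below is an added example for this page, not part of the sandbox report: it lifts the hostnames out of the extracted config and runs them over log lines. The two log shapes it understands (a DNS log with "query: <name>" and a proxy log with "host=<name>") and the log lines themselves are constructed for illustration; adapt HOST_RE to the real log format.

```python
"""Match the Lumma C2 hosts from this report against DNS/proxy log lines.

Added example for this page, not part of the sandbox report. Log formats
and log lines below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# The 18 C2 URLs listed in the report's extracted config.
LUMMA_C2 = [
    "https://bargainnykwo.shop/api",
    "https://bouncedgowp.shop/api",
    "https://bannngwko.shop/api",
    "https://affecthorsedpo.shop/api",
    "https://radiationnopp.shop/api",
    "https://answerrsdo.shop/api",
    "https://publicitttyps.shop/api",
    "https://benchillppwo.shop/api",
    "https://reinforcedirectorywd.shop/api",
    "https://extorteauhhwigw.shop/api",
    "https://applyzxcksdia.shop/api",
    "https://replacedoxcjzp.shop/api",
    "https://declaredczxi.shop/api",
    "https://catchddkxozvp.shop/api",
    "https://arriveoxpzxo.shop/api",
    "https://contemplateodszsv.shop/api",
    "https://bindceasdiwozx.shop/api",
    "https://conformfucdioz.shop/api",
]


def c2_hosts(urls):
    """Hostnames only: the same domains show up in plain DNS queries
    long before any TLS session exposes the /api path."""
    return {urlparse(u).hostname.lower() for u in urls}


def host_matches(host, iocs):
    """Exact match or any subdomain of an IOC domain (cdn.<ioc>).
    A trailing dot from a DNS log is stripped; 'notbargainnykwo.shop'
    does not match because the suffix check requires a dot boundary."""
    host = host.lower().rstrip(".")
    return host in iocs or any(host.endswith("." + ioc) for ioc in iocs)


# Constructed log shapes: "query: <name>" (DNS) and "host=<name>" (proxy).
HOST_RE = re.compile(r"(?:query:\s*|host=)([A-Za-z0-9.-]+)")


def scan_logs(lines, iocs):
    """Return (line_number, host) for every line whose host hits the IOC set."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if m and host_matches(m.group(1), iocs):
            hits.append((n, m.group(1).lower().rstrip(".")))
    return hits


# Constructed sample log lines; not captured traffic.
SAMPLE_LOGS = [
    "2024-07-11T10:00:01Z dns client 10.0.0.5 query: www.roblox.com A",
    "2024-07-11T10:00:07Z dns client 10.0.0.5 query: bargainnykwo.shop A",
    "2024-07-11T10:00:08Z proxy src=10.0.0.5 host=bargainnykwo.shop method=POST path=/api status=200",
    "2024-07-11T10:00:09Z dns client 10.0.0.5 query: cdn.declaredczxi.shop. A",
    "2024-07-11T10:00:15Z proxy src=10.0.0.6 host=notbargainnykwo.shop method=GET path=/ status=200",
]

if __name__ == "__main__":
    for n, host in scan_logs(SAMPLE_LOGS, c2_hosts(LUMMA_C2)):
        print(f"line {n}: {host}")
```

Matching on the registered domain rather than the full URL is deliberate: Lumma samples rotate the path and subdomains far less often than they rotate domains, and a DNS hit is the earliest signal a network sensor will have.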

Targets

    • Target

      RobloxPlayerLauncher (2).exe

    • Size

      1.5MB

    • MD5

      ab590156d632a29449502d2286d71cd0

    • SHA1

      e6ed301af1ac1868e2dd557196f1bda54610c01d

    • SHA256

      1652d06b5aeda8b65065689bcf87976bbd5ff79bf3e643e52f6e45f4d6f6c58d

    • SHA512

      a44f63e075ac5e1b0ff6e9d941f9ae0b0ebcdbba8e7763cb60e0fc4e509bda5cb248f00076c47fc2d0789b942b1c0c7a7cb59870dee81238c74225aefca216aa

    • SSDEEP

      49152:V7ldcJTtYOyVCfnelnJTAaWi9OFtTKwMUPMQ3dAJsTZVETnw:tT2tYblGVt

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Use of msiexec (install) with remote resource

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag so it raises no debug events; an anti-analysis technique.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class to detach a thread from an attached debugger; an anti-analysis technique.

    • Suspicious use of SetThreadContext

      Rewrites another thread's register context, commonly used to redirect execution into injected code.
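The persistence signatures above (Active Setup, Image File Execution Options, Run key, COM hijacking, Browser Helper Object) all live in a handful of registry locations, and a responder with a `reg export` of the relevant hives can triage them offline. The script below is an added example for this page, not part of the sandbox report or the sample: it parses the text format `reg export` produces (string values only), lists every entry under those locations, and flags an IFEO Debugger redirect, any BHO registration, and any launch path under a user-writable directory. The .reg content, the CLSIDs and the file paths in it are constructed for illustration; the user-writable-path heuristic is an assumption for ranking, not a verdict, and this sample is reported to drop files in System32 and the Drivers directory, so unflagged entries still deserve a look.

```python
"""Triage persistence keys in an exported .reg file: Active Setup, IFEO,
Run keys, COM InprocServer32 and Browser Helper Objects.

Added example for this page, not part of the sandbox report. Consumes the
text produced by `reg export` (REG_SZ values only); the .reg sample below
is constructed, with placeholder CLSIDs and paths.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "label key name path flagged reason")

# Key-path patterns for the persistence locations the report's signatures name.
WATCHED = [
    ("Active Setup", re.compile(r"\\Active Setup\\Installed Components\\", re.I)),
    ("IFEO",         re.compile(r"\\Image File Execution Options\\", re.I)),
    ("Run key",      re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)),
    ("COM server",   re.compile(r"\\CLSID\\\{[^}]+\}\\InprocServer32$", re.I)),
    ("BHO",          re.compile(r"\\Browser Helper Objects\\\{[^}]+\}$", re.I)),
]
# Assumption used only to rank hits: directories a standard user can write to.
USER_WRITABLE = re.compile(r"\\(?:users|programdata|temp|tmp)\\", re.I)
# "name"=data or @=data; data is kept only when it is a quoted REG_SZ.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Executable part of a command line: the quoted token, else up to the extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|cmd|bat|vbs|js|ps1))', re.I)


def unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(["\\])', r'\1', s)


def exe_path(command):
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def classify(key):
    for label, rx in WATCHED:
        if rx.search(key):
            return label
    return None


def triage_reg(text):
    findings, key, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key, label = line[1:-1], classify(line[1:-1])
            if label == "BHO":  # the BHO key is the CLSID; the DLL lives under CLSID\{...}\InprocServer32
                findings.append(Finding(label, key, "", "", True, "BHO registration"))
            continue
        if label is None or label == "BHO":
            continue
        m = VALUE_RE.match(line)
        if not m or not m.group(2).startswith('"'):
            continue  # dword/hex data is not examined here
        name = "(Default)" if m.group(1) is None else unescape(m.group(1))
        path = exe_path(unescape(m.group(2)[1:-1]))
        if label == "IFEO":
            flagged = name.lower() == "debugger"
            reason = "Debugger redirect" if flagged else ""
        else:
            flagged = bool(USER_WRITABLE.search(path))
            reason = "user-writable path" if flagged else ""
        findings.append(Finding(label, key, name, path, flagged, reason))
    return findings


# Constructed .reg export (placeholder CLSIDs and paths), not from the sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"Version"="1,0,0,0"
"StubPath"="C:\\Users\\victim\\AppData\\Roaming\\Launcher\\updater.exe /q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe]
"Debugger"="C:\\ProgramData\\svchelper.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RobloxUpdate"="\"C:\\Users\\victim\\AppData\\Local\\Temp\\RobloxPlayerLauncher (2).exe\" --silent"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000003}]
"NoExplorer"=dword:00000001
'''

if __name__ == "__main__":
    for f in triage_reg(SAMPLE_REG):
        print(("!! " if f.flagged else "   ") + f"{f.label:12} {f.name or '-':14} {f.path} {f.reason}")
```

On a live host the same logic applies to `reg export HKLM\SOFTWARE hklm.reg` (and HKCU, plus the Wow6432Node paths, which the patterns above also match because they anchor on the key suffix rather than the hive root).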

MITRE ATT&CK Enterprise v15

Tasks