lumma | dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

General

Target

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453.exe
Size

12KB
Sample

240714-lx1xaswapr
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

jony

C2

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

lumma

C2

https://replacedoxcjzp.shop/api

Targets

- Target
  
  dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453.exe
- Size
  
  12KB
- MD5
  
  a14e63d27e1ac1df185fa062103aa9aa
- SHA1
  
  2b64c35e4eff4a43ab6928979b6093b95f9fd714
- SHA256
  
  dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
- SHA512
  
  10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
- SSDEEP
  
  192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ
Score

10^/10

lumma phorphiex stealc vidar jony defense_evasion discovery evasion execution loader persistence privilege_escalation pyinstaller stealer trojan upx worm
- Detect Vidar Stealer
  stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies security service
  evasion
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2