Resubmissions

  • 26/10/2024, 20:07  241026-ywcjjaybnd  1

  • 26/10/2024, 20:06  241026-yvvzgswlgj  1

  • 26/10/2024, 20:06  241026-yvjlfsybmd  4

  • 26/10/2024, 20:05  241026-yt9fgswlfn  1

  • 26/10/2024, 20:04  241026-ytcrhsyhqr  1

  • 26/10/2024, 19:16  241026-xytp6avrgj  8

  • 01/08/2024, 00:01  240801-aa84lszhpn  10

General

  • Target

    KMS_VL_ALL_AIO-master.zip

  • Size

    12KB

  • Sample

    240801-aa84lszhpn

  • MD5

    01d4bc416d709adb626fefac8d2a0159

  • SHA1

    74095ff6e58fa3b70dfa5f455030f24e8be172a6

  • SHA256

    228bb528dc4202ca0ee4b88643607d2a5f13ed506b458f78fb9c7cf1637ba67c

  • SHA512

    c723af9eb11c82fbcb606b26bededc957854e121c27bcdbdde9343e257ea29f0270673589eb035b07b13fadfc16e6c4b6400d668fa7f4d9d20c47cb49af6e09d

  • SSDEEP

    192:b8Mmw2Vs5cpm0gkUyvwq/YkbZp5TbzBl70xWRsySpPIDoz4i/fCvyCQloZYGc92d:QVbCEh/70cpShMoU8bbL92+hVCCY

Malware Config

Extracted

  • Family

    lumma

  • C2

    https://kaminiasbbefow.shop/api
    https://applyzxcksdia.shop/api
    https://replacedoxcjzp.shop/api
    https://declaredczxi.shop/api
    https://catchddkxozvp.shop/api
    https://arriveoxpzxo.shop/api
    https://contemplateodszsv.shop/api
    https://bindceasdiwozx.shop/api
    https://conformfucdioz.shop/api

Extracted

  • Family

    lumma

  • C2

    https://applyzxcksdia.shop/api
    https://violanntyisopz.shop/api

Targets

    • Target

      KMS_VL_ALL_AIO-master.zip

    • Size

      12KB

    • MD5

      01d4bc416d709adb626fefac8d2a0159

    • SHA1

      74095ff6e58fa3b70dfa5f455030f24e8be172a6

    • SHA256

      228bb528dc4202ca0ee4b88643607d2a5f13ed506b458f78fb9c7cf1637ba67c

    • SHA512

      c723af9eb11c82fbcb606b26bededc957854e121c27bcdbdde9343e257ea29f0270673589eb035b07b13fadfc16e6c4b6400d668fa7f4d9d20c47cb49af6e09d

    • SSDEEP

      192:b8Mmw2Vs5cpm0gkUyvwq/YkbZp5TbzBl70xWRsySpPIDoz4i/fCvyCQloZYGc92d:QVbCEh/70cpShMoU8bbL92+hVCCY

    Score
    1/10
    • Target

      KMS_VL_ALL_AIO-master/LICENSE

    • Size

      34KB

    • MD5

      1ebbd3e34237af26da5dc08a4e440464

    • SHA1

      31a3d460bb3c7d98845187c716a30db81c44b615

    • SHA256

      3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986

    • SHA512

      d361e5e8201481c6346ee6a886592c51265112be550d5224f1a7a6e116255c2f1ab8788df579d9b8372ed7bfd19bac4b6e70e00b472642966ab5b319b99a2686

    • SSDEEP

      768:Fo1acy3LTB2VsrHG/OfvMmnBCtLmJ9A7J:Fhcycsrfrnoum

    Score
    1/10
    • Target

      KMS_VL_ALL_AIO-master/README.md

    • Size

      198B

    • MD5

      c4148b2a33c5d4dccd54c895e9a8cdfc

    • SHA1

      29a13950a93d0c0178e6dcc98743237a5ba9f721

    • SHA256

      b1beddcbe408e1eeca9b2171d9e2e1fc2c4202098b5c3768424867aa19b9187b

    • SHA512

      0176cfedfcde965045f8c18edcdb60ee1417f9e3a508e8baf443f31591542d936afcc065fd4de1433b14842f717415655380bc513a7b70a8ab09dbfd07bce95a

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15