General
-
Target
https://lunacy3.com/
-
Sample
240808-1kjjtazfpp
Malware Config
Extracted
lumma
https://bannertastylbaoeow.xyz/api
https://horizonvxjis.shop/api
https://effectivedoxzj.shop/api
https://parntorpkxzlp.shop/api
https://stimultaionsppzv.shop/api
https://grassytaisol.shop/api
https://broccoltisop.shop/api
https://shellfyyousdjz.shop/api
https://bravedreacisopm.shop/api
Targets
-
-
Target
https://lunacy3.com/
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Indicator Removal
1File Deletion
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1