Overview

overview

10

Static

static

7

Install_x64.exe

windows7-x64

8

Install_x64.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Install_x64.exe.vir

  • Size

    152.8MB

  • Sample

    240817-qmbxmszhqr

  • MD5

    604062d27cc339e78ea521fe9006d644

  • SHA1

    170592ee65755f0d3dc182cd4868f114654dbf65

  • SHA256

    b04ea53d801862b98b10c1f83d899fdbb6f8685f02723dc11c26d5aea2abf9ad

  • SHA512

    34c4b9d53d09e6a9834dd1188c8ccb98f485478f45707ec17b9f898e2b328e2310d9c7339850b491de442111131c27918ac46eaa9b7001ce3306e7f9fffd2f3b

  • SSDEEP

    786432:dt20SZkMhfqpHCOdRIeoxOTx9ylnEk2Fd7yLie63pk3lLwmYEDz:dtKZkMMi5w9qEn7S6S3zY+

Score
10/10
lummastealcmainteamcredential_accessdefense_evasiondiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

mainteam

C2

http://147.45.47.68

Attributes
  • url_path

    /a8f961c72f0d877c.php

Extracted

Family

lumma

C2

https://samledwwekspzxp.shop/api

https://writerospzm.shop/api

https://deallerospfosu.shop/api

https://bassizcellskz.shop/api

https://languagedscie.shop/api

https://complaintsipzzx.shop/api

https://quialitsuzoxm.shop/api

https://tenntysjuxmz.shop/api

Targets

    • Target

      Install_x64.exe.vir

    • Size

      152.8MB

    • MD5

      604062d27cc339e78ea521fe9006d644

    • SHA1

      170592ee65755f0d3dc182cd4868f114654dbf65

    • SHA256

      b04ea53d801862b98b10c1f83d899fdbb6f8685f02723dc11c26d5aea2abf9ad

    • SHA512

      34c4b9d53d09e6a9834dd1188c8ccb98f485478f45707ec17b9f898e2b328e2310d9c7339850b491de442111131c27918ac46eaa9b7001ce3306e7f9fffd2f3b

    • SSDEEP

      786432:dt20SZkMhfqpHCOdRIeoxOTx9ylnEk2Fd7yLie63pk3lLwmYEDz:dtKZkMMi5w9qEn7S6S3zY+

    Score
    10/10
    executionlummastealcmainteamcredential_accessdefense_evasiondiscoveryspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks