banload | d3d35ff8f3f4c305ccc30fd1b93c1f57fa5618aac9c66be7dfa96363322fb706 | Triage

Sharing

General

Target

!!SetUp_2244_PassW0rds$.zip
Size

10.4MB
Sample

240825-p3284aveqa
MD5

41ceb7544c4f077303f7d9d5e41ebd20
SHA1

c6a48ae6ba43446e98629929dd3e21656ebcf530
SHA256

d3d35ff8f3f4c305ccc30fd1b93c1f57fa5618aac9c66be7dfa96363322fb706
SHA512

8856ee797e7bfcd2b6f84adc76a2e651bd68bfe568a512689847e7c08d377aa5a0a1124fa0809e1d8459308e6bb747bd75676aa80a7f49ae725ee9ca419c0d45
SSDEEP

196608:J1pzZuTJozxpAKwhcyZov8FrKQ20/sIQ5I/EejqxXqZKerebfzRK:J1Lu67whRUGKhOxQiMxNereb7RK

Score

10^/10

banload lumma discovery downloader dropper evasion persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

lumma

C2

https://calcuatllitwop.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

https://condedqpwqm.shop/api

https://millyscroqwp.shop/api

https://stagedchheiqwo.shop/api

https://stamppreewntnq.shop/api

https://caffegclasiqwp.shop/api

https://tenntysjuxmz.shop/api

Targets

- Target
  
  Setup.exe
- Size
  
  8.5MB
- MD5
  
  98169506fec94c2b12ba9930ad704515
- SHA1
  
  bce662a9fb94551f648ba2d7e29659957fd6a428
- SHA256
  
  9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
- SHA512
  
  7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
- SSDEEP
  
  196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Score

10^/10

banload discovery downloader dropper evasion persistence privilege_escalation trojan lumma stealer
- Banload
  Banload variants download malicious files, then install and execute the files.
  trojan dropper downloader banload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

banloaddiscoverydownloaderdropperevasionpersistenceprivilege_escalationtrojan

behavioral2

banloaddiscoverydownloaderdropperevasionpersistenceprivilege_escalationtrojan

behavioral3

banloadlummadiscoverydownloaderdropperevasionpersistenceprivilege_escalationstealertrojan

behavioral4

banloaddiscoverydownloaderdropperevasionpersistenceprivilege_escalationtrojan