General

  • Target

    broadcom5.exe

  • Size

    13.2MB

  • Sample

    240909-jbmrfazcre

  • MD5

    de5df8536b7d4d9c45fc2e9c6639f24e

  • SHA1

    5394559d6e470025d886678f4d625a3d01f55d64

  • SHA256

    7382e6823dc5b6f0ae9b4a67f30a6fe8dc400dfa95278ec647d06e6550ada24e

  • SHA512

    b14c108ac482d54ee000b729170a765f4506ebeb1e7ebbfd7c4367e93cb1b46da642096d8191f1cea13e16b05c124fd7bdaea9323cb53c9a7b5d92629ed7ccad

  • SSDEEP

    393216:7DfYtlZKIfz5Nk7uSff1yosdxz60CptWbN/33YFEr:7D2lnkaSnCd00Cps/fr

Malware Config

Extracted

Family

cryptbot

C2

analforeverlovyu.top

thirtv13sb.top

Attributes
  • url_path

    /v1/upload.php

Extracted

Family

lumma

C2

https://preachstrwnwjw.shop/api

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://ignoracndwko.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

https://tenntysjuxmz.shop/api

Targets

    • Target

      broadcom5.exe

    • Size

      13.2MB

    • MD5

      de5df8536b7d4d9c45fc2e9c6639f24e

    • SHA1

      5394559d6e470025d886678f4d625a3d01f55d64

    • SHA256

      7382e6823dc5b6f0ae9b4a67f30a6fe8dc400dfa95278ec647d06e6550ada24e

    • SHA512

      b14c108ac482d54ee000b729170a765f4506ebeb1e7ebbfd7c4367e93cb1b46da642096d8191f1cea13e16b05c124fd7bdaea9323cb53c9a7b5d92629ed7ccad

    • SSDEEP

      393216:7DfYtlZKIfz5Nk7uSff1yosdxz60CptWbN/33YFEr:7D2lnkaSnCd00Cps/fr

    • CryptBot

      CryptBot is a C++ stealer that is widely distributed bundled with other software.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15