General

  • Target

    file.exe

  • Size

    13.2MB

  • Sample

    240910-tryhzstfqe

  • MD5

    89c2a0024c8fb9afe5a54592354c56af

  • SHA1

    b025c8d428f4e33f6de7ea0151f0ef5b5babc89f

  • SHA256

    98636755633560832c7621a4b85f08553f513c0eee2ad21cc277044349b17075

  • SHA512

    62e1bf2198f0d50b23c89f0154bdeffe8b5fbabd841cb4bf32bd9777ad07173e9b4c4eb4ab2b52bbdad31097b9543e1ab0247c58cce42c0480611cb3c33d3252

  • SSDEEP

    393216:LTwC3d3ZurVpI+Jww5YDn2R6sJXnOO0CHJmQya4S4I9:LTFdL+2wq729JX/0CHY49

Malware Config

Extracted

Family

cryptbot

C2

thirtv13pn.top

analforeverlovyu.top

Attributes
  • url_path

    /v1/upload.php

Extracted

Family

lumma

C2

https://preachstrwnwjw.shop/api

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://ignoracndwko.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

https://tenntysjuxmz.shop/api

Targets

    • Target

      file.exe

    • Size

      13.2MB

    • MD5

      89c2a0024c8fb9afe5a54592354c56af

    • SHA1

      b025c8d428f4e33f6de7ea0151f0ef5b5babc89f

    • SHA256

      98636755633560832c7621a4b85f08553f513c0eee2ad21cc277044349b17075

    • SHA512

      62e1bf2198f0d50b23c89f0154bdeffe8b5fbabd841cb4bf32bd9777ad07173e9b4c4eb4ab2b52bbdad31097b9543e1ab0247c58cce42c0480611cb3c33d3252

    • SSDEEP

      393216:LTwC3d3ZurVpI+Jww5YDn2R6sJXnOO0CHJmQya4S4I9:LTFdL+2wq729JX/0CHY49

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks