Resubmissions

  • 16-10-2024 16:07 — 241016-tkx9msycle (score 10)

  • 16-10-2024 16:04 — 241016-th2jaasdln (score 7)

General

  • Target: Screenshot 2024-10-13 143749.png

  • Size: 64KB

  • Sample: 241016-tkx9msycle

  • MD5: 95d5aa54faf76aa9aca139303ebc2e43

  • SHA1: 76f8da4301ffa7c22d75c0dc7a0c81de4b01d29e

  • SHA256: ac699bf7c5b7dd3fc7bbfc54001efcef55113f2bb6963017ea0d6181e197d938

  • SHA512: 13b2d3b9d94ef5aa31940c600d73949aa06b106e26e7fe4559c7f8a234d152e642a3ee61fba4d524699f6f4de75abc109a35f7849f2918bcb97cf906fa509cf7

  • SSDEEP: 768:8vEAUAJkpKz6zi3Q+KygRlK9NCeXb+O7NQ8NMVPfOR1FOMAwYasPXYXh7B/dKzcl:8vEa2W6PZ/RK56GNlyPfEFdJBN/4zc6A

Malware Config

Extracted

  • Family: lumma

  • C2


Targets


    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Modifies WinLogon

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks