General
Target: Setup.exe (1).zip
Size: 5KB
Sample: 241028-ygsbfatlar
MD5: 75e2ac7050d6ec1a0d49a60a2162c15a
SHA1: d13da671ee46ff1d6947ac7971a68e2618ab4338
SHA256: b710c05f9ad5674224f815f5c7a8be2d93fa1ea45b1865a2c28a3fb97f77cc3b
SHA512: 01ec3381d2a16d01c39e7b2ba42b93484f022dcc49c0236302c5c58e259267f89989ec03be2c5182801fdb023e537416e26b44e6f4344d35d8aa835b57ed1a78
SSDEEP: 96:zQ/bs6BLn0pfvxSf4eFelfxDVYTDA+mGigifKqD9ZI0OlM8xBg:z0bh50pfwfn6RVYTDn6gifdD9ZI0oM88
Static task: static1
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win7-20240903-en
Malware Config
Extracted: stealc
mainteam
http://95.182.96.50
url_path: /2aced82320799c96.php
Extracted: phorphiex
http://185.215.113.84
Extracted: lumma
Targets
Target: Setup.exe.bin
Size: 12KB
MD5: a14e63d27e1ac1df185fa062103aa9aa
SHA1: 2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256: dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512: 10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP: 192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ
- Lumma family
- Modifies security service
- Phorphiex family
- Phorphiex payload
- Stealc family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xmrig family
- XMRig Miner payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion: adversaries may delete files left behind by the actions of their intrusion activity.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (tactic: technique (count), sub-technique (count))
Execution: Command and Scripting Interpreter (1), PowerShell (1); System Services (1), Service Execution (1)
Persistence: Boot or Logon Autostart Execution (1), Registry Run Keys / Startup Folder (1); Create or Modify System Process (2), Windows Service (2)
Privilege Escalation: Boot or Logon Autostart Execution (1), Registry Run Keys / Startup Folder (1); Create or Modify System Process (2), Windows Service (2)
Defense Evasion: Impair Defenses (3), Disable or Modify Tools (2); Indicator Removal (1), File Deletion (1); Modify Registry (4)
Credential Access: Credentials from Password Stores (1), Credentials from Web Browsers (1); Unsecured Credentials (4), Credentials In Files (4)