lumma | eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eclipse RAT.zip
Size

12.5MB
MD5

30364181c2174678b94d74fcbd16f89d
SHA1

640ca938cd1497f0f7bff46de48d9765949c4214
SHA256

eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114
SHA512

d916e950d80f95d4061b1be6ec829f93631aa92272545b79c46d8bc7f01ba72e84a6e6a38a47ee7cd6723547de7d2c71ecde389154aec5c0a0efd2fa55bf8652
SSDEEP

393216:2xDA4Ulx6CHtKlswnb1q8EptEW7Zb2KOyUbYVNK:IUlxHHGd/E75ZSKjNK

Score

10^/10

lumma redline rhadamanthys discovery infostealer stealer

Malware Config

Extracted

Family

rhadamanthys

https://95.214.55.177:2474/fae624c5418d6/black.api

Extracted

Family

lumma

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4372-28-0x00000000006E0000-0x0000000000736000-memory.dmp	family_redline

Redline family
redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3480 created 2600	3480	main.exe	44

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Eclipse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Eclipse.exe

Executes dropped EXE 8 IoCs

pid	Process
2436	Eclipse.exe
4372	build.exe
888	Eclipse.exe
3480	main.exe
4060	EclipseLoaderX.exe
2472	EclipseLoaderX.exe
2452	EclipseLoaderX.exe
1188	EclipseLoaderX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EclipseLoaderX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EclipseLoaderX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EclipseLoaderX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EclipseLoaderX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclipse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclipse.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
3480	main.exe
3480	main.exe
64	7zFM.exe
64	7zFM.exe
1688	dialer.exe
1688	dialer.exe
1688	dialer.exe
1688	dialer.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
64	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	64	7zFM.exe
Token: 35	64	7zFM.exe
Token: SeSecurityPrivilege	64	7zFM.exe
Token: SeSecurityPrivilege	64	7zFM.exe
Token: SeSecurityPrivilege	64	7zFM.exe
Token: SeSecurityPrivilege	64	7zFM.exe
Token: SeSecurityPrivilege	64	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe
64	7zFM.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 2436	64	7zFM.exe	97
PID 64 wrote to memory of 2436	64	7zFM.exe	97
PID 64 wrote to memory of 2436	64	7zFM.exe	97
PID 2436 wrote to memory of 4372	2436	Eclipse.exe	99
PID 2436 wrote to memory of 4372	2436	Eclipse.exe	99
PID 2436 wrote to memory of 4372	2436	Eclipse.exe	99
PID 2436 wrote to memory of 888	2436	Eclipse.exe	101
PID 2436 wrote to memory of 888	2436	Eclipse.exe	101
PID 2436 wrote to memory of 888	2436	Eclipse.exe	101
PID 888 wrote to memory of 3480	888	Eclipse.exe	102
PID 888 wrote to memory of 3480	888	Eclipse.exe	102
PID 888 wrote to memory of 3480	888	Eclipse.exe	102
PID 3480 wrote to memory of 1688	3480	main.exe	105
PID 3480 wrote to memory of 1688	3480	main.exe	105
PID 3480 wrote to memory of 1688	3480	main.exe	105
PID 3480 wrote to memory of 1688	3480	main.exe	105
PID 3480 wrote to memory of 1688	3480	main.exe	105
PID 64 wrote to memory of 4060	64	7zFM.exe	107
PID 64 wrote to memory of 4060	64	7zFM.exe	107
PID 64 wrote to memory of 4060	64	7zFM.exe	107
PID 64 wrote to memory of 2472	64	7zFM.exe	109
PID 64 wrote to memory of 2472	64	7zFM.exe	109
PID 64 wrote to memory of 2472	64	7zFM.exe	109
PID 64 wrote to memory of 2452	64	7zFM.exe	111
PID 64 wrote to memory of 2452	64	7zFM.exe	111
PID 64 wrote to memory of 2452	64	7zFM.exe	111
PID 64 wrote to memory of 1188	64	7zFM.exe	113
PID 64 wrote to memory of 1188	64	7zFM.exe	113
PID 64 wrote to memory of 1188	64	7zFM.exe	113

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2600
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Eclipse RAT.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
    "C:\Users\Admin\AppData\Local\Temp\Eclipse.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\main.exe
      "C:\Users\Admin\AppData\Local\Temp\main.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3480
- C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4060
- C:\Users\Admin\AppData\Local\Temp\7zO040A9F78\EclipseLoaderX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO040A9F78\EclipseLoaderX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\7zO04080978\EclipseLoaderX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO04080978\EclipseLoaderX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\7zO04070208\EclipseLoaderX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO04070208\EclipseLoaderX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO04062EF7\Eclipse.exe

Filesize
12.1MB

MD5
e94abe514202de0a3e24c0f45ccea8a6

SHA1
27770fa35ea2ca6e1cd87f669e21f5e29cfaa381

SHA256
c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

SHA512
1fe72a35e6e0da642c42848d5009538ab97d5e833466abd25f2aa03e96f8b637a2a9a30054c8ebdf4cdf80570e39f387c9b6a535105a3e9b36b846570114c0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO040DF868\EclipseLoaderX.exe

Filesize
490KB

MD5
9c9245810bad661af3d6efec543d34fd

SHA1
93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

SHA256
f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

SHA512
90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

Filesize
11.6MB

MD5
d1b974d3816357532a0de6b388c5c361

SHA1
fef9e938027e649ebbcffb074c65d46b2d0a1621

SHA256
f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499

SHA512
c4025fd2cc9c08c7319fc9574913d793954ba93b01288a5f03cf12beeaa40617c182f850ab40c1be434c80024632f395a355622f1bc4d0ce4dae987d43868f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
506KB

MD5
e5fb57e8214483fd395bd431cb3d1c4b

SHA1
60e22fc9e0068c8156462f003760efdcac82766b

SHA256
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SHA512
dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
448KB

MD5
e1e28c3acf184aa364c9ed9a30ab7289

SHA1
1a173a6f4ec39fe467f1b4b91c9fad794167ac1c

SHA256
03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306

SHA512
e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991

Download Submit
memory/888-53-0x0000000000400000-0x0000000000F9C000-memory.dmp

Filesize
11.6MB

Download
memory/1188-125-0x0000000000E70000-0x0000000000EBB000-memory.dmp

Filesize
300KB

Download
memory/1188-120-0x0000000000E70000-0x0000000000EBB000-memory.dmp

Filesize
300KB

Download
memory/1688-62-0x0000000002750000-0x0000000002B50000-memory.dmp

Filesize
4.0MB

Download
memory/1688-59-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

Filesize
36KB

Download
memory/1688-63-0x00007FF902290000-0x00007FF902485000-memory.dmp

Filesize
2.0MB

Download
memory/1688-65-0x0000000076B30000-0x0000000076D45000-memory.dmp

Filesize
2.1MB

Download
memory/2436-35-0x0000000000400000-0x0000000001020000-memory.dmp

Filesize
12.1MB

Download
memory/2452-105-0x0000000000FA0000-0x0000000000FEB000-memory.dmp

Filesize
300KB

Download
memory/2452-110-0x0000000000FA0000-0x0000000000FEB000-memory.dmp

Filesize
300KB

Download
memory/2472-90-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2472-95-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3480-55-0x0000000003D20000-0x0000000004120000-memory.dmp

Filesize
4.0MB

Download
memory/3480-60-0x0000000000530000-0x00000000005B8000-memory.dmp

Filesize
544KB

Download
memory/3480-58-0x0000000076B30000-0x0000000076D45000-memory.dmp

Filesize
2.1MB

Download
memory/3480-56-0x00007FF902290000-0x00007FF902485000-memory.dmp

Filesize
2.0MB

Download
memory/3480-54-0x0000000003D20000-0x0000000004120000-memory.dmp

Filesize
4.0MB

Download
memory/3480-51-0x0000000000530000-0x00000000005B8000-memory.dmp

Filesize
544KB

Download
memory/4060-75-0x0000000000440000-0x000000000048B000-memory.dmp

Filesize
300KB

Download
memory/4060-80-0x0000000000440000-0x000000000048B000-memory.dmp

Filesize
300KB

Download
memory/4372-42-0x0000000004D50000-0x0000000004D9C000-memory.dmp

Filesize
304KB

Download
memory/4372-41-0x0000000004D10000-0x0000000004D4C000-memory.dmp

Filesize
240KB

Download
memory/4372-40-0x0000000004E20000-0x0000000004F2A000-memory.dmp

Filesize
1.0MB

Download
memory/4372-38-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4372-37-0x0000000005330000-0x0000000005948000-memory.dmp

Filesize
6.1MB

Download
memory/4372-28-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download