lumma | eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114

General

Target

Eclipse RAT.zip
Size

12.5MB
MD5

30364181c2174678b94d74fcbd16f89d
SHA1

640ca938cd1497f0f7bff46de48d9765949c4214
SHA256

eca49914c9c9dbaad9e8ee1aaccfecb0d88a6fd610c02fbf873935467b7bf114
SHA512

d916e950d80f95d4061b1be6ec829f93631aa92272545b79c46d8bc7f01ba72e84a6e6a38a47ee7cd6723547de7d2c71ecde389154aec5c0a0efd2fa55bf8652
SSDEEP

393216:2xDA4Ulx6CHtKlswnb1q8EptEW7Zb2KOyUbYVNK:IUlxHHGd/E75ZSKjNK

Score

10^/10

lumma redline rhadamanthys discovery infostealer stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://95.214.55.177:2474/fae624c5418d6/black.api

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3040-151-0x0000000000BD0000-0x0000000000C26000-memory.dmp	family_redline

Redline family
redline
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2700 created 2852	2700	main.exe	51

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Eclipse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Eclipse.exe

Executes dropped EXE 7 IoCs

pid	Process
1848	Eclipse.exe
3040	build.exe
2456	Eclipse.exe
2700	main.exe
2060	EclipseLoaderX.exe
3736	EclipseLoaderX.exe
5060	EclipseLoaderX.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	build.exe
3040	build.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	3040	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EclipseLoaderX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EclipseLoaderX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EclipseLoaderX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclipse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclipse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
2700	main.exe
2700	main.exe
3672	7zFM.exe
3672	7zFM.exe
1772	dialer.exe
1772	dialer.exe
1772	dialer.exe
1772	dialer.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3672	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3672	7zFM.exe
Token: 35	3672	7zFM.exe
Token: SeSecurityPrivilege	3672	7zFM.exe
Token: SeSecurityPrivilege	3672	7zFM.exe
Token: SeSecurityPrivilege	3672	7zFM.exe
Token: SeSecurityPrivilege	3672	7zFM.exe
Token: SeSecurityPrivilege	3672	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe
3672	7zFM.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1848	3672	7zFM.exe	83
PID 3672 wrote to memory of 1848	3672	7zFM.exe	83
PID 3672 wrote to memory of 1848	3672	7zFM.exe	83
PID 1848 wrote to memory of 3040	1848	Eclipse.exe	87
PID 1848 wrote to memory of 3040	1848	Eclipse.exe	87
PID 1848 wrote to memory of 3040	1848	Eclipse.exe	87
PID 1848 wrote to memory of 2456	1848	Eclipse.exe	89
PID 1848 wrote to memory of 2456	1848	Eclipse.exe	89
PID 1848 wrote to memory of 2456	1848	Eclipse.exe	89
PID 2456 wrote to memory of 2700	2456	Eclipse.exe	93
PID 2456 wrote to memory of 2700	2456	Eclipse.exe	93
PID 2456 wrote to memory of 2700	2456	Eclipse.exe	93
PID 2700 wrote to memory of 1772	2700	main.exe	94
PID 2700 wrote to memory of 1772	2700	main.exe	94
PID 2700 wrote to memory of 1772	2700	main.exe	94
PID 2700 wrote to memory of 1772	2700	main.exe	94
PID 2700 wrote to memory of 1772	2700	main.exe	94
PID 3672 wrote to memory of 2060	3672	7zFM.exe	95
PID 3672 wrote to memory of 2060	3672	7zFM.exe	95
PID 3672 wrote to memory of 2060	3672	7zFM.exe	95
PID 3672 wrote to memory of 3736	3672	7zFM.exe	97
PID 3672 wrote to memory of 3736	3672	7zFM.exe	97
PID 3672 wrote to memory of 3736	3672	7zFM.exe	97
PID 3672 wrote to memory of 5060	3672	7zFM.exe	99
PID 3672 wrote to memory of 5060	3672	7zFM.exe	99
PID 3672 wrote to memory of 5060	3672	7zFM.exe	99

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2852
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1772

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Eclipse RAT.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 452
      4⤵
      Program crash
      PID:1448
- - C:\Users\Admin\AppData\Local\Temp\Eclipse.exe
    "C:\Users\Admin\AppData\Local\Temp\Eclipse.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\main.exe
      "C:\Users\Admin\AppData\Local\Temp\main.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2700
- C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\7zO85E64E58\EclipseLoaderX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO85E64E58\EclipseLoaderX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\7zO85E68348\EclipseLoaderX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO85E68348\EclipseLoaderX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3040 -ip 3040
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO85E16DF7\Eclipse.exe

Filesize
12.1MB

MD5
e94abe514202de0a3e24c0f45ccea8a6

SHA1
27770fa35ea2ca6e1cd87f669e21f5e29cfaa381

SHA256
c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606

SHA512
1fe72a35e6e0da642c42848d5009538ab97d5e833466abd25f2aa03e96f8b637a2a9a30054c8ebdf4cdf80570e39f387c9b6a535105a3e9b36b846570114c0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO85E35058\EclipseLoaderX.exe

Filesize
490KB

MD5
9c9245810bad661af3d6efec543d34fd

SHA1
93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

SHA256
f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

SHA512
90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eclipse.exe

Filesize
11.6MB

MD5
d1b974d3816357532a0de6b388c5c361

SHA1
fef9e938027e649ebbcffb074c65d46b2d0a1621

SHA256
f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499

SHA512
c4025fd2cc9c08c7319fc9574913d793954ba93b01288a5f03cf12beeaa40617c182f850ab40c1be434c80024632f395a355622f1bc4d0ce4dae987d43868f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
506KB

MD5
e5fb57e8214483fd395bd431cb3d1c4b

SHA1
60e22fc9e0068c8156462f003760efdcac82766b

SHA256
e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684

SHA512
dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
448KB

MD5
e1e28c3acf184aa364c9ed9a30ab7289

SHA1
1a173a6f4ec39fe467f1b4b91c9fad794167ac1c

SHA256
03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306

SHA512
e8d38c9a144b7f4531e617de45dc240042a7b9ce7dd5766eb2f763b505d9786acccf54f3a03ff3639c36c957e2d14d34b5b59196170eb1b6b5f17e8a417d6991

Download Submit
memory/1772-184-0x0000000000CE0000-0x0000000000CE9000-memory.dmp

Filesize
36KB

Download
memory/1772-190-0x0000000076C90000-0x0000000076ECA000-memory.dmp

Filesize
2.2MB

Download
memory/1772-188-0x00007FFF45290000-0x00007FFF45488000-memory.dmp

Filesize
2.0MB

Download
memory/1772-187-0x0000000002A10000-0x0000000002E10000-memory.dmp

Filesize
4.0MB

Download
memory/1848-159-0x0000000000400000-0x0000000001020000-memory.dmp

Filesize
12.1MB

Download
memory/2060-203-0x0000000000640000-0x000000000068B000-memory.dmp

Filesize
300KB

Download
memory/2060-208-0x0000000000640000-0x000000000068B000-memory.dmp

Filesize
300KB

Download
memory/2456-176-0x0000000000400000-0x0000000000F9C000-memory.dmp

Filesize
11.6MB

Download
memory/2700-175-0x0000000000D90000-0x0000000000E18000-memory.dmp

Filesize
544KB

Download
memory/2700-180-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/2700-179-0x0000000003260000-0x0000000003660000-memory.dmp

Filesize
4.0MB

Download
memory/2700-185-0x0000000000D90000-0x0000000000E18000-memory.dmp

Filesize
544KB

Download
memory/2700-183-0x0000000076C90000-0x0000000076ECA000-memory.dmp

Filesize
2.2MB

Download
memory/2700-181-0x00007FFF45290000-0x00007FFF45488000-memory.dmp

Filesize
2.0MB

Download
memory/3040-151-0x0000000000BD0000-0x0000000000C26000-memory.dmp

Filesize
344KB

Download
memory/3736-221-0x0000000000930000-0x000000000097B000-memory.dmp

Filesize
300KB

Download
memory/3736-226-0x0000000000930000-0x000000000097B000-memory.dmp

Filesize
300KB

Download
memory/5060-239-0x0000000001480000-0x00000000014CB000-memory.dmp

Filesize
300KB

Download
memory/5060-244-0x0000000001480000-0x00000000014CB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads