General

  • Target: c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966N
  • Size: 575KB
  • Sample: 241109-w1wf4azbrc
  • MD5: 21110bdf3a234f15f6f7523aa0fa0e90
  • SHA1: 50f8de3658915f7967042f071a95522866d149f9
  • SHA256: c290ad62817046fb9f21fecf38ec7da631f48e9dd7b3aba5ab17e9fe51ea9966
  • SHA512: 6c61cb2c3fae5ba1511ec2ef468d54240fd428834495fba919a91e90a7d00cbff0868e65b3d29f08327244b2c6e1b369bbb4b3acddde1b5a7156bf87be575c50
  • SSDEEP: 12288:QgBHXRtrPBInYtSsnadym2jO+Aem8kAuW3f:DjJPB0sn4AV3

Malware Config

Extracted

Family: lumma

C2


Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Lumma Stealer, LummaC

      Lumma (LummaC) is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a malicious macro.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by their intrusion activity to hinder forensic analysis.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15