General
Target
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHNKZWxBOExZQ0xxc0hXU3JzMmc2a1NrVXpBUXxBQ3Jtc0trZmhaNU4xa3ljc1d5WFpNMTF1T2RQSnlJVTZlOXpBSl91N3lRTTI1NTBGNVExbDQxb0RQdkFBcnV2WnVSY09HSHk1SU1qRGU4bEZ1dGRmbzFMQXdiWGpiS0Ewek9oVUZLUnVvaHpCamdlaEQ2b3pOaw&q=https%3A%2F%2Fsites.google.com%2Fview%2Fnexol&v=6mF7AbF_SiE
Sample
241112-1by8xa1jcx
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHNKZWxBOExZQ0xxc0hXU3JzMmc2a1NrVXpBUXxBQ3Jtc0trZmhaNU4xa3ljc1d5WFpNMTF1T2RQSnlJVTZlOXpBSl91N3lRTTI1NTBGNVExbDQxb0RQdkFBcnV2WnVSY09HSHk1SU1qRGU4bEZ1dGRmbzFMQXdiWGpiS0Ewek9oVUZLUnVvaHpCamdlaEQ2b3pOaw&q=https%3A%2F%2Fsites.google.com%2Fview%2Fnexol&v=6mF7AbF_SiE
Resource
win10v2004-20241007-en
Malware Config
Extracted
lumma
Targets
Target
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHNKZWxBOExZQ0xxc0hXU3JzMmc2a1NrVXpBUXxBQ3Jtc0trZmhaNU4xa3ljc1d5WFpNMTF1T2RQSnlJVTZlOXpBSl91N3lRTTI1NTBGNVExbDQxb0RQdkFBcnV2WnVSY09HSHk1SU1qRGU4bEZ1dGRmbzFMQXdiWGpiS0Ewek9oVUZLUnVvaHpCamdlaEQ2b3pOaw&q=https%3A%2F%2Fsites.google.com%2Fview%2Fnexol&v=6mF7AbF_SiE
- Detected Microsoft Outlook phishing page
- Lumma family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- A potential corporate email address has been identified in the URL: [email protected]
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Legitimate hosting services abused for malware hosting/C2
- System Binary Proxy Execution: Verclsid
  Adversaries may abuse Verclsid to proxy execution of malicious code.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- System Binary Proxy Execution (1)
  - Verclsid (1)
- Virtualization/Sandbox Evasion (1)