General

  • Target

    AccessoryLiberty.zip

  • Size

    966KB

  • Sample

    241113-ybsp1s1pdk

  • MD5

    bdccffd702a8417f5f5e86492a0f24ba

  • SHA1

    673c983f32fef0c4f57fe8670781170663dc4476

  • SHA256

    b80c11df84d7873d503f4961a305ffe8ea74ce65d411273183939d3c446cb5f8

  • SHA512

    f88a46919a97e8c49a91fc7cea19c1996ce50ecdf47552a013b94dddd416f9bf03d0d185b6daabbb13b7b916842fa6815ddbd14b6c74b38068e287bcc0c83a0a

  • SSDEEP

    24576:irqKBXs5cH4qgGinO0Gf4EfLsBJnhU7DMOR8pPqU127c3WX:MXs5Tq0M4EfYBNh2t85q447

Malware Config

Extracted

  • Family

    lumma

  • C2

    https://toleratedbaybo.cyou/api

Extracted

  • Language

    ps1

  • Source URLs (exe.dropper)

    https://mindfusteps.shop/minz/m4nd.zip
    https://mindfusteps.shop/minz/m2nd.zip
    https://mindfusteps.shop/minz/m3nd.zip
    https://mindfusteps.shop/minz/m1nd.zip
    https://mindfusteps.shop/mind/

Targets

    • Target

      AccessoryLiberty.exe

    • Size

      996KB

    • MD5

      e408e6a925110492f93cdfda48ca74eb

    • SHA1

      27e2eeeac0621d1939dd3e5e176b9544e4397689

    • SHA256

      4b64a85c1eaed8608e1f6162f6f643ee0e44017eb4564ce7bad41ed3bcf30342

    • SHA512

      7757f8ab7509bed46052fac8a8f114bddb78882154a01d4d66fbf577099bebde56d4bb9d8a6cad764bd55fc1b781fc116ba11b6e50e56a330ca4aea381bf787b

    • SSDEEP

      24576:XNgeBRs58xWqeGmjeAG/4Cf1ObNnhU/vMw/qvDqg1UFebT:fRs53qCy4Cf0bRhgtq7q8uU

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15