Overview

overview

10

Static

static

1

botlobby12...xt.ps1

windows7-x64

3

botlobby12...xt.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    botlobby12.b-cdn.net_IVLVIOYW.txt.ps1

  • Size

    33.3MB

  • MD5

    5418685e5a0cde78582f1e7086bc11c5

  • SHA1

    44b8a7eb1e68d3d49aa77dc55cbaafa089b6b410

  • SHA256

    6d8c4d326c1da4c9fd6c410030b725cf4a54a76f29030d786dc3df8ab06c687f

  • SHA512

    86024aaec09bf12b531e8577de76639bbe97decee1fb6eec6704f177df74b4460f5c4d6e5d0e5bf37736c338e449cce3526eda02bba9bbd47b4dcd4ba420fb52

  • SSDEEP

    49152:mD6Y62P93RoIy7QjmQMEymPv6CnJAc0U+pKAT6+nOLgYQw1gGZ2u/scENOuKQwNP:k

Score
10/10
lummadiscoveryexecutionpersistencestealer

Malware Config

Extracted

Family

lumma

C2

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://oak-smash.cyou

Extracted

Family

lumma

C2

https://oak-smash.cyou/api

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

https://disobey-curly.sbs/api

https://motion-treesz.sbs/api

https://powerful-avoids.sbs/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\botlobby12.b-cdn.net_IVLVIOYW.txt.ps1
    1⤵
    • Adds Run key to start application
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Roaming\pCHVWuDU\Set-up.exe
      "C:\Users\Admin\AppData\Roaming\pCHVWuDU\Set-up.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Users\Admin\AppData\Local\Temp\bicep.com
          C:\Users\Admin\AppData\Local\Temp\bicep.com
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uw4x12an.52l.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bicep.com
    Filesize

    921KB

    MD5

    3f58a517f1f4796225137e7659ad2adb

    SHA1

    e264ba0e9987b0ad0812e5dd4dd3075531cfe269

    SHA256

    1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

    SHA512

    acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\f809ab16
    Filesize

    1.9MB

    MD5

    f125679c9c234d741f4f8a635db07b50

    SHA1

    9033a646540f5e1b7f280602b95cb0f438e33530

    SHA256

    3f83aca59a68793735d8fa91377c262d050ab9830016d60b1aaa59532c72bc61

    SHA512

    9a82c4d16855813905f7e7c1c56eb035c92ba70537cc10b10e9671e2527a4530790efaaa4430301d8aaf2e978222459524c06ab7ab7e08a68e94ea7aabb80bae

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\MSVCP100.dll
    Filesize

    411KB

    MD5

    03e9314004f504a14a61c3d364b62f66

    SHA1

    0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

    SHA256

    a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

    SHA512

    2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\QtCore4.dll
    Filesize

    12.4MB

    MD5

    bb652e7faf42200d14f3e2a9dd5a23bd

    SHA1

    4adcca7288b1320db141a65b56ff902699149655

    SHA256

    34f3ec6caaa4947eb10b305fd01509c5fdb7a4aba5c41d5649b5489820ae0c0b

    SHA512

    b708dd7491cdf95e62cc084b33b1d2f3ad2f502f9b0139d85f1703c2245f67f211823063ba4747486aa68bd8269db9d8abbad1e866d8f300696afd64ba5fb545

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\QtGui4.dll
    Filesize

    8.2MB

    MD5

    831ba3a8c9d9916bdf82e07a3e8338cc

    SHA1

    6c89fd258937427d14d5042736fdfccd0049f042

    SHA256

    d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

    SHA512

    beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\QtNetwork4.dll
    Filesize

    1.0MB

    MD5

    8a2e025fd3ddd56c8e4f63416e46e2ec

    SHA1

    5f58feb11e84aa41d5548f5a30fc758221e9dd64

    SHA256

    52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

    SHA512

    8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\QtXml4.dll
    Filesize

    348KB

    MD5

    e9a9411d6f4c71095c996a406c56129d

    SHA1

    80b6eefc488a1bf983919b440a83d3c02f0319dd

    SHA256

    c9b2a31bfe75d1b25efcc44e1df773ab62d6d5c85ec5d0bc2dfe64129f8eab5e

    SHA512

    93bb3dd16de56e8bed5ac8da125681391c4e22f4941c538819ad4849913041f2e9bb807eb5570ee13da167cfecd7a08d16ad133c244eb6d25f596073626ce8a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\Set-up.exe
    Filesize

    6.2MB

    MD5

    11c8962675b6d535c018a63be0821e4c

    SHA1

    a150fa871e10919a1d626ffe37b1a400142f452b

    SHA256

    421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273

    SHA512

    3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\StarBurn.dll
    Filesize

    654KB

    MD5

    f75225db13e3b86477dc8658c63f9b99

    SHA1

    6ffd5596fd69e161b788001abab195cc609476cf

    SHA256

    4286cf3c1ed10b8d6e2794ab4ed1cfcded0ea40d6794016ce926cd9b547c6a00

    SHA512

    07dee210de39e9f303bb72558c4b2aeb5de597638f0a5bfdcbe8f8badfb46a45f7a1518726d543f18682214668d22586299159e2c3947a9285990867bc457327

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\mgkv
    Filesize

    1.4MB

    MD5

    b0d4e96824d217cfec091b45ff3c2100

    SHA1

    001526f5b14f2e771cfd9c3f7a3b0fcb5540c865

    SHA256

    25b2b8c419223b55123d2f595a62c7bd2372eaaad055237cae2b1c652b798244

    SHA512

    06e323e2428fb50e224d24de5990537c3594d32465de82492ec2867b1d1aae3c1c67511c4d47821e78bd0c13e9873a42dcf38b826fc5c9e62fa5aa56fb9af92c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\msvcr100.dll
    Filesize

    752KB

    MD5

    67ec459e42d3081dd8fd34356f7cafc1

    SHA1

    1738050616169d5b17b5adac3ff0370b8c642734

    SHA256

    1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

    SHA512

    9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\pCHVWuDU\tyr
    Filesize

    25KB

    MD5

    1658d2a6ee0d4ad19d2aae3893690cc2

    SHA1

    b3d15e4beb3f16085f52f410494b85778f89663d

    SHA256

    42a350b0b0c607b21dce44993b85d706f1d07d7f630e502fa96d66b21586acf0

    SHA512

    bd847f6a9308dcd8695d11263e595c46785cdb2166380192987d1abbf2d90a43273119c968487ee64289cf16b6ef517872964c5bde9dab0ae7de02ee68874ea1

    Download Submit

  • memory/772-136-0x0000000075E60000-0x0000000076413000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/772-125-0x0000000075E60000-0x0000000076413000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/772-138-0x00000000746AB000-0x0000000074CD9000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/772-126-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/772-118-0x00000000746AB000-0x0000000074CD9000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/772-119-0x0000000000B90000-0x0000000000B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/772-120-0x0000000074440000-0x0000000075945000-memory.dmp

    Filesize

    21.0MB

    Download

  • memory/2752-140-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2752-142-0x0000000075E60000-0x0000000076413000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3052-117-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3052-15-0x0000027A54860000-0x0000027A54872000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3052-16-0x0000027A3A0E0000-0x0000027A3A0EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3052-12-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3052-0-0x00007FFCD4143000-0x00007FFCD4145000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3052-14-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3052-11-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3052-6-0x0000027A54880000-0x0000027A548A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4860-148-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4860-150-0x00000000003C0000-0x000000000041E000-memory.dmp

    Filesize

    376KB

    Download