Overview

overview

10

Static

static

1

goat-simul...e.html

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    goat-simulator-remastered-cheat-engine.454

  • Size

    39KB

  • Sample

    241127-s6ffaawlbk

  • MD5

    e395667f9d8ca6e86a2842b64539a421

  • SHA1

    c438c4602fdede71e1868bb58c1891477de468df

  • SHA256

    e34f332c700bebc0bebcfade306bda370c4057a3da405fcbc7ce2c2638babe34

  • SHA512

    38a3f000863874338d895eeae219889c3a7290f631e40707880a78adaa79cfaa283ec35b521f47610cc3d604d94b03d73bef5495066e7d9400ac18d10737a1c1

  • SSDEEP

    384:fOtIbsiy1EfQnID5wfjqScr6cLQ6wn/gACKdy1UdiseK1iGAK9Ffw9xKJEa8SFwc:fOBhg9UdrX5BJ/2rZhmcihCrourK

Score
10/10
lummamicrosoftdefense_evasiondiscoveryevasionexecutionpersistencephishingprivilege_escalationstealertrojan

Malware Config

Extracted

Family

lumma

C2

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://sapphirelake.shop/api

Targets

    • Target

      goat-simulator-remastered-cheat-engine.454

    • Size

      39KB

    • MD5

      e395667f9d8ca6e86a2842b64539a421

    • SHA1

      c438c4602fdede71e1868bb58c1891477de468df

    • SHA256

      e34f332c700bebc0bebcfade306bda370c4057a3da405fcbc7ce2c2638babe34

    • SHA512

      38a3f000863874338d895eeae219889c3a7290f631e40707880a78adaa79cfaa283ec35b521f47610cc3d604d94b03d73bef5495066e7d9400ac18d10737a1c1

    • SSDEEP

      384:fOtIbsiy1EfQnID5wfjqScr6cLQ6wn/gACKdy1UdiseK1iGAK9Ffw9xKJEa8SFwc:fOBhg9UdrX5BJ/2rZhmcihCrourK

    Score
    10/10
    lummamicrosoftdefense_evasiondiscoveryevasionexecutionpersistencephishingprivilege_escalationstealertrojan

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Stops running service(s)

      evasionexecution

    • A potential corporate email address has been identified in the URL: [email protected]

      phishing

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Detected potential entity reuse from brand MICROSOFT.

      phishingmicrosoft

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

7
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks