Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    60a8c4e5f5b37b856e45ec5e04ebf30d8a8fb271e8884657c922770dd3b920f6.exe

  • Size

    1.7MB

  • Sample

    241216-crvnna1jbq

  • MD5

    91d5cfb8d87ee0bfbabec96f509feddb

  • SHA1

    448617558ec059cfa5e8e0c542cec1cd1528331d

  • SHA256

    60a8c4e5f5b37b856e45ec5e04ebf30d8a8fb271e8884657c922770dd3b920f6

  • SHA512

    c73f838dbd4756bc3a21a30449ebb85a3cb2e21951de12a96f5793589d5e8676c0b22f488b277c6689bc98e0073655768e7bb62122e42d052f64ff730e7262ad

  • SSDEEP

    49152:fA4VZv10UT7+xVaCumN+avFoK/w4OQKOmyuP2PNAkQnBhr:ffvR4LuMrE4RHrPNWBhr

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://tacitglibbr.biz/api

Targets

    • Target

      60a8c4e5f5b37b856e45ec5e04ebf30d8a8fb271e8884657c922770dd3b920f6.exe

    • Size

      1.7MB

    • MD5

      91d5cfb8d87ee0bfbabec96f509feddb

    • SHA1

      448617558ec059cfa5e8e0c542cec1cd1528331d

    • SHA256

      60a8c4e5f5b37b856e45ec5e04ebf30d8a8fb271e8884657c922770dd3b920f6

    • SHA512

      c73f838dbd4756bc3a21a30449ebb85a3cb2e21951de12a96f5793589d5e8676c0b22f488b277c6689bc98e0073655768e7bb62122e42d052f64ff730e7262ad

    • SSDEEP

      49152:fA4VZv10UT7+xVaCumN+avFoK/w4OQKOmyuP2PNAkQnBhr:ffvR4LuMrE4RHrPNWBhr

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Modifies Windows Defender Real-time Protection settings

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks