General

  • Target

    7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe

  • Size

    1.8MB

  • Sample

    241219-dt8tqswmbr

  • MD5

    36e8bef9e64aab447e4deed78acb16a4

  • SHA1

    102c5e3e7bc0448c9a564411ecb5a831a6899c79

  • SHA256

    7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3

  • SHA512

    e9d2bcc4cfbbf3ec02f1daa360696446e1a821be2253a57db833d667c3cb70706343e59aaa252ec341079fc604dcd7d2cc48ecc5c5f650de9a6e416769a4d0e6

  • SSDEEP

    49152:1eYB58EGCuOD1Ch9EPrj7QfpjSvJF+m6b9AXIS:1gdORuyUjSvT+zAXI

Malware Config

Extracted

Family

lumma

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Targets

    • Target

      7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe

    • Size

      1.8MB

    • MD5

      36e8bef9e64aab447e4deed78acb16a4

    • SHA1

      102c5e3e7bc0448c9a564411ecb5a831a6899c79

    • SHA256

      7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3

    • SHA512

      e9d2bcc4cfbbf3ec02f1daa360696446e1a821be2253a57db833d667c3cb70706343e59aaa252ec341079fc604dcd7d2cc48ecc5c5f650de9a6e416769a4d0e6

    • SSDEEP

      49152:1eYB58EGCuOD1Ch9EPrj7QfpjSvJF+m6b9AXIS:1gdORuyUjSvT+zAXI

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Modifies Windows Defender Real-time Protection settings

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks