Overview

overview

10

Static

static

3

UpdaterSoft.exe

windows7-x64

1

UpdaterSoft.exe

windows10-2004-x64

10

locales/wi...01.exe

windows7-x64

5

locales/wi...01.exe

windows10-2004-x64

1

python3.dll

windows7-x64

1

python3.dll

windows10-2004-x64

1

python312.dll

windows7-x64

3

python312.dll

windows10-2004-x64

3

updater/py...64.exe

windows7-x64

7

updater/py...64.exe

windows10-2004-x64

7

vcruntime140.dll

windows7-x64

3

vcruntime140.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0a6c1e1a35167a351a778fb7b097644bbab9dce817377e8fae36c34ceddcfa52.zip

  • Size

    31.7MB

  • Sample

    241220-d6fzgsypfm

  • MD5

    29f7632372514dc102b643b8a43e9b7e

  • SHA1

    b19ea23fcb5827b5e74c927381ff47fb9ab16721

  • SHA256

    0a6c1e1a35167a351a778fb7b097644bbab9dce817377e8fae36c34ceddcfa52

  • SHA512

    099ad8cf4f383be7f5bef77612ab33c48baa1527659bb2d8b3ad97939f423eef365046b8483f1945a9cec31525f41494396eaeecb51ad90ec600d504df6b7cf8

  • SSDEEP

    786432:VjcYZykld+L2ZTttV5BRekSJA4yyjUeqZkoC:V41Ad42pV5BRiA4bUxZkoC

Score
10/10
lummadiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://ingreem-eilish.biz/api

Extracted

Family

lumma

C2

https://ingreem-eilish.biz/api

Targets

    • Target

      UpdaterSoft.exe

    • Size

      100KB

    • MD5

      cd2b6c28a8690c90953625c38ad21c05

    • SHA1

      cc9f6d12be5f2ee6001af0a6d7399619bb2ea721

    • SHA256

      1ecd4b2fc4c5ba45e58005df147b1f8cf51db8fabe1be76fb2ece1e55d42c4ff

    • SHA512

      8c54b0e9baba8be6105072e36aa2b02672a29c5ed138c5de306a55468c2ead66afe786a88719e0404cada45e1bbf0cf4f4ca24acb98f84b99ded31a09b9f8152

    • SSDEEP

      1536:kE/hIxHHWMpdPa5wiE21M8kJIGFvb1CwL/L5syuyUzR9aBfI+v3GVm:3SwMpdCq/IM8uIGfh/L5sNFVm

    Score
    10/10
    lummadiscoveryspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

    • Target

      locales/winrar-x64-701.exe

    • Size

      3.8MB

    • MD5

      46c17c999744470b689331f41eab7df1

    • SHA1

      b8a63127df6a87d333061c622220d6d70ed80f7c

    • SHA256

      c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

    • SHA512

      4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

    • SSDEEP

      98304:6NRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAr:sR/gmeOqv7Ac9F0kB

    Score
    5/10
    discoverypersistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral3behavioral4

    • Target

      python3.dll

    • Size

      68KB

    • MD5

      4945b93f8dd31e0b888d740a8e4cc654

    • SHA1

      24428213793148c219e5998ad3883f88861a92bc

    • SHA256

      2fd506d5e68fc684254efde205f950f64e075d573df3531737bc8b52e2fd9f5d

    • SHA512

      8dc46ded06702a3539b5fdd3f2c09c7ab7bb5dbafa7949039843f6dc90169b805ae66bfa503682ed7f0c589fff8754a44b9a4a34bd9a07d32723918d8d13d6d5

    • SSDEEP

      768:dV1EbYGVXq6KC/prVHBN0cW18itCQDFPnOMFn+gikF/nFX14uewjBcCCC0yamM/+:dDmF61JFn+/O0xI+L0YyUzR9TfI/KRy

    Score
    1/10
    behavioral5behavioral6

    • Target

      python312.dll

    • Size

      2.9MB

    • MD5

      db7d4ce338ea1d52622ef545793f7b36

    • SHA1

      a7c3b1ef57c11d5fa2315715178fc1997e7767ef

    • SHA256

      50c144b9b8dc2c31914232efbd20ca1da945397738ae3bb4755911e65efacc8d

    • SHA512

      a92415b7df4b909617b596c97228502ffab4a72985a1c150ecf2fd2e09f266ac81751716d4ff1464d7601e28a0b899787c9c83aa87edad428cbffbaab7d301a1

    • SSDEEP

      24576:M5ej14694EDS6OvO5Ze+5qinbzEfZ3sA6N5c/oYEB:3r94EDS6imqoXS8TP4oYEB

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      updater/python-3.13.1-amd64.exe

    • Size

      27.4MB

    • MD5

      90176c0cfa29327ab08c6083dcdcc210

    • SHA1

      cc0bcf37414be313526d63ef708fc85da3b693b1

    • SHA256

      6b33fa9a439a86f553f9f60e538ccabc857d2f308bc77c477c04a46552ade81f

    • SHA512

      5940aae44386f3622dee3f32e6a98073851a9f646da6bf3e04f050b9a9239e0ddf50b26e5e125154edc5bbebce7353d273950f1111e4ca5f2b4e2e4a7ac7cf92

    • SSDEEP

      786432:fKScWFPQmn8ZNPeBvm1+MS3gpir9K8X+a:CcJQS8aBvm16gpGvX+a

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral10behavioral9

    • Target

      vcruntime140.dll

    • Size

      87KB

    • MD5

      656ffcbfe10e81b64a59f7bfc86581ea

    • SHA1

      765fe7b0bd404cb6fabb1b16372f2e41889f087b

    • SHA256

      e72cb60bc3afaed6f38fa28d7111938067a9e4bed38a36f7a1ac6b9c1f16d0e2

    • SHA512

      c5dfc2991cc382d5f9a03219f3e58c3c51b1baa77972d97548fa89b2c5a37d3eb80b1c7e2dae3e3336d02b755a53d78751f49d60250c4cb6ebcaa7a7756e1a18

    • SSDEEP

      1536:FcOjHc3U7aHQcT6rCUNgBhR2kBGCGmzWbGfaecbGKOa4dmzgZxIz:qGHchcWzhRqRmWKfaecbGlv0V

    Score
    3/10
    discovery
    behavioral11behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Tasks