lumma | 8f8ef83776282feb2487206099f276ce6a2b29f43428a96c081e92ebba6b6e5a

General

Target

ZrSoft_.rar
Size

56.0MB
Sample

241222-2agsxa1mdq
MD5

1053c0dd0cdaac7ec1e6db6e2cf9ba67
SHA1

f6774f85c071e43b0ee530bee08cb72942d46c1a
SHA256

8f8ef83776282feb2487206099f276ce6a2b29f43428a96c081e92ebba6b6e5a
SHA512

1e03aceab8232cb11f8bbd2f39cedbd0a218f69cb0657373229b7b4a6a6d243b46a2f0e7c8e60c22fc5428525e78c6c7803d60ee9861d0bf948d7e06b0707e81
SSDEEP

1572864:dPhzJC8a2OhGI/Ag681b0gZmrlHCne0W8UiWPN9Cu26t:dPhzJFanhXAgr1g0neMSVO6t

Score

10^/10

Malware Config

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Extracted

Path

C:\Users\Admin\README_HOW_TO_UNLOCK.TXT

Ransom Note

YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Targets

- Target
  
  ZrSoft_.rar
- Size
  
  56.0MB
- MD5
  
  1053c0dd0cdaac7ec1e6db6e2cf9ba67
- SHA1
  
  f6774f85c071e43b0ee530bee08cb72942d46c1a
- SHA256
  
  8f8ef83776282feb2487206099f276ce6a2b29f43428a96c081e92ebba6b6e5a
- SHA512
  
  1e03aceab8232cb11f8bbd2f39cedbd0a218f69cb0657373229b7b4a6a6d243b46a2f0e7c8e60c22fc5428525e78c6c7803d60ee9861d0bf948d7e06b0707e81
- SSDEEP
  
  1572864:dPhzJC8a2OhGI/Ag681b0gZmrlHCne0W8UiWPN9Cu26t:dPhzJFanhXAgr1g0neMSVO6t
Score

10^/10

lumma troldesh bootkit defense_evasion discovery execution impact persistence privilege_escalation ransomware stealer trojan upx
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Troldesh family
  troldesh
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (79) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1