lumma | 48ce31ecda937253d2ccc1dfd01053eb4f3d93486c1ee36edd97347bf21a9e72

Resubmissions

27-12-2024 09:03

241227-k1emsstnck 10

Sharing

Copy URL

Twitter E-mail

General

Target

Solara.zip
Size

4.7MB
Sample

241227-k1emsstnck
MD5

01cc8b841c2c00bdd120f492131a10ea
SHA1

d438903ef37254da834647bca766e5e670885859
SHA256

48ce31ecda937253d2ccc1dfd01053eb4f3d93486c1ee36edd97347bf21a9e72
SHA512

54af1d94fd91e981a1a8756ee84a5d75d4a07f101fa67c90c020a7d66fc244086686f32b799a3f5160ef495143ada0a18b7fe90d786f08baffb9a6a36f413fae
SSDEEP

98304:pc+0rjbRcP30nr08HFGBK3s+vINCZVEMclLPPZlOZ7XtUZzPrF3J+b:QrjbRW3y4ZMI8lcJjOZJOxZ+b

Score

10^/10

Malware Config

Extracted

Family

lumma

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://forbidstow.site/api

Extracted

Family

meduza

127.0.0.1

Attributes

anti_dbg
true
anti_vm
true
build_name
Meduza
extensions
.txt; .doc; .xlsx
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Targets

- Target
  
  Solara.zip
- Size
  
  4.7MB
- MD5
  
  01cc8b841c2c00bdd120f492131a10ea
- SHA1
  
  d438903ef37254da834647bca766e5e670885859
- SHA256
  
  48ce31ecda937253d2ccc1dfd01053eb4f3d93486c1ee36edd97347bf21a9e72
- SHA512
  
  54af1d94fd91e981a1a8756ee84a5d75d4a07f101fa67c90c020a7d66fc244086686f32b799a3f5160ef495143ada0a18b7fe90d786f08baffb9a6a36f413fae
- SSDEEP
  
  98304:pc+0rjbRcP30nr08HFGBK3s+vINCZVEMclLPPZlOZ7XtUZzPrF3J+b:QrjbRW3y4ZMI8lcJjOZJOxZ+b
Score

10^/10

meduza discovery stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  SolaraExecutor.zip
- Size
  
  5.6MB
- MD5
  
  dd1ef271e374ee04c4b9dd1309d33c3a
- SHA1
  
  7fec11e0c363f6e6886d024e6e606739cc173f61
- SHA256
  
  f6c659e45fc58a9643cb25deab7e02c893b6b74ee5efab001606fcc7b167dd5e
- SHA512
  
  646d50a0472c98d26e13d51da2be5c1e0148b7178fafcdca6791887c62af04be8b00bd02c5fa721491e9cbf9238ae1995786730829756676604b0b3007ddc33d
- SSDEEP
  
  98304:lcEaulZ1vojDk3rsWHvE3eX6C7wRk5nEMGLT5lHRkdXbRCPptrFDh3ea:PlZ1v6D+CHuwclG5rkdVuX1ua
Score

1^/10
behavioral3 behavioral4
- Target
  
  Solara.exe
- Size
  
  754.0MB
- MD5
  
  6d2557890012c957faaae8d35a4f0e56
- SHA1
  
  1225cd40742576895f74b42bdc18b3af21d96eef
- SHA256
  
  b29da8d3e2117236d9f8af71bed0addf68093ccf61acad5a979b2531b0049310
- SHA512
  
  145b3471f498d9579b466695407c03a3bd0fad9b98cabbdab9f34ee0ba534d4734fcdb1ce357b90e0de1ec8d9ded04f5576b06e94abed79601510d05cfc4d65a
- SSDEEP
  
  98304:pJxFqrqnIGHYeUt7w8TsEitaAo4N/nl3x0NlBuQa3HUQLrFD:/xFqrqnwtw8ccAoKl3fQa3J
Score

10^/10

meduza stealer
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  WindowsManager.dll
- Size
  
  433KB
- MD5
  
  5b7211145cb919b8cac505949d35caa8
- SHA1
  
  6373c7181bfc64cf140630219db2aefbca2c9f62
- SHA256
  
  29363cf4cd506dcfbfa2f3d954e2130b85db8068c0a8acae7982a6f1fa657c90
- SHA512
  
  b553730dc97cfa5e3e920b2484d157757539c7728c693bbce189f911deb5e3697c12eb4bb847d714fc8f83bf481245574ded807e88317b2dd039c97a71384571
- SSDEEP
  
  12288:CI11++JcRZtddofKKrzHPJ3ii0bL7E6t7y22a:CIKRZtddoPrjR3sP7RtuS
Score

1^/10
behavioral7 behavioral8
- Target
  
  assets/TapInstaller.dll
- Size
  
  25KB
- MD5
  
  9cac1ad2f768d22e4aaae577097df7f3
- SHA1
  
  b059d99cdd50c46948bd6e4ac264c2fe53169b22
- SHA256
  
  9c050c82c065fe5e7553e73393e59d0b3ca3372e6d590d6eb074b014dab0ea78
- SHA512
  
  22d59282a9b2aab81884ad1b1391c16755e895b2b79466fc163f30a8e9035498b371781ea0fab40b6e79313a9a54fe90b8903ecb8ad29471eebd02ce269a0be4
- SSDEEP
  
  384:hxB7Wf+NkjZwWqXteRRUUmi/6XLNrtMQJK2+Katf5kKFKjqfvGBkSG00:/kjSoghrW29skKFKcMkP00
Score

1^/10
behavioral10 behavioral9
- Target
  
  assets/WSearchMigPlugin.dll
- Size
  
  134KB
- MD5
  
  b74eb945013d95409a3e071c4029cb02
- SHA1
  
  d087775c3f00e9c27842cc44bcb27c0f334a865b
- SHA256
  
  2bdbbd40df3b199cd8ebfc359be451971527e602ab999e23fae524f8edab0ef1
- SHA512
  
  3c1e8d24a4d0eadec0beb7c3288bbb290d018ddaa104df9e65db0de0d7543ab77c4139de6b20382925e35bb1ee303dca12b2ea418770c70dde33f26be06a1c48
- SSDEEP
  
  3072:PBBD02DY32F5K7lxgtRx3aHCHGA+48xgJJ5x5N3DPZtQ68f69ru:PBBD02U32F5K7KRxKiHGAP37QXfS
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral11
- Target
  
  assets/WpcMigration.Uplevel.dll
- Size
  
  231KB
- MD5
  
  c92661b900b934ce4e4b7d047aba74e5
- SHA1
  
  abf1d9b1058fb1f14a091985bd3fa3c2e9140702
- SHA256
  
  85302fc70223988f2e94c5b443afe8c95f73695f60778bdc8cd5e1316a701841
- SHA512
  
  34921fccfc07d4080c22d7ff056e92df2bfee61f82212501c9c86d532131c43b2b3655e101439396b887a53180159cb372b222e649bcd7d48ed9952df0a22f6d
- SSDEEP
  
  3072:aqJFmRDHgpg2Ri14Myz56tvi8UKLBWAUG/+vufW4369gNbv6K9kd+GAmA8C/y:a0otLkMVizsBXUi6qNdkd+GAmA8
Score

1^/10
behavioral12
- Target
  
  assets/WsUpgrade.dll
- Size
  
  201KB
- MD5
  
  9d99b0e88cc4eaa43141dea9e31ed3be
- SHA1
  
  442e48476650e97cfac8e8088a7315b9804be0c1
- SHA256
  
  061de26f44da62a17eecb71f078ef90a9c8784e7c58500984314c74b32c12e46
- SHA512
  
  2a0cd7adf67e535cf4a40988d6da4ee69970694875504ea7f7e68cef19e01675557bd3021d867c2bb837d1c3e8287d710259c921967324255c53d0351c6d48df
- SSDEEP
  
  3072:a0qV+qDh/7k8Rr92ZSbTP6c27UxDOUreaNQbmOhG7/tfxvharBjnt:a0qVHV1IwTPrFtOe/tzarB7
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral13
- Target
  
  library/ARSoft.Tools.Net.dll
- Size
  
  302KB
- MD5
  
  452def66509f01d15b43e4c57176d1d8
- SHA1
  
  fb3438a1b191fb75c76d22023c3478a585756463
- SHA256
  
  f1fe59774bf1fd914aea33459631837569d78e2c1a68d8c544cb498fcdbbef10
- SHA512
  
  c5ded39b6f8961bf9e1b77fb07fc41ac321f2e5b9e7a0c4d3a55cf7debb483384b51a8abade6edb9601ea2871cfba65886582cceefcc5010f45c819ec30c625e
- SSDEEP
  
  6144:/AUw1rf4dPEliWDLdQCc88UviewobzUY+GsKAZ:qbiy3Zc88UtFfU
Score

1^/10
behavioral14 behavioral15
- Target
  
  library/Autofac.dll
- Size
  
  236KB
- MD5
  
  f879f97c67c2d03cd47bb7ab1e6dfd51
- SHA1
  
  a65ec6943e9eb3ca7001f7bc310475709a949d08
- SHA256
  
  02c445f70273eff02d30055c83e77ce7434dd24f6da485b0231e88b2675795dc
- SHA512
  
  882db30f98796339a610ce5e5ddd8ad161e231fdd75c5ebd3e552fbb44a618faa09904b01c7c7dcf5834a350a2170c516838bc5de363a89a3a01bb6e0171970a
- SSDEEP
  
  3072:g36EQo/nAmrSwxl6g6o9We/Bwdc2lSG+qR/EWJS6A6g73yRhxgByGP/aw4cQSOhZ:gBclGKpT6zbcZAhdPSVuoxnBDPTS
Score

1^/10
behavioral16 behavioral17
- Target
  
  library/GalaSoft.MvvmLight.Platform.dll
- Size
  
  23KB
- MD5
  
  99a0483ce79d57b52b6a1eacd5f86a12
- SHA1
  
  443fc60ab490eefea76859cd263fafa15fed26a1
- SHA256
  
  16a051d25e5256348affa9f64a0919f69efd860c8fd3c3b28cea0a9fa126cd4f
- SHA512
  
  977719f32b0a4bd10f584a0ee82e7c69664a2a75533f1a3c7799eb89bd5d7c98cece830538372fb7e2263f3c99942ada1e90de50e0ba0e59dfacb8ab8e66d20c
- SSDEEP
  
  384:2KKUx+mQv787wr/igP39cVT0ojR97dKRSX8iPyZA3gs/bHMQJK2+KatfzNKFKjqI:DKnW3g/oTZjR97dJXTPyA3gs/bk29+Nn
Score

1^/10
behavioral18 behavioral19
- Target
  
  library/GalaSoft.MvvmLight.dll
- Size
  
  50KB
- MD5
  
  0fe3d6671024ea3d78aa18dd5adfa613
- SHA1
  
  3dfdfa5a20c3ded2908198c85aa04b9dae024441
- SHA256
  
  3baba32bdbcd1f2e715724e41ad97878bdb9fb7b7f85dfadc2f98d6cd68932fb
- SHA512
  
  84b7a7104ea5cce7c713c6bc2e8c686a684b78fe4949367db6652d285d3d01ebe594070cc993456fac9a21ac2f7a39180ecaf6013d674fce4e42206d0c1c6c55
- SSDEEP
  
  768:5nVF+heuJxTH6yaDSpAyYZbT0gJHTCNQYRWCiD5MaIN7UAifpzNJ2Ox/KpEsD+KQ:5VKLY5T0gUNQQiltEifpv2sCWRyIr
Score

1^/10
behavioral20 behavioral21
- Target
  
  settings.ini
- Size
  
  16KB
- MD5
  
  2b2c0eb8722a2fcc744e1c1a14ad76cc
- SHA1
  
  d87b5ec45d5dfc6380eea0bdcfec0abe907c453a
- SHA256
  
  70a55d6552152aef629eca02fc65e4fb2c07d789c60bcc439c1f68370784debf
- SHA512
  
  b390960e129fde367c3ff598f64d046c2cd11b9f2b08872353b80c2a6724c07b18c5156d7b4a5bcebe1dca7e065bcdfb57a1c3166bc6ba4e47109497ec4b8c10
- SSDEEP
  
  96:k/tsV/JtsK1KMt2o/tsV/JtsK1KMt2o/tsV/JtsK1KMt2o/tsV/JtsK1KMt2o/tp:kWRWRWRWRWRWRWRWRW2WRWRWRW7
Score

1^/10
behavioral22 behavioral23

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Meduza

Meduza Stealer payload

Meduza family

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Meduza

Meduza Stealer payload

Meduza family

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Event Triggered Execution: Component Object Model Hijacking

Event Triggered Execution: Component Object Model Hijacking

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23