Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2025 01:32

General

  • Target

    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe

  • Size

    1.2MB

  • MD5

    8cb303a0d38bfd91163192b53ce3b01d

  • SHA1

    f4634ef2bcd87793c7d926712b419a64337e5c37

  • SHA256

    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122

  • SHA512

    4d3f3b2ab4651548bb23b58d23e595c14760c8e1da7729a59d1d28ae9cd4930045f1873ad54464383074afbb6c505bb0a3fd87021e5a9e89331e0972c7c3387c

  • SSDEEP

    24576:EDnubmjlREOivWlyVPWemgkv2MtQnHnejg6EQ6EqmgiPT:OqsbEwS/Dy1qxQ6EqY

Score
10/10

Malware Config

Extracted

Family

lumma

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    "C:\Users\Admin\AppData\Local\Temp\3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:4636

Network

  • flag-us
    DNS
    clockersspic.click
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    clockersspic.click
    IN A
    Response
    clockersspic.click
    IN A
    104.21.85.66
    clockersspic.click
    IN A
    172.67.203.16
  • flag-us
    POST
    https://clockersspic.click/api
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    104.21.85.66:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: clockersspic.click
    Response
    HTTP/1.1 200 OK
    Date: Sun, 05 Jan 2025 01:32:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=4d2h9epedu73a45rc4rcaput7t; expires=Wed, 30 Apr 2025 19:19:25 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uvJpqnZqlzdRAVoB6PkiN02HoWxQWGIctd%2Bg9qIKfwBAwWVcfqK%2BPtG564AK5wWHItwaaxzjzjEFTcOQvMesQW7PufUl9FV%2FMy7qktpUb9jEyXV8mWQ5YUIU5ZmuTDaDMRNmBW0%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fcfb762fa346376-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=64865&min_rtt=59818&rtt_var=22340&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3302&recv_bytes=609&delivery_rate=62778&cwnd=253&unsent_bytes=0&cid=6af2835932fad37a&ts=320&x=0"
  • flag-us
    DNS
    grannyejh.lat
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    grannyejh.lat
    IN A
    Response
  • flag-us
    DNS
    discokeyus.lat
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    discokeyus.lat
    IN A
    Response
  • flag-us
    DNS
    necklacebudi.lat
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    necklacebudi.lat
    IN A
    Response
  • flag-us
    DNS
    energyaffai.lat
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    energyaffai.lat
    IN A
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    66.85.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    66.85.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    179.101.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    179.101.123.92.in-addr.arpa
    IN PTR
    Response
    179.101.123.92.in-addr.arpa
    IN PTR
    a92-123-101-179deploystaticakamaitechnologiescom
  • flag-us
    DNS
    aspecteirs.lat
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    aspecteirs.lat
    IN A
    Response
  • flag-us
    DNS
    sustainskelet.lat
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    sustainskelet.lat
    IN A
    Response
  • flag-us
    DNS
    crosshuaht.lat
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    crosshuaht.lat
    IN A
    Response
  • flag-us
    DNS
    rapeflowwj.lat
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    rapeflowwj.lat
    IN A
    Response
  • flag-us
    DNS
    steamcommunity.com
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    23.59.52.127
  • flag-dk
    GET
    https://steamcommunity.com/profiles/76561199724331900
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    Remote address:
    23.59.52.127:443
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sun, 05 Jan 2025 01:32:47 GMT
    Content-Length: 25984
    Connection: keep-alive
    Set-Cookie: sessionid=26f0e0624b2bf9a8f347b3bb; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    127.52.59.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    127.52.59.23.in-addr.arpa
    IN PTR
    Response
    127.52.59.23.in-addr.arpa
    IN PTR
    a23-59-52-127deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    137.101.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    137.101.123.92.in-addr.arpa
    IN PTR
    Response
    137.101.123.92.in-addr.arpa
    IN PTR
    a92-123-101-137deploystaticakamaitechnologiescom
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    218.101.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    218.101.123.92.in-addr.arpa
    IN PTR
    Response
    218.101.123.92.in-addr.arpa
    IN PTR
    a92-123-101-218deploystaticakamaitechnologiescom
  • 104.21.85.66:443
    https://clockersspic.click/api
    tls, http
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    1.0kB
    4.9kB
    9
    9

    HTTP Request

    POST https://clockersspic.click/api

    HTTP Response

    200
  • 23.59.52.127:443
    https://steamcommunity.com/profiles/76561199724331900
    tls, http
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    1.4kB
    33.2kB
    18
    29

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199724331900

    HTTP Response

    200
  • 8.8.8.8:53
    clockersspic.click
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    64 B
    96 B
    1
    1

    DNS Request

    clockersspic.click

    DNS Response

    104.21.85.66
    172.67.203.16

  • 8.8.8.8:53
    grannyejh.lat
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    59 B
    124 B
    1
    1

    DNS Request

    grannyejh.lat

  • 8.8.8.8:53
    discokeyus.lat
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    60 B
    125 B
    1
    1

    DNS Request

    discokeyus.lat

  • 8.8.8.8:53
    necklacebudi.lat
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    62 B
    127 B
    1
    1

    DNS Request

    necklacebudi.lat

  • 8.8.8.8:53
    energyaffai.lat
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    61 B
    126 B
    1
    1

    DNS Request

    energyaffai.lat

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    66.85.21.104.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    66.85.21.104.in-addr.arpa

  • 8.8.8.8:53
    179.101.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    179.101.123.92.in-addr.arpa

  • 8.8.8.8:53
    aspecteirs.lat
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    60 B
    125 B
    1
    1

    DNS Request

    aspecteirs.lat

  • 8.8.8.8:53
    sustainskelet.lat
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    63 B
    128 B
    1
    1

    DNS Request

    sustainskelet.lat

  • 8.8.8.8:53
    crosshuaht.lat
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    60 B
    125 B
    1
    1

    DNS Request

    crosshuaht.lat

  • 8.8.8.8:53
    rapeflowwj.lat
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    60 B
    125 B
    1
    1

    DNS Request

    rapeflowwj.lat

  • 8.8.8.8:53
    steamcommunity.com
    dns
    3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    23.59.52.127

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    127.52.59.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    127.52.59.23.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    137.101.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    137.101.123.92.in-addr.arpa

  • 8.8.8.8:53
    218.101.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    218.101.123.92.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4636-0-0x00000000007B0000-0x0000000000B69000-memory.dmp

    Filesize

    3.7MB

  • memory/4636-1-0x00000000007B0000-0x0000000000B69000-memory.dmp

    Filesize

    3.7MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.