Extracted

• • Target

    Fiddler Triage Pyinstaller shit.zip

  • Size

    9.8MB

  • MD5

    d74316e7c7bb248880a6d3349fd27fcf

  • SHA1

    639c91ac359884fe9cb6d41ef2171491f47bff40

  • SHA256

    7372d669599c35de6b4bf6a158a947ae49e8a3a56742f9f3948be7d6d75e9172

  • SHA512

    418b0e96155386cef61d666bbac37eb10b092dfd3f0abe6ac848ae11fa87eeccf2057b02724f70ecef65a5a3229052d98ba2d92aced8dad82c4ffd033b7a8404

  • SSDEEP

    196608:G83Kl3QHFPGsGvoZhtbTEJji85s1tcICfiDs4ptQR6fCjt8F3bJ8XgJN:mBnubAi83ViDsRR6fCx8f8kN

  Score

  10^/10

  lummadiscoveryevasionpersistenceprivilege_escalationstealertrojan

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Checks for common network interception software

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion

  • Downloads MZ/PE file

  • Event Triggered Execution: Image File Execution Options Injection

    persistence

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Checks system information in the registry

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2