Overview

overview

10

Static

static

3

ChatGPT-5 ...4 .exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    12s
  • max time network
    13s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06-01-2025 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ChatGPT-5 Version 2024 .exe

  • Size

    599KB

  • MD5

    906e2e800689b68629d194ba1d388a5d

  • SHA1

    e1a7213c1b565dd4fbf5c73846f7e515c62eabc1

  • SHA256

    9fcba37dbe53ff8a8e1600f25c7493524dc1c4beb6f2d7f116d0db5fcd4fe40e

  • SHA512

    fc861c25649262eb28bb084705ce5ffaea57be4b2f071627e277583aedd5ae494ce1a5efcac78a8255c079abd515d6e8144559e9145d993f3224466ed867eabf

  • SSDEEP

    12288:KRlgp3NPQ1eiEY+Iy7XMrHyDO5TwAjVw+zvIiR679iN5g49d:KRGLaeFkg8HfXw+zvjRk965gQd

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Drops startup file 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ChatGPT-5 Version 2024 .exe
    "C:\Users\Admin\AppData\Local\Temp\ChatGPT-5 Version 2024 .exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Users\Admin\AppData\Local\Temp\ChatGPT-5 Version 2024 .exe
      "C:\Users\Admin\AppData\Local\Temp\ChatGPT-5 Version 2024 .exe"
      2⤵
        PID:1512
      • C:\Users\Admin\AppData\Local\Temp\ChatGPT-5 Version 2024 .exe
        "C:\Users\Admin\AppData\Local\Temp\ChatGPT-5 Version 2024 .exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Users\Admin\AppData\Roaming\es88TVd3A1.exe
          "C:\Users\Admin\AppData\Roaming\es88TVd3A1.exe"
          3⤵
          • Drops startup file
          • Executes dropped EXE
          PID:2176
        • C:\Users\Admin\AppData\Roaming\QGs0Ciy1ib.exe
          "C:\Users\Admin\AppData\Roaming\QGs0Ciy1ib.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3492
          • C:\Users\Admin\AppData\Roaming\QGs0Ciy1ib.exe
            "C:\Users\Admin\AppData\Roaming\QGs0Ciy1ib.exe"
            4⤵
            • Executes dropped EXE
            PID:1632
          • C:\Users\Admin\AppData\Roaming\QGs0Ciy1ib.exe
            "C:\Users\Admin\AppData\Roaming\QGs0Ciy1ib.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4208
          • C:\Users\Admin\AppData\Roaming\QGs0Ciy1ib.exe
            "C:\Users\Admin\AppData\Roaming\QGs0Ciy1ib.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1384
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 820
            4⤵
            • Program crash
            PID:1576
      • C:\Users\Admin\AppData\Local\Temp\ChatGPT-5 Version 2024 .exe
        "C:\Users\Admin\AppData\Local\Temp\ChatGPT-5 Version 2024 .exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Users\Admin\AppData\Roaming\AIpSAGtN7B.exe
          "C:\Users\Admin\AppData\Roaming\AIpSAGtN7B.exe"
          3⤵
          • Executes dropped EXE
          PID:2536
        • C:\Users\Admin\AppData\Roaming\3GaPdEo2mW.exe
          "C:\Users\Admin\AppData\Roaming\3GaPdEo2mW.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Users\Admin\AppData\Roaming\3GaPdEo2mW.exe
            "C:\Users\Admin\AppData\Roaming\3GaPdEo2mW.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4228
          • C:\Users\Admin\AppData\Roaming\3GaPdEo2mW.exe
            "C:\Users\Admin\AppData\Roaming\3GaPdEo2mW.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2120
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1380
              5⤵
              • Program crash
              PID:3196
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1264
              5⤵
              • Program crash
              PID:1524
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1420
              5⤵
              • Program crash
              PID:1468
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 744
            4⤵
            • Program crash
            PID:3728
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 828
        2⤵
        • Program crash
        PID:696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3948 -ip 3948
      1⤵
        PID:1496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2836 -ip 2836
        1⤵
          PID:3804
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3492 -ip 3492
          1⤵
            PID:3060
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2120 -ip 2120
            1⤵
              PID:392
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2120 -ip 2120
              1⤵
                PID:1968
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2120 -ip 2120
                1⤵
                  PID:4220

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\3GaPdEo2mW.exe
                  Filesize

                  358KB

                  MD5

                  8b9abdd34bc37aa98a7354ddfadb3ad4

                  SHA1

                  e0d0f196cd32d11c0730782312ee6187bc0a4e25

                  SHA256

                  998e60e73f4fdc01ac1c16038b0c6ee393adeb95394cad764d77bc2d8d661d6f

                  SHA512

                  71340bddced0006d82731924f2fe1d605655aeae63058295b86e98698db60611370fd0d8f87411b5cd26c2a080af91752cff5b71fd87039e676bea095c21f309

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\AIpSAGtN7B.exe
                  Filesize

                  11KB

                  MD5

                  5afb8ce4dd3923219bd69bd7b5168d91

                  SHA1

                  e06283294510284af9082eb67d368e6d88d9e232

                  SHA256

                  f727bba8d917fa3f129d71745e0741a8511f940b1a6817ff5130aa2f3ae85c79

                  SHA512

                  8135efb34c768a9c292b54bc25845dd9b388e98f9f0b67918fbf5887c8e1d3da81bb84e044eebdf0868c40a685bd157daafb4789b373dea3e273c5275ebd0740

                  Download Submit

                • memory/1636-14-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/1636-5-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/1636-53-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/1636-7-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/1636-6-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/1636-50-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2156-9-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2156-57-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2156-13-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2156-11-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2156-10-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2156-8-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2156-48-0x0000000000400000-0x0000000000490000-memory.dmp

                  Filesize

                  576KB

                  Download

                • memory/2176-51-0x0000027269DF0000-0x0000027269DF8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/2836-59-0x00000000006D0000-0x0000000000732000-memory.dmp

                  Filesize

                  392KB

                  Download

                • memory/3948-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3948-12-0x0000000074A80000-0x0000000075231000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3948-2-0x00000000056C0000-0x0000000005C66000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/3948-1-0x00000000006E0000-0x000000000077E000-memory.dmp

                  Filesize

                  632KB

                  Download

                • memory/4228-62-0x0000000000400000-0x000000000045B000-memory.dmp

                  Filesize

                  364KB

                  Download

                • memory/4228-64-0x0000000000400000-0x000000000045B000-memory.dmp

                  Filesize

                  364KB

                  Download