General

  • Target

    43e6a585c64017573bc07fe709222d1b6cb17f01b7391e5b0a3b22be80e9deb6.zip

  • Size

    1.5MB

  • Sample

    250107-acdqgswncq

  • MD5

    9287a49c7d6f54a961a1f44208c01a00

  • SHA1

    79852c06efc37c5290faa437a360d6503a72d78d

  • SHA256

    43e6a585c64017573bc07fe709222d1b6cb17f01b7391e5b0a3b22be80e9deb6

  • SHA512

    8490971dc5ef9463445a2a63593e319938fe87b73088a3cc628d63180316bf279c6656214417fa8df34a55921ae1ed7e08023f151a5aec51dc326922986c9a3f

  • SSDEEP

    49152:7DoNWXs2d4rJ2UJ1KL3WNeOaNwQfmXNYuT2ou1bL:3owXs2d6IUJ1KL9OaNsNYnoux

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api
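
Added example (not part of the sandbox report and not the sandbox's own tooling): the eight C2 URLs from the extracted config above are turned into a hostname set, emitted as Suricata DNS-query rules, and matched against a few constructed DNS-log lines; a helper also checks a file's SHA256 against the sample hashes listed in this report. The log-line format, the Suricata sid range (9000001 upward) and the hostnames in the constructed log are assumptions made for the example.

```python
"""Turn the extracted Lumma C2 list into detection content and exercise it.

Assumptions (not from the report): the 'ts host=... query=...' log format,
the sid range used for the Suricata rules, and the constructed log lines.
"""
import hashlib
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config.
LUMMA_C2 = [
    "https://cloudewahsj.shop/api",
    "https://rabidcowse.shop/api",
    "https://noisycuttej.shop/api",
    "https://tirepublicerj.shop/api",
    "https://framekgirus.shop/api",
    "https://wholersorie.shop/api",
    "https://abruptyopsn.shop/api",
    "https://nearycrepso.shop/api",
]

# SHA256 values of the archive and the two targets the report tags as Lumma.
SAMPLE_SHA256 = {
    "43e6a585c64017573bc07fe709222d1b6cb17f01b7391e5b0a3b22be80e9deb6": "archive",
    "a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a": "Arnis.exe",
    "b6edb1c17bbdafa08c1b97f0e0880f036937d5453c3dc06c7c24e34abe36f828": "iviewers.dll",
}


def c2_hostnames(urls):
    """Reduce C2 URLs to lowercase hostnames, which is what DNS/proxy logs record."""
    hosts = set()
    for u in urls:
        host = urlparse(u).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def suricata_dns_rules(hosts, base_sid=9000001):
    """One Suricata rule per C2 host on the dns.query buffer (sid numbering assumed)."""
    rules = []
    for i, h in enumerate(sorted(hosts)):
        rules.append(
            f'alert dns any any -> any any (msg:"Lumma C2 DNS query {h}"; '
            f'dns.query; content:"{h}"; nocase; endswith; sid:{base_sid + i}; rev:1;)'
        )
    return rules


# Constructed log format for this example: "<timestamp> host=<src> query=<name> type=<rr>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<src>\S+)\s+query=(?P<q>\S+)")


def matching_queries(log_lines, hosts):
    """Return (timestamp, source host, queried name) for queries to a C2 apex or subdomain."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        q = m.group("q").lower().rstrip(".")
        # Exact apex or a label boundary below it; 'notrabidcowse.shop' must not match.
        if any(q == h or q.endswith("." + h) for h in hosts):
            hits.append((m.group("ts"), m.group("src"), q))
    return hits


def classify_bytes(data):
    """Report label for data whose SHA256 is one of the listed samples, else None."""
    return SAMPLE_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed DNS log lines (not real telemetry) used to exercise the matcher.
SAMPLE_DNS_LOG = [
    "2025-01-07T10:02:13Z host=WS-17 query=rabidcowse.shop type=A",
    "2025-01-07T10:02:14Z host=WS-17 query=NoisyCuttej.shop. type=A",
    "2025-01-07T10:02:15Z host=WS-22 query=cdn.framekgirus.shop type=A",
    "2025-01-07T10:02:16Z host=WS-22 query=notrabidcowse.shop type=A",
    "2025-01-07T10:02:17Z host=WS-09 query=update.microsoft.com type=A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hosts = c2_hostnames(LUMMA_C2)
    for rule in suricata_dns_rules(hosts):
        print(rule)
    for ts, src, q in matching_queries(SAMPLE_DNS_LOG, hosts):
        print(f"{ts} {src} queried Lumma C2 {q}")
```

The `endswith` check in the Suricata rule and the `"." + h` boundary in the Python matcher serve the same purpose: flag the apex and any subdomain of a C2 host without firing on unrelated names that merely contain the string.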

Targets

    • Target

      Arnis.exe

    • Size

      201KB

    • MD5

      2696d944ffbef69510b0c826446fd748

    • SHA1

      e4106861076981799719876019fe5224eac2655c

    • SHA256

      a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

    • SHA512

      c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

    • SSDEEP

      3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    • Target

      Qt5Gui.dll

    • Size

      4.8MB

    • MD5

      d9b78f4b2f8f393c8854c7cc95eae5d8

    • SHA1

      8d648e7bda5b6bf7b02041189b9823fe8d4689e5

    • SHA256

      55faebb8f5e28cde50f561bbd2638db7edcfd26e7ee7b975e0049b113145ae38

    • SHA512

      6e76b524a56cc9bb5ae4beeedd41a48c35cf03c730752da3cae49862cb7bc3c17283099c39787f5933c1771eca7c2e651d92b961de7f43813f026eb295c90c81

    • SSDEEP

      49152:PcLeg66Ry8jdAYbppzo7Tzj1/JrRbkwW6Ydzzr3YCWizxCqDRkU9i4g1/JAyn:kLrBpr1o7bRyfdzzxz0NTA4

    Score
    3/10
    • Target

      Qt5Svg.dll

    • Size

      253KB

    • MD5

      06cc5d18a496520e05bcfee1e3169535

    • SHA1

      98ba5d0ed52499a845038c3b4bcba356b9339f11

    • SHA256

      ea31035fa96ba656d64b58d4f1a9dd210df7154afad3d4f96ee36b41584e4360

    • SHA512

      154a2fdbaa045df6289476420cc4045905a866cd54d756dcc09e0ea79f2cec7f33c748534f47c827841e35c35f71d462cadb801a6b99bf72c162c075d786fdbe

    • SSDEEP

      6144:kKD4dwpLEE61jMW52NP5xwuMnyOWYGcy8Dv4Cnke+9oCsGhvdw61IwxP4zd:kKD42pLEE6mw2NPnBMIBrU

    Score
    3/10
    • Target

      args.rs

    • Size

      2KB

    • MD5

      14d602575efe35b03a7ca52fc54f5e37

    • SHA1

      75ce5beb4820088f729c14dc7f097b6929598f89

    • SHA256

      74a247b54649861596678f851e337f0aa3d4d993f328103bc74aeee9a0e99b5d

    • SHA512

      c3d92539bcd473e053d4119cdafad054f792c489aac5694392eefe487ba51a1bcf062be11f0ff73dd42995d9179e84f5cc64282d1dbc8e68eb07b3c65246cecc

    Score
    3/10
    • Target

      iviewers.dll

    • Size

      8KB

    • MD5

      da9b36090cd0f8766f2127bc5c318389

    • SHA1

      972f6a885512db3c5ae4330be4e81519d8e7884d

    • SHA256

      b6edb1c17bbdafa08c1b97f0e0880f036937d5453c3dc06c7c24e34abe36f828

    • SHA512

      702213d3d2955e58dc02468288891d29f69213b75fdb5f9aba27daf618bf1b8a3ff5ad96283945ead868d4f837641ea52273430207080e781221ee2294a728f6

    • SSDEEP

      96:UXVV9kybtLHUkbpGDrA791djz3Jn6b7g303PRPFJygFE1H/8R:okybtLHuvG9vjz3J29RTygFE1H/u

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    • Target

      main.rs

    • Size

      13KB

    • MD5

      02369fe3370bab4de20ad6dad33989ae

    • SHA1

      7822f7ce2bc323161c8be04c4c2d2722122d60eb

    • SHA256

      b619429acc43717b1e1b8d66c55078e4960657ab8bb6132072c3ac67c9af9afc

    • SHA512

      1c5cd2b03412e680c08f0d935619c000ebbfb1345f6ac30768773d946d8ce26e3b6677cb11d0f70019c9f67d5a6a6ba2c7301ce8881c07cabcc2403aa5b68977

    • SSDEEP

      192:SQg/mwXUUkrFXtN78gx0MZhjjiGK74lXeuT+ShGpFl/8yKl3KrvANLdt1/2sLv:SQVFXtNAWndlWSh9mTaLdt1fL

    Score
    3/10
    • Target

      ssleay32.dll

    • Size

      270KB

    • MD5

      df38eb2002e5979e57babf8b4f6a2f82

    • SHA1

      219d5837f6461688122d637bf67f041fc6c19aac

    • SHA256

      5c2f10a772edfbeef8a5261b8677e68c4194cb87f3cb9bc319c8da75cfaefa3f

    • SHA512

      da4b6ec820f5886102577a7e98187ed45165ee5373504fb4f610cfb47eb2ad6e0b75d868464df4ee8b97f506c2f493a1d3bf029c184c08b311dbc1b76c2a37f6

    • SSDEEP

      6144:0xnT+R40IInTyFxvYlBtCikIK3gb/VuLXyJxm11VMaorgpa7ivoQXoYwWAaHeeT6:6nKR40IInTyFxvY3tCikIK3gb/VECJxD

    Score
    3/10
    • Target

      world_editor.rs

    • Size

      15KB

    • MD5

      46e693c8163f47b49606d48b1c184182

    • SHA1

      9c65cac6b687030b0e4970f042a8501485ad865b

    • SHA256

      8f97d95fbca4efa749585c6485782f0d07441b447807188736c03f04b74ffd72

    • SHA512

      3e426433e163af7e5039b20ef7f25654d46f5184a284dbd2a64a3f97502684d8d5ccd138499cd0f6fb4958aae23c36ec5204d4fff6e6ee39120089b73cb6271a

    • SSDEEP

      192:E6f5X7zNy9/MOg55jQ5AX6RPHqJe02SWymNWkCy2E1CKCe7oTJmiW516qKE:E6f5X7zs9/qwqsl8CBXx

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks