Resubmissions

  • 07-01-2025 03:19  250107-dt8tqs1rc1  10

  • 07-01-2025 03:10  250107-dpd4ka1pdv  10

  • 07-01-2025 03:09  250107-dnmz3stlcp  10

  • 07-01-2025 02:39  250107-c5hk9asmbl  10

General

  • Target

    aa845a8fb4ab38aebe6a16a2a8f80ca4467ac0991d3eef4d8a10bdf97dedb1e9.hta

  • Size

    1.6MB

  • Sample

    250107-dpd4ka1pdv

  • MD5

    dbf37b54acb5e3b86a3dc93ec3b7dc24

  • SHA1

    65100e3e23406a9f92880e202e4b006fd39f33d6

  • SHA256

    aa845a8fb4ab38aebe6a16a2a8f80ca4467ac0991d3eef4d8a10bdf97dedb1e9

  • SHA512

    0f785989935702715872e6621ecf9ad003f5d3d9eb8396a32fa5c0506f636a979e5c98c292885207124029c05c6dd88df33d2b91b028cdb5055ce9000dac7ae9

  • SSDEEP

    24576:g/ISwmcPODvnBj3SoGDw/ISwmcPODvnBjc/ISwmcPODvnBj1/ISwmcPODvnBjf:g/IMcAYoGc/IMcAu/IMcAn/IMcAN

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    ps1.dropper: https://klipdiheqoe.shop/ruwkl.png

Extracted

  • Family

    lumma

  • C2

    https://grooveoiy.cyou/api

Targets

    • Lumma Stealer, LummaC

      Lumma, or LummaC, is an infostealer written in C++ and first seen in August 2022.

    • Lumma family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks