LunaGrabber | a8f611076c461e67ad46fb3c7dc118abb1ec9d9cc71076f12a372202dd302c91

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 07:17

Target

adm-hub.exe
Size

59.6MB
MD5

e20737240141c56388af8de1f151c761
SHA1

819b9fb1d2cbcf304b379470332822c33f39f554
SHA256

a8f611076c461e67ad46fb3c7dc118abb1ec9d9cc71076f12a372202dd302c91
SHA512

862c44ef6d1239fe0e47cb7aa1ebf951c84bf6aed771fe907dc540ea29730f136dabc4d113982bab8695f94b7f01abf2eaddd5104e616f6f9af33e5fcbdf560c
SSDEEP

1572864:j+rewmxQqMrlpA+Ql4oKErkZkcJDucqXZCxiJg:j9wmxyklDKErqkchuc3xii

Score

10^/10

Detects RedTiger Stealer 7 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000300000002087a-736.dat	redtigerv122
behavioral1/files/0x000300000002087a-736.dat	redtigerv22
behavioral1/files/0x000300000002087a-736.dat	redtiger_stealer_detection
behavioral1/files/0x000300000002087a-736.dat	redtiger_stealer_detection_v2
behavioral1/files/0x000300000002087a-736.dat	staticSred
behavioral1/files/0x000300000002087a-736.dat	staticred
behavioral1/files/0x000300000002087a-736.dat	redtiger_stealer_detection_v1

Matches Luna Grabber Rule For Entry 1 IoCs

Detects behavior indicative of Luna Grabber malware

resource	yara_rule
behavioral1/files/0x000300000002087a-736.dat	LunaGrabber

Loads dropped DLL 1 IoCs

pid	Process
868	adm-hub.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000300000002087a-736.dat	upx
behavioral1/memory/868-738-0x000007FEF6000000-0x000007FEF6466000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 868	3068	adm-hub.exe	30
PID 3068 wrote to memory of 868	3068	adm-hub.exe	30
PID 3068 wrote to memory of 868	3068	adm-hub.exe	30

C:\Users\Admin\AppData\Local\Temp\adm-hub.exe
"C:\Users\Admin\AppData\Local\Temp\adm-hub.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\adm-hub.exe
  "C:\Users\Admin\AppData\Local\Temp\adm-hub.exe"
  2⤵
  - Loads dropped DLL
  PID:868

C:\Users\Admin\AppData\Local\Temp\_MEI30682\python310.dll

Filesize
1.4MB

MD5
2eac43445089be54e8fc98a8ef1a45de

SHA1
ec0bcb5bbf781b104a351668c15f5b63775bb9b9

SHA256
8503edb23e050affeb895fe647253493a172a5aeff5062aad2fa3c8c4dcaae93

SHA512
a604c169c4e27db450a904cb5437a692da0b114ac1793eb7c470a81831dcc09a6091528f052a48039ae5f7496d0f8498cafa6485f38221466d34d9e757e5e7a4

Download Submit
memory/868-738-0x000007FEF6000000-0x000007FEF6466000-memory.dmp

Filesize
4.4MB

Download