Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2025, 11:25 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Resource: win7-20240903-en
General
Target: 2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Size: 2.4MB
MD5: 184c91e797c8024ac16590a5997334f4
SHA1: 8d4f7dc3ffd32fc9202b22612298c2de46905ea8
SHA256: 96fd66162f8902c89cdb7c28d58ac3ded207faad681740980974c1e7d2405121
SHA512: 73da4d4560c459f571f229a26fabe66241742969f52eee0d6d322f2c4f0c4c6fce3fc5506029c8fb479c481683614f054936027ab8a2fc2a204f510431f83c22
SSDEEP: 24576:4+iDaUoyTa1kILQ4ei7TKh0lhSMXlgEsOyC2fOO31foF68LnXq06c8vzomZrUEH:4dDa7yQei7bwSD2dgpa0j8vcmz
Malware Config
Extracted family: lumma
C2 URLs:
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
Signatures
Lumma family
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: 2972
Process: 2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2972
Network
DNS: cheapptaxysu.click
Process: 2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Remote address: 8.8.8.8:53
Request: cheapptaxysu.click IN A
Response: cheapptaxysu.click IN A 104.21.67.146
Response: cheapptaxysu.click IN A 172.67.177.88
POST https://cheapptaxysu.click/api
Process: 2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Remote address: 104.21.67.146:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cheapptaxysu.click
Response:
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ipqVOSdObgyQ4ksQxAK%2BD0nxmPgD43xrvwAU%2Fz7ZVrps%2FcVvTyDduLWz1CcilQ36bmLr%2BS2SFkTRC5TSOOXQHA%2BEL0RJhjBrU9evoFDiGMAqEKLvzADEUIDhIs9%2Fo64JJYD2hQo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe396cf2bdb4886-LHR
POST https://cheapptaxysu.click/api
Process: 2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Remote address: 104.21.67.146:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=C5EOiM9GMR2pXDPL862Lq7e_.dG1gSivo6H1Ayh_s3Y-1736249146-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 42
Host: cheapptaxysu.click
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=2eedhuuah387ol2bel84ud7mi0; expires=Sat, 03 May 2025 05:12:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bjnrfgtqVF%2F2Qm0rR3ngC7YZRK4LheEnYj8UEJD1d4MzRVA2WhSrc4PbWdaRvbf4s1vbG7%2Fr%2FakCV2hDJZc1ibxKfy08P8TolWaJYPmRTp7PnLcUtJTRopXYvPogH5xnXwBg2Rs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fe396cf6c1e4886-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31121&min_rtt=26198&rtt_var=9252&sent=14&recv=12&lost=0&retrans=0&sent_bytes=8149&recv_bytes=1044&delivery_rate=303602&cwnd=255&unsent_bytes=0&cid=00718df745e1391c&ts=316&x=0"
Connection summary
Remote address: 104.21.67.146:443
URL: https://cheapptaxysu.click/api
Protocols: tls, http
Process: 2025-01-07_184c91e797c8024ac16590a5997334f4_hijackloader_luca-stealer_magniber.exe
Bytes: 1.7kB / 10.1kB
Packets: 14 / 17
HTTP Request: POST https://cheapptaxysu.click/api
HTTP Response: 403
HTTP Request: POST https://cheapptaxysu.click/api
HTTP Response: 200