Overview

overview

10

Static

static

3

MultiHack ...er.exe

windows7-x64

10

MultiHack ...er.exe

windows10-2004-x64

10

MultiHack ...al.dll

windows7-x64

1

MultiHack ...al.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    95s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MultiHack v1.8/Loader.exe

  • Size

    345KB

  • MD5

    af8c79e72618067111d02f743943d915

  • SHA1

    1a570b532bd5ddef3a4ee9c6266dcaee59cfe3aa

  • SHA256

    e36248278653c3a331c82d8bbf0faf9c96a07ed2f1ae694e239a6060c712a665

  • SHA512

    bd2ac826f4fe7b4c25c7a136bf5c1ef031ea764e0a6e0ce337a605679207450a2d801478faa83500acc32f28236aa4651c80f841f2de8e1af181b2979595a2b3

  • SSDEEP

    6144:dVQyGO2hf4TnxD6RZdxFaaa4H2vXvFNDxwY3El8o/WMcZIjKH2LlgH1rzArF:XQJhhf4Lodx0aai2PNNa4ElPwi+of

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://truculengisau.biz/api

https://spookycappy.biz/api

https://punishzement.biz/api

https://nuttyshop/api

https://nuttyshopr.biz/api

https://marketlumpe.biz/api

https://littlenotii.biz/api

https://grandiouseziu.biz/api

https://fraggielek.biz/api

Extracted

Family

lumma

C2

https://fraggielek.biz/api

https://grandiouseziu.biz/api

https://littlenotii.biz/api

https://marketlumpe.biz/api

https://nuttyshopr.biz/api

https://punishzement.biz/api

https://spookycappy.biz/api

https://truculengisau.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MultiHack v1.8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\MultiHack v1.8\Loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Users\Admin\AppData\Local\Temp\MultiHack v1.8\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\MultiHack v1.8\Loader.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3460
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 808
      2⤵
      • Program crash
      PID:3820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840
    1⤵
      PID:4564

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3460-5-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/3460-6-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/3460-8-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/3460-9-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/3840-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3840-1-0x00000000009F0000-0x0000000000A4E000-memory.dmp

      Filesize

      376KB

      Download

    • memory/3840-2-0x00000000057C0000-0x0000000005D64000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3840-7-0x0000000074B90000-0x0000000075340000-memory.dmp

      Filesize

      7.7MB

      Download