cryptbot | f25fab3f64bad2cd989035dd854b761fe06b97e76291bd180991d21d91ea5c22

General

Target

whites1213.exe
Size

7.9MB
MD5

8398fc4aa3a5a5ab6ae7ed394b449d0a
SHA1

820ce4bb8eb51e31effa41e6829e84089b728760
SHA256

f25fab3f64bad2cd989035dd854b761fe06b97e76291bd180991d21d91ea5c22
SHA512

a44ff33aa8b477ee8a2bae6a3ac93da85df9a5fdf906baaa54b2513396df94b304bc626159e4d95561097bd3d112826e4254069320fc95f3fc167d9350234c61
SSDEEP

98304:mHZ28VaNl6GdtOjCiEj5P6pziE5Psj1ZC/bIMqiiTpYXHQtG5nuPAUV:m6ThtSpeqso4iKG5n

Score

10^/10

cryptbot lumma discovery evasion spyware stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

cryptbot

C2

http://home.twelve12vs.top/AvWHJxAVCxPehbRictmJ173

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	Set-up.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	LummaC2.exe
2108	Set-up.exe

Loads dropped DLL 4 IoCs

pid	Process
2112	whites1213.exe
2112	whites1213.exe
2112	whites1213.exe
2112	whites1213.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x00080000000164db-13.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whites1213.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2108	Set-up.exe
2108	Set-up.exe
2108	Set-up.exe
2108	Set-up.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2152	2112	whites1213.exe	30
PID 2112 wrote to memory of 2152	2112	whites1213.exe	30
PID 2112 wrote to memory of 2152	2112	whites1213.exe	30
PID 2112 wrote to memory of 2152	2112	whites1213.exe	30
PID 2112 wrote to memory of 2108	2112	whites1213.exe	31
PID 2112 wrote to memory of 2108	2112	whites1213.exe	31
PID 2112 wrote to memory of 2108	2112	whites1213.exe	31
PID 2112 wrote to memory of 2108	2112	whites1213.exe	31

C:\Users\Admin\AppData\Local\Temp\whites1213.exe
"C:\Users\Admin\AppData\Local\Temp\whites1213.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\LummaC2.exe
  "C:\Users\Admin\AppData\Local\Temp\LummaC2.exe"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\Set-up.exe
  "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\LummaC2.exe

Filesize
320KB

MD5
8da89b163d506be4a73b987517a1b9e4

SHA1
2e110cf5160c511fa3d5843e890b8e9316754f34

SHA256
ea56e7f640355598346fa0b356699298314e25d809f3aa7cfce1804a3d1964e5

SHA512
a85969bcda0b31caf0cec79f45bec068a498c7ac190fe17d7b7c03f88f5c91f5f6221fcc4fcb46604695d5b95e9047dfc1d2cf31207540c23e929fcca08d14f5

Download Submit
\Users\Admin\AppData\Local\Temp\Set-up.exe

Filesize
7.6MB

MD5
53d48938c0ec850eb316cf433ecfc045

SHA1
4415a85e1376c1a8f6661a2cc9d23ec06557d176

SHA256
f63f7d8db3ae8ed7448672263cf9333e8b867bdba7a30d73cf3966cfd8a8a909

SHA512
21a69b5969f95e4dfd404e6c415ec502282f4e54aa73c0752a29af52bdbf603837ddab640bca47c317f391f91a5f60818d5f06662c600f5e01e43e2473408c99

Download Submit
memory/2108-20-0x0000000001290000-0x0000000001A25000-memory.dmp

Filesize
7.6MB

Download
memory/2108-30-0x0000000001290000-0x0000000001A25000-memory.dmp

Filesize
7.6MB

Download
memory/2112-0-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/2112-1-0x0000000000E30000-0x0000000001616000-memory.dmp

Filesize
7.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads