Overview

overview

10

Static

static

3

Lunacy.exe

windows10-2004-x64

10

Lunacy.exe

windows10-ltsc 2021-x64

10

Resubmissions

13-01-2025 04:06

250113-epekrsxnhj 10

12-01-2025 14:50

250112-r7rdhawqdz 10

Analysis

  • max time kernel
    12s
  • max time network
    14s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    12-01-2025 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lunacy.exe

  • Size

    65.5MB

  • MD5

    a8604ed6963fbd500f7ddbdc2974087f

  • SHA1

    711ee4517ba5057b3f2b77f353bc5baf8907d3ee

  • SHA256

    fad34259cb3d3755be673a6d68b260410886c8a331d521cce755f5c2b901c266

  • SHA512

    33fe9b16210bdc68d4bc98a66886f9792d089ec71c21a707ae53a62bf558e910022f11d82d5bb72801b67bb3d90179e433bd2734942b5458835f71b4e4deeea3

  • SSDEEP

    1572864:mDrVnCeLskhmYGTltzFsz33Us7MCnp70KGnfHlD86dqyVr:0rAeLnpGTlKd7MCnp70BfHq6dNVr

Score
10/10
discordratlummadiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMyNjI3MzE5MjI2MzY4NDE1Nw.GqZTXC.3wU7sojPUYgFVOMUMGVxSZ4fuH7Ie5zAU4zEQE

  • server_id

    1325932201975484416

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lunacy.exe
    "C:\Users\Admin\AppData\Local\Temp\Lunacy.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1136
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\client.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe
    Filesize

    393KB

    MD5

    3c4161be295e9e9d019ce68dae82d60a

    SHA1

    36447fc6418e209dff1bb8a5e576f4d46e3b3296

    SHA256

    0f6481dabf7871823f259eb95f3b85c37d1de8a7d1884ac77a97d887cf96f75d

    SHA512

    cfa2d491a5d28beb8eb908d5af61254ac4c4c88e74c53d5d00ae15ef0731df1654304199996545d1074814c0ea8a032957b28d70774f05347616428e667f70e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\client.exe
    Filesize

    78KB

    MD5

    38d14abf3ed05168a0f464c97eb3a2fc

    SHA1

    b0d53153e6680a7e39d02f6005ca34ef19d8a4f9

    SHA256

    06304fe64d26a1a7591267c6dc509621705e1c246a685f884f0563ab893ff326

    SHA512

    d67f0e0c01c4352c8d2b90b8c3bc434e2be66cac68f22adeee7a08cf2e8d4ac806904068fbd2ff712a7a67146827fc9251862e7da36d8a9977d5323ce6f0510f

    Download Submit

  • memory/1136-105-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1136-113-0x0000000000400000-0x0000000000456000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1136-122-0x0000000000ED0000-0x0000000000F38000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2064-123-0x00007FFAF1803000-0x00007FFAF1805000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2064-124-0x000001ADC8EF0000-0x000001ADC8F08000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2064-125-0x000001ADE3460000-0x000001ADE3622000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2064-126-0x000001ADE3C60000-0x000001ADE4188000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2064-127-0x00007FFAF1803000-0x00007FFAF1805000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4448-104-0x0000000000EEA000-0x0000000000EEB000-memory.dmp

    Filesize

    4KB

    Download