Overview

overview

10

Static

static

3

87d1e92e5f...38.exe

windows7-x64

8

87d1e92e5f...38.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    87d1e92e5fd151e6d1fe577ac1a29a209ef249cf4072590c884cda381cef3238.exe

  • Size

    15KB

  • Sample

    250117-kfm4fayndy

  • MD5

    42883419315d3cfefe00e016f7b90ec3

  • SHA1

    3f5907a938d5fec88e2255f991a8bb51319277e7

  • SHA256

    87d1e92e5fd151e6d1fe577ac1a29a209ef249cf4072590c884cda381cef3238

  • SHA512

    2d1d8defd6302e1efca80cbca5cdc92ec0b8b574324adf87ecd36e8ae2fbbcb5db0c2b69b59c082cca917e5bd3deaf0f2d2b1ffd9a1a48df9626ad50ba2e5537

  • SSDEEP

    384:B23iPe9ydCzrtx2M9XyXhCqYCln6ve55VXQ:BzgyM9eWve559Q

Score
10/10
lummadiscoveryexecutionstealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Targets

    • Target

      87d1e92e5fd151e6d1fe577ac1a29a209ef249cf4072590c884cda381cef3238.exe

    • Size

      15KB

    • MD5

      42883419315d3cfefe00e016f7b90ec3

    • SHA1

      3f5907a938d5fec88e2255f991a8bb51319277e7

    • SHA256

      87d1e92e5fd151e6d1fe577ac1a29a209ef249cf4072590c884cda381cef3238

    • SHA512

      2d1d8defd6302e1efca80cbca5cdc92ec0b8b574324adf87ecd36e8ae2fbbcb5db0c2b69b59c082cca917e5bd3deaf0f2d2b1ffd9a1a48df9626ad50ba2e5537

    • SSDEEP

      384:B23iPe9ydCzrtx2M9XyXhCqYCln6ve55VXQ:BzgyM9eWve559Q

    Score
    10/10
    discoveryexecutionlummastealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks