General

  • Target

    2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe

  • Size

    293KB

  • Sample

    250120-cl5xfawqep

  • MD5

    67b572b8fed9bb8e91b26c6bd9fec2a3

  • SHA1

    91dd3124155f24c31ba86c6ccd3a13b4d6f6ddab

  • SHA256

    2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e

  • SHA512

    6f7edc4c8438b5730cc2b118160266423cba857d9ca8ed0bb16bee40fc84f2e8a1f98b028e50ffaa4f8a3bf67c33da9abcd932bdc2d001b665ef030880f61357

  • SSDEEP

    6144:6bs68FnNynbfZoOzbEWGSHVXWC8lCk1SHM70v9:6bs6anNi3bEWGSHdWCvFM70v9

Malware Config

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:18194

soon-logical.gl.at.ply.gg:18194

Mutex

APoxCrOmNOvTLB4L

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    chrome.exe

aes.plain
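The extracted configuration is directly usable for hunting: the Lumma C2 hostnames and the playit.gg tunnel host are network indicators, the mutex identifies a running Xworm instance, and the install path plus the Run key tell you what persistence looks like on disk. The script below is an added example written for this page, not code from the sandbox or from either malware family. The IOC values are the report's own; the DNS lines, Run key entries, mutex list and the profile path used to expand %Userprofile% are constructed assumptions.

```python
"""Hunting helpers built from the Lumma / Xworm configuration above.

Added example, not part of the sandbox report. IOC values come from the
report; all log data below is constructed, and the profile directory used
to expand %Userprofile% is an assumption.
"""
import re
from urllib.parse import urlparse

# Values taken from the extracted configuration.
LUMMA_C2_URLS = [
    "https://pillowbrocccolipe.shop/api",
    "https://communicationgenerwo.shop/api",
    "https://diskretainvigorousiw.shop/api",
    "https://affordcharmcropwo.shop/api",
    "https://dismissalcylinderhostw.shop/api",
    "https://enthusiasimtitleow.shop/api",
    "https://worryfillvolcawoi.shop/api",
    "https://cleartotalfisherwo.shop/api",
]
XWORM_C2 = ["127.0.0.1:18194", "soon-logical.gl.at.ply.gg:18194"]
XWORM_MUTEX = "APoxCrOmNOvTLB4L"
XWORM_INSTALL = r"%Userprofile%\chrome.exe"

# Network IOCs as lower-cased hostnames. The loopback address in the Xworm
# config is dropped: it never appears in resolver or proxy logs, whereas the
# playit.gg tunnel hostname does.
C2_HOSTS = {urlparse(u).hostname.lower() for u in LUMMA_C2_URLS}
C2_HOSTS |= {hp.rsplit(":", 1)[0].lower() for hp in XWORM_C2}
C2_HOSTS.discard("127.0.0.1")


def match_dns_queries(lines):
    """Return (line_number, host) for queries to a known C2 host.

    The constructed line format is 'timestamp client QUERY name'; adapt
    the split for a real resolver log.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "QUERY":
            host = parts[3].rstrip(".").lower()
            if host in C2_HOSTS:
                hits.append((n, host))
    return hits


def _first_token(command):
    """Executable path from a Run key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_entries(run_values, profile=r"C:\Users\victim"):
    """Names of Run key values whose executable is the Xworm install path.

    A chrome.exe sitting directly in the user profile directory is not where
    Google Chrome installs, so an exact match on the expanded path is a
    strong hit. A callable is used as the re.sub replacement so that the
    backslashes in the Windows path are not interpreted as escapes.
    """
    expected = re.sub(r"%userprofile%", lambda _: profile, XWORM_INSTALL,
                      flags=re.I).lower()
    return [name for name, cmd in run_values.items()
            if _first_token(cmd).lower() == expected]


def known_mutexes(mutex_names):
    """Observed mutex names that match the Xworm mutex from the config."""
    return [m for m in mutex_names if m == XWORM_MUTEX]


def hunt(dns_lines, run_values, mutex_names):
    """Run all three checks and return the findings together."""
    return {
        "c2_queries": match_dns_queries(dns_lines),
        "run_keys": suspicious_run_entries(run_values),
        "mutexes": known_mutexes(mutex_names),
    }


# Constructed sample data for the demonstration.
SAMPLE_DNS = [
    "2025-01-20T03:14:07Z 10.0.0.23 QUERY www.microsoft.com.",
    "2025-01-20T03:14:09Z 10.0.0.23 QUERY pillowbrocccolipe.shop.",
    "2025-01-20T03:14:10Z 10.0.0.23 QUERY SOON-LOGICAL.gl.at.ply.gg",
]
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "chrome": r'"C:\Users\victim\chrome.exe"',
    "Updater": r"C:\Users\victim\chrome.exe -silent",
}
SAMPLE_MUTEXES = [r"Local\SM0:1234:64:WilStaging_02", "APoxCrOmNOvTLB4L"]

if __name__ == "__main__":
    for check, result in hunt(SAMPLE_DNS, SAMPLE_RUN, SAMPLE_MUTEXES).items():
        print(check, result)
```

The Run key check deliberately compares the full expanded path rather than just the file name, because a legitimate chrome.exe under Program Files or %LOCALAPPDATA%\Google\Chrome\Application must not fire; the mutex check is only meaningful against a live-process handle listing, since the name is not written to disk.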

Targets

    • Target

      2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe

    • Detect Xworm Payload

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
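The PowerShell signature above is the one behaviour in this list that leaves a clean, high-fidelity log trail: with script block logging enabled, the full text of the Add-MpPreference or Set-MpPreference call is recorded. The detector below is an added example for this page, not code from the sandbox vendor. It goes slightly beyond the signature text by resolving PowerShell's parameter-prefix abbreviation (an attacker can write -ExclusionPa for -ExclusionPath) and by handling quoted and comma-separated values. The script block texts it is run on are constructed.

```python
"""Detect Defender exclusion changes in PowerShell script block text.

Added example, not part of the sandbox report. Input is the script text
that script block logging records; the sample blocks are constructed.
"""
import re

# Add-/Set-MpPreference parameters that create exclusions. PowerShell binds
# any unambiguous prefix of a parameter name, so -ExclusionPa is
# -ExclusionPath, while -ExclusionP is rejected as ambiguous (Path/Process).
EXCLUSION_PARAMS = (
    "exclusionpath",
    "exclusionextension",
    "exclusionprocess",
    "exclusionipaddress",
)

# A cmdlet call and its arguments up to the end of the line or a pipe/semicolon.
CALL_RE = re.compile(r"(?i)\b((?:add|set)-mppreference)\b([^\n;|]*)")
# One -Exclusion* parameter and its value list (quoted or bare, comma-separated).
PARAM_RE = re.compile(
    r"(?i)-(exclusion[a-z]*)\s+"
    r"((?:'[^']*'|\"[^\"]*\"|[^\s,'\"-][^\s,'\"]*)"
    r"(?:\s*,\s*(?:'[^']*'|\"[^\"]*\"|[^\s,'\"-][^\s,'\"]*))*)"
)
VALUE_RE = re.compile(r"'[^']*'|\"[^\"]*\"|[^\s,'\"]+")


def resolve_parameter(prefix):
    """Full exclusion parameter PowerShell would bind 'prefix' to, or None
    when the prefix is ambiguous or is not an exclusion parameter."""
    candidates = [p for p in EXCLUSION_PARAMS if p.startswith(prefix.lower())]
    return candidates[0] if len(candidates) == 1 else None


def find_defender_exclusions(script_blocks):
    """Return one finding per exclusion parameter seen in each script block."""
    findings = []
    for index, text in enumerate(script_blocks):
        for call in CALL_RE.finditer(text):
            cmdlet, args = call.group(1).lower(), call.group(2)
            for param in PARAM_RE.finditer(args):
                name = resolve_parameter(param.group(1))
                values = [v.strip("'\"") for v in VALUE_RE.findall(param.group(2))]
                findings.append({
                    "block": index,
                    "cmdlet": cmdlet,
                    # An ambiguous prefix fails at runtime, but the attempt is
                    # still worth surfacing to an analyst.
                    "parameter": name or "ambiguous:" + param.group(1).lower(),
                    "values": values,
                })
    return findings


# Constructed sample script blocks.
SAMPLE_SCRIPT_BLOCKS = [
    r'Add-MpPreference -ExclusionPath "C:\Users\victim", "C:\Users\victim\AppData\Roaming" -ExclusionExtension exe, dll',
    "Get-MpPreference | Select-Object ExclusionPath",
    r"Set-MpPreference -ExclusionPa 'C:\ProgramData' -Force",
    "Add-MpPreference -ExclusionProcess chrome.exe",
]

if __name__ == "__main__":
    for finding in find_defender_exclusions(SAMPLE_SCRIPT_BLOCKS):
        print(finding)
```

Read-only calls such as Get-MpPreference are ignored on purpose so the rule stays quiet on administrative auditing; pair the findings with the process tree, since a Defender exclusion added by a freshly dropped executable in %Userprofile% is far more suspicious than one added by an enterprise management agent.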

MITRE ATT&CK Enterprise v15

Tasks