Analysis

  • max time kernel: 96s
  • max time network: 122s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/01/2025, 20:34 UTC

General

  • Target

    random.exe

  • Size

    1.8MB

  • MD5

    10f6e997bed045a8c840b09bc411b19f

  • SHA1

    caf53afb90487800622d2bf05809921c6f565302

  • SHA256

    32b01a63cca8f2d7c6828280387e0c7e1a2c909a8e09b0d5f65e32d066e7ba7e

  • SHA512

    b50c19cf41e9c75feb21fd33eb5f9d7ac1f3756d200d433d31ffb3c6257a79afa8c66d4917c5379b6d352cc0c2cd6c5530a09b4b6d850f12234ccce03b963516

  • SSDEEP

    49152:3f803pPTEzyLob2TBQYIKdMTfvgG+zkg:3f80ZLtLbT0skv+zk

Malware Config

Extracted

  • Family: lumma
  • C2:
    https://cloudewahsj.shop/api
    https://rabidcowse.shop/api
    https://noisycuttej.shop/api
    https://tirepublicerj.shop/api
    https://framekgirus.shop/api
    https://wholersorie.shop/api
    https://abruptyopsn.shop/api
    https://nearycrepso.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma (also known as LummaC) is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\random.exe (PID 2124)
    Command line: "C:\Users\Admin\AppData\Local\Temp\random.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses

Network

  • DNS 241.150.49.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 241.150.49.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS tawdrydadysz.icu, process random.exe (remote address 8.8.8.8:53)
    Request: tawdrydadysz.icu IN A
    Response: (none)
  • DNS nearycrepso.shop, process random.exe (remote address 8.8.8.8:53)
    Request: nearycrepso.shop IN A
    Response: (none)
  • DNS abruptyopsn.shop, process random.exe (remote address 8.8.8.8:53)
    Request: abruptyopsn.shop IN A
    Response: (none)
  • DNS abruptyopsn.shop, process random.exe (remote address 8.8.8.8:53)
    Request: abruptyopsn.shop IN A
    Response: (none)
  • DNS wholersorie.shop, process random.exe (remote address 8.8.8.8:53)
    Request: wholersorie.shop IN A
    Response: (none)
  • DNS framekgirus.shop, process random.exe (remote address 8.8.8.8:53)
    Request: framekgirus.shop IN A
    Response: (none)
  • DNS tirepublicerj.shop, process random.exe (remote address 8.8.8.8:53)
    Request: tirepublicerj.shop IN A
    Response: (none)
  • DNS noisycuttej.shop, process random.exe (remote address 8.8.8.8:53)
    Request: noisycuttej.shop IN A
    Response: (none)
  • DNS rabidcowse.shop, process random.exe (remote address 8.8.8.8:53)
    Request: rabidcowse.shop IN A
    Response: (none)
  • DNS cloudewahsj.shop, process random.exe (remote address 8.8.8.8:53)
    Request: cloudewahsj.shop IN A
    Response: (none)
  • DNS steamcommunity.com, process random.exe (remote address 8.8.8.8:53)
    Request: steamcommunity.com IN A
    Response: steamcommunity.com IN A 23.57.170.97
  • GET https://steamcommunity.com/profiles/76561199724331900, process random.exe (remote address 23.57.170.97:443)
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Tue, 21 Jan 2025 20:34:13 GMT
    Content-Length: 35598
    Connection: keep-alive
    Set-Cookie: sessionid=2b3cced29ad8fd30a7265533; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • DNS 159.96.196.23.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 159.96.196.23.in-addr.arpa IN PTR
    Response: 159.96.196.23.in-addr.arpa IN PTR a23-196-96-159.deploy.static.akamaitechnologies.com
  • DNS 22.160.190.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 22.160.190.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS yuriy-gagarin.com, process random.exe (remote address 8.8.8.8:53)
    Request: yuriy-gagarin.com IN A
    Response: yuriy-gagarin.com IN A 104.21.82.94
    Response: yuriy-gagarin.com IN A 172.67.199.224
  • POST https://yuriy-gagarin.com/api, process random.exe (remote address 104.21.82.94:443)
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: yuriy-gagarin.com
    Response
    HTTP/1.1 200 OK
    Date: Tue, 21 Jan 2025 20:34:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=h42joe1h0k2o72tp6jjdoqhqr1; expires=Sat, 17 May 2025 14:20:52 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dD%2FHx4iazrP2jhN9zYWG7EM0EQaW4zkyO3CpsqO4kKY84pJHY7ZqsjEplRFGumCbcYg890gopszNURfsDfWvTFRVwFkrtUNBE9nM0zl%2BP0sTgtyPWmHCU%2BSZw%2Fa68%2FnKlBXXBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905a15729e9d418f-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27187&min_rtt=26270&rtt_var=7012&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3302&recv_bytes=607&delivery_rate=133318&cwnd=243&unsent_bytes=0&cid=30fc4edd32503a6b&ts=233&x=0"
  • DNS 94.82.21.104.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 94.82.21.104.in-addr.arpa IN PTR
    Response: (none)
  • DNS 97.170.57.23.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 97.170.57.23.in-addr.arpa IN PTR
    Response: 97.170.57.23.in-addr.arpa IN PTR a23-57-170-97.deploy.static.akamaitechnologies.com
  • DNS 53.210.109.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 53.210.109.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS 28.118.140.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 28.118.140.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 209.205.72.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 209.205.72.20.in-addr.arpa IN PTR
    Response: (none)
  • DNS 180.129.81.91.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 180.129.81.91.in-addr.arpa IN PTR
    Response: (none)
  • DNS 134.130.81.91.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 134.130.81.91.in-addr.arpa IN PTR
    Response: (none)
  • DNS 13.227.111.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 13.227.111.52.in-addr.arpa IN PTR
    Response: (none)
Connections (remote address | name or URL | protocol | process, where attributed | bytes sent / received | packets sent / received):

  • 23.57.170.97:443 | https://steamcommunity.com/profiles/76561199724331900 | tls, http | random.exe | 1.5kB / 43.2kB | 21 / 36
    HTTP Request: GET https://steamcommunity.com/profiles/76561199724331900
    HTTP Response: 200
  • 104.21.82.94:443 | https://yuriy-gagarin.com/api | tls, http | random.exe | 1.0kB / 4.9kB | 9 / 9
    HTTP Request: POST https://yuriy-gagarin.com/api
    HTTP Response: 200
  • 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 241.150.49.20.in-addr.arpa
  • 8.8.8.8:53 | tawdrydadysz.icu | dns | random.exe | 62 B / 62 B | 1 / 1
    DNS Request: tawdrydadysz.icu
  • 8.8.8.8:53 | nearycrepso.shop | dns | random.exe | 62 B / 119 B | 1 / 1
    DNS Request: nearycrepso.shop
  • 8.8.8.8:53 | abruptyopsn.shop | dns | random.exe | 124 B / 238 B | 2 / 2
    DNS Request: abruptyopsn.shop
    DNS Request: abruptyopsn.shop
  • 8.8.8.8:53 | wholersorie.shop | dns | random.exe | 62 B / 119 B | 1 / 1
    DNS Request: wholersorie.shop
  • 8.8.8.8:53 | framekgirus.shop | dns | random.exe | 62 B / 119 B | 1 / 1
    DNS Request: framekgirus.shop
  • 8.8.8.8:53 | tirepublicerj.shop | dns | random.exe | 64 B / 121 B | 1 / 1
    DNS Request: tirepublicerj.shop
  • 8.8.8.8:53 | noisycuttej.shop | dns | random.exe | 62 B / 119 B | 1 / 1
    DNS Request: noisycuttej.shop
  • 8.8.8.8:53 | rabidcowse.shop | dns | random.exe | 61 B / 118 B | 1 / 1
    DNS Request: rabidcowse.shop
  • 8.8.8.8:53 | cloudewahsj.shop | dns | random.exe | 62 B / 119 B | 1 / 1
    DNS Request: cloudewahsj.shop
  • 8.8.8.8:53 | steamcommunity.com | dns | random.exe | 64 B / 80 B | 1 / 1
    DNS Request: steamcommunity.com
    DNS Response: 23.57.170.97
  • 8.8.8.8:53 | 159.96.196.23.in-addr.arpa | dns | 72 B / 137 B | 1 / 1
    DNS Request: 159.96.196.23.in-addr.arpa
  • 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 22.160.190.20.in-addr.arpa
  • 8.8.8.8:53 | yuriy-gagarin.com | dns | random.exe | 63 B / 95 B | 1 / 1
    DNS Request: yuriy-gagarin.com
    DNS Response: 104.21.82.94, 172.67.199.224
  • 8.8.8.8:53 | 94.82.21.104.in-addr.arpa | dns | 71 B / 133 B | 1 / 1
    DNS Request: 94.82.21.104.in-addr.arpa
  • 8.8.8.8:53 | 97.170.57.23.in-addr.arpa | dns | 71 B / 135 B | 1 / 1
    DNS Request: 97.170.57.23.in-addr.arpa
  • 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 53.210.109.20.in-addr.arpa
  • 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 28.118.140.52.in-addr.arpa
  • 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 209.205.72.20.in-addr.arpa
  • 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | dns | 72 B / 147 B | 1 / 1
    DNS Request: 180.129.81.91.in-addr.arpa
  • 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | dns | 72 B / 147 B | 1 / 1
    DNS Request: 134.130.81.91.in-addr.arpa
  • 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | dns | 72 B / 158 B | 1 / 1
    DNS Request: 13.227.111.52.in-addr.arpa


MITRE ATT&CK Enterprise v15

Downloads

  • memory/2124-0-0x0000000000DE0000-0x000000000126B000-memory.dmp (Filesize 4.5MB)
  • memory/2124-1-0x0000000077574000-0x0000000077576000-memory.dmp (Filesize 8KB)
  • memory/2124-2-0x0000000000DE1000-0x0000000000E0A000-memory.dmp (Filesize 164KB)
  • memory/2124-3-0x0000000000DE0000-0x000000000126B000-memory.dmp (Filesize 4.5MB)
  • memory/2124-4-0x0000000000DE0000-0x000000000126B000-memory.dmp (Filesize 4.5MB)
  • memory/2124-5-0x0000000000DE0000-0x000000000126B000-memory.dmp (Filesize 4.5MB)
