cryptbot | 7f186c311fc66ceb1f59beba9e6f9bb07a00fba7994d85c760848753adf1129d

General

Target

lionda.exe
Size

7.2MB
MD5

9a66454e4c0feb4cd1bebc8871aa850e
SHA1

cc7975b8807f3d72067dc8452a3098a0f6097f25
SHA256

7f186c311fc66ceb1f59beba9e6f9bb07a00fba7994d85c760848753adf1129d
SHA512

b90c7b5e77d0a465fa6872904d9ed752adfeae1671329c4414c61a5182643d9b9cf2add6c9f3d014ab24583eef441c7ff3c7acd6419855b9eacc85b3d7b0c932
SSDEEP

98304:0kN4q49j3XvABCrK0/cjTSsbLwnzrROD18uB0H8oy5OW:67zyCpcTSTROBHB0c/A

Score

10^/10

cryptbot lumma defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://berserkyfir.click/api

Extracted

Family

cryptbot

C2

http://home.fourteenff14pn.top/BVpYRBXNVJewGOxay73803

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	start-this-467.exe

Executes dropped EXE 2 IoCs

pid	Process
1180	LummaC2.exe
1904	start-this-467.exe

Loads dropped DLL 7 IoCs

pid	Process
1684	lionda.exe
1684	lionda.exe
1684	lionda.exe
1684	lionda.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000800000001932a-17.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2380	1904	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lionda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start-this-467.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1904	start-this-467.exe
1904	start-this-467.exe
1904	start-this-467.exe
1904	start-this-467.exe
1904	start-this-467.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1180	1684	lionda.exe	30
PID 1684 wrote to memory of 1180	1684	lionda.exe	30
PID 1684 wrote to memory of 1180	1684	lionda.exe	30
PID 1684 wrote to memory of 1180	1684	lionda.exe	30
PID 1684 wrote to memory of 1904	1684	lionda.exe	31
PID 1684 wrote to memory of 1904	1684	lionda.exe	31
PID 1684 wrote to memory of 1904	1684	lionda.exe	31
PID 1684 wrote to memory of 1904	1684	lionda.exe	31
PID 1904 wrote to memory of 2380	1904	start-this-467.exe	33
PID 1904 wrote to memory of 2380	1904	start-this-467.exe	33
PID 1904 wrote to memory of 2380	1904	start-this-467.exe	33
PID 1904 wrote to memory of 2380	1904	start-this-467.exe	33

C:\Users\Admin\AppData\Local\Temp\lionda.exe
"C:\Users\Admin\AppData\Local\Temp\lionda.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\LummaC2.exe
  "C:\Users\Admin\AppData\Local\Temp\LummaC2.exe"
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\start-this-467.exe
  "C:\Users\Admin\AppData\Local\Temp\start-this-467.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 464
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\start-this-467.exe

Filesize
6.9MB

MD5
973951ef7134a54ee9031e4f9c1c04d3

SHA1
def129184ad6ad341f9cf08582db3ee664c6a2e0

SHA256
112ba934300da8274f790013312034d142d090cc663d1c62073deba180b1e922

SHA512
190d1fb6926b0a6410ce70fc20422d5487407d2137dd50ecec0585d8f062134255ca110377db4abdee0f1e5038f61dddca162628466782642d047554eebb21a4

Download Submit
\Users\Admin\AppData\Local\Temp\LummaC2.exe

Filesize
320KB

MD5
8da89b163d506be4a73b987517a1b9e4

SHA1
2e110cf5160c511fa3d5843e890b8e9316754f34

SHA256
ea56e7f640355598346fa0b356699298314e25d809f3aa7cfce1804a3d1964e5

SHA512
a85969bcda0b31caf0cec79f45bec068a498c7ac190fe17d7b7c03f88f5c91f5f6221fcc4fcb46604695d5b95e9047dfc1d2cf31207540c23e929fcca08d14f5

Download Submit
memory/1684-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/1684-1-0x0000000001190000-0x00000000018D4000-memory.dmp

Filesize
7.3MB

Download
memory/1904-20-0x0000000000BC0000-0x00000000012B4000-memory.dmp

Filesize
7.0MB

Download
memory/1904-23-0x0000000000BC0000-0x00000000012B4000-memory.dmp

Filesize
7.0MB

Download
memory/1904-30-0x0000000000BC0000-0x00000000012B4000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads