Extracted

Extracted

• • Target

    cf1e8fbe1883beeb75fdad0c3633808aba2a3774aab804b94da3a8df796b0922

  • Size

    15.9MB

  • MD5

    ca6db5259796a727275dfd1f6f3dc966

  • SHA1

    2fc76eefc50d1da33477e70ada32ec25c62c2daa

  • SHA256

    cf1e8fbe1883beeb75fdad0c3633808aba2a3774aab804b94da3a8df796b0922

  • SHA512

    a066f3c69fe3b0ce496b651c5054816f2ee7ff5f8a7c88db7db9121f3c70ba49912075e5dae99dff51cec94cd37f251b7c4cf3db8714ede261517a670a94745b

  • SSDEEP

    393216:e00j8jEIgX3bBDBkXFG19ve5yDYZeOmSlb444SI4f+ysz8:n0j8jEIgH4qBOmSK47fuI

  Score

  10^/10

  cryptbotlummadefense_evasiondiscoveryspywarestealer

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Cryptbot family

    cryptbot

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Enumerates VirtualBox registry keys

    defense_evasion

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates processes with tasklist

    discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2