General

  • Target

    πŸŒΌπ’©π‘’π“Œβœ³π‚π“Έπ’Ήπ‘’βœ¨πΞ±Ο„Β’Π½-π“˜nst𝒢[email protected]

  • Size

    19.0MB

  • Sample

    250301-p4v66ssjz2

  • MD5

    b1e5ad03c9ae112c0a28c9e8797637b8

  • SHA1

    d0529c665b57cd9f9ded1c4ba0a984b1adf18f6e

  • SHA256

    472c8528cf703590758b4d7297e6042b7aea91b81c3e097472444282584520f5

  • SHA512

    66ea1a4ad2d0c3a596a72c576aae6e54306148cab8b1531d37900d846a35d98392545226bce1fe354d2151a642f828e70fc442cb458d1570db13f385c3c738f5

  • SSDEEP

    393216:BhqKk8zd1T+mnYpZWHY8F0oawc3A0vVh1QG4vmjmqPqD9eDB:B8LAVnYOxyoawcQAT4OqO

Malware Config

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api
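The C2 list above is the part of this report a responder would turn into a hunting query. The following is an added example, not part of the sandbox report or of any vendor tooling: it takes the eight C2 URLs and the two SHA256 values from this page, scans constructed proxy log lines (the log layout and the sample lines are assumptions made for the example, not real traffic) for requests to those hosts or their subdomains, and labels a file whose SHA256 matches one of the report's hashes. Lumma rotates its C2 domains per build, so the hosts in this config are specific to this sample and go stale; the hash lookup likewise only identifies these exact files.

```python
"""Turn the IOCs from this Lumma report into a hunting check (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# C2 URLs copied verbatim from the extracted config above.
LUMMA_C2 = [
    "https://impend-differ.biz/api",
    "https://print-vexer.biz/api",
    "https://dare-curbys.biz/api",
    "https://covery-mover.biz/api",
    "https://formy-spill.biz/api",
    "https://dwell-exclaim.biz/api",
    "https://zinc-sneark.biz/api",
    "https://se-blurry.biz/api",
]

# SHA256 values copied from the report: the submitted archive and the dropped Setup.exe.
KNOWN_SHA256 = {
    "472c8528cf703590758b4d7297e6042b7aea91b81c3e097472444282584520f5": "submitted archive",
    "e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac": "Setup.exe (dropped)",
}


def c2_hosts(urls=LUMMA_C2):
    """Apex hostnames of the C2 URLs, lower-cased, for matching against logs."""
    return {urlparse(u).hostname.lower() for u in urls}


def matched_c2_host(host, hosts=None):
    """Return the C2 host that `host` equals or is a subdomain of, else None."""
    hosts = c2_hosts() if hosts is None else hosts
    host = host.lower().rstrip(".")
    for h in hosts:
        if host == h or host.endswith("." + h):
            return h
    return None


# Assumed proxy log layout for this example: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, hosts=None):
    """Return (timestamp, client, matched C2 host, url) for every request to a C2 host.

    Malformed lines are skipped rather than raising, so a partial log can still be scanned.
    """
    hosts = c2_hosts() if hosts is None else hosts
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlparse(m["url"]).hostname
        if not host:
            continue
        apex = matched_c2_host(host, hosts)
        if apex:
            hits.append((m["ts"], m["src"], apex, m["url"]))
    return hits


def classify_file(data):
    """SHA256 a file's bytes and label it if the digest is one listed in the report."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, KNOWN_SHA256.get(digest)


# Constructed sample log lines (not real traffic): one apex hit, one subdomain hit,
# one look-alike domain that must not match, and one malformed line.
SAMPLE_LOG = [
    "2025-03-01T12:00:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2025-03-01T12:00:07Z 10.0.0.5 POST https://impend-differ.biz/api 200",
    "2025-03-01T12:00:09Z 10.0.0.5 POST https://cdn.se-blurry.biz/api 200",
    "2025-03-01T12:00:11Z 10.0.0.7 GET https://differ.biz/api 404",
    "this line is not a proxy record",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("C2 contact:", *hit)
    digest, label = classify_file(b"placeholder bytes, not the real sample")
    print(digest, label or "not a hash from this report")
```

The subdomain rule (`cdn.se-blurry.biz` matches `se-blurry.biz`, `differ.biz` does not) is the usual compromise between catching hosts the config does not list verbatim and not alerting on unrelated look-alikes; tighten it to exact matches if the log source already resolves to apex domains.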

Targets

    • Target

      πŸŒΌπ’©π‘’π“Œβœ³π‚π“Έπ’Ήπ‘’βœ¨πΞ±Ο„Β’Π½-π“˜nst𝒢ll@9192/Setup.exe

    • Size

      168KB

    • MD5

      aef6452711538d9021f929a2a5f633cf

    • SHA1

      205b7fab75e77d1ff123991489462d39128e03f6

    • SHA256

      e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

    • SHA512

      7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

    • SSDEEP

      3072:+CNUaViEqjY1uimO3soWBgZNENeo0TzSCOtCUon/BA2gGaA44:dwEq7HO8ohEsxHSC+CUO/Bxk4

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks