Overview

overview

10

Static

static

9

Release/Xeno.exe

windows7-x64

10

Release/Xeno.exe

windows10-2004-x64

10

Release/au...in.dll

windows7-x64

3

Release/au...in.dll

windows10-2004-x64

3

Release/au...al.dll

windows7-x64

3

Release/au...al.dll

windows10-2004-x64

3

Release/au...ts.dll

windows7-x64

3

Release/au...ts.dll

windows10-2004-x64

3

Release/lo...ng.dll

windows7-x64

1

Release/lo...ng.dll

windows10-2004-x64

1

Release/lo...ng.dll

windows7-x64

1

Release/lo...ng.dll

windows10-2004-x64

1

Release/lo...ng.dll

windows7-x64

1

Release/lo...ng.dll

windows10-2004-x64

1

Release/lo...er.dll

windows7-x64

1

Release/lo...er.dll

windows10-2004-x64

1

Release/lo...-1.dll

windows7-x64

1

Release/lo...-1.dll

windows10-2004-x64

1

Release/ru...er.dll

windows7-x64

1

Release/ru...er.dll

windows10-2004-x64

1

Release/ru...er.dll

windows7-x64

1

Release/ru...er.dll

windows10-2004-x64

1

Release/ru...er.dll

windows7-x64

3

Release/ru...er.dll

windows10-2004-x64

3

Release/sc...Dex.js

windows7-x64

3

Release/sc...Dex.js

windows10-2004-x64

3

Release/sc...eld.js

windows7-x64

3

Release/sc...eld.js

windows10-2004-x64

3

Release/sc...Env.js

windows7-x64

3

Release/sc...Env.js

windows10-2004-x64

3

Release/wo...re.dll

windows7-x64

1

Release/wo...re.dll

windows10-2004-x64

1

Resubmissions

08/03/2025, 15:37

250308-s2xtrsyrz3 10

08/03/2025, 08:36

250308-khk2vstyfx 10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2025, 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Release/Xeno.exe

  • Size

    170.0MB

  • MD5

    1be9acba391286c29ef5e385615affa9

  • SHA1

    86e63d16ecca6f301ca471c7c8868d88d3ca1155

  • SHA256

    12ef7d95da3af71fa220b44d3fba210e11e67ae1a11e2a933a5b361794fb3ddf

  • SHA512

    76d13f211853db7816d949cd80f2fe154c9211cb8d682170c6e555375d0f477b69f246691621bdcfd516a09e72431e77bfb0db92133bc27c3adb434f495c9f58

  • SSDEEP

    49152:pGbdnE2gcDHphKyc5TrdOWZ+4A6rzlLke1uZVq2brb:prqRWdv9kxC2Xb

Score
10/10
lummadiscoveryspywarestealer

Malware Config

Extracted

Family

lumma

C2

https://tonedanswered.today/api

https://begindecafer.world/api

https://garagedrootz.top/api

https://modelshiverd.icu/api

https://arisechairedd.shop/api

https://catterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

https://sterpickced.digital/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe
    "C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c expand Sake.mpeg Sake.mpeg.bat & Sake.mpeg.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\expand.exe
        expand Sake.mpeg Sake.mpeg.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:864
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1888
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2812
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3964
      • C:\Windows\SysWOW64\findstr.exe
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4960
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 627100
        3⤵
        • System Location Discovery: System Language Discovery
        PID:216
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Commissioners.mpeg
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Depth" Baghdad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1664
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 627100\Elite.com + Iv + Pen + Specialized + Entirely + Routine + Prediction + Dance + Helmet + Governor 627100\Elite.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Alleged.mpeg + ..\Violations.mpeg + ..\Better.mpeg + ..\Der.mpeg + ..\Informed.mpeg + ..\Library.mpeg + ..\Sample.mpeg q
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4784
      • C:\Users\Admin\AppData\Local\Temp\627100\Elite.com
        Elite.com q
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4900
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\627100\Elite.com
    Filesize

    121KB

    MD5

    fda4847b06dd5efd664ebb34254c56a1

    SHA1

    a8dfe78a99f846e4965c98d965578702c6d1d636

    SHA256

    ac7be232ccca7c2571a4fca0e7c952e28c1105380da2a3352271183d7078104b

    SHA512

    6b34b03293350d16ac1f65df2114a3c93e161d4dc537ba8522a33cad552fca693a0fde70f3271fd0185e7d8a5986e68a6df5e488c755537ad9bcbc4df4c95829

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\627100\Elite.com
    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\627100\q
    Filesize

    512KB

    MD5

    ac70fbd1211cbdfa66cb6587bc4ecc55

    SHA1

    a2c00dacb75b4dcd52046297b7e73a154c0e1288

    SHA256

    c32a5069e5c067dfdd701c57b8a7639f2f2da094f28eb0fba4e7d7fd400ddd3f

    SHA512

    de14c2ec4db7d0028cd1de205bc402a627628b6cc702cb2333f3541bc49dac433f4225fa8142a0a497787853be60c9c7c17e5b94e029c59124ce90bc7ad059be

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Alleged.mpeg
    Filesize

    75KB

    MD5

    1829cf2cda1b1e4c1af4aa48a5ac4ab1

    SHA1

    b227182ee9cc580b77483d4c4587fecb7039f077

    SHA256

    94238b145e9343b60cbc9f694f30ac007c7abb44514d78c4abb71e0dee2d0657

    SHA512

    f4cae01dbeb67da1d3a8f424efeb116e99f3cabdf8a167e0a80fe6645072af26e0e927e91de72b4b85bdb271f7dc0f836b01e75c9291042d78d46a2af9eda852

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Baghdad
    Filesize

    1KB

    MD5

    af8375cb7a9727382d08ebbd612b79a0

    SHA1

    63263ef10d46b3f15bf94242b97cbe6af652a63e

    SHA256

    14f0770a5e9f63db995798aaf30a9828a1da9b87f3f8e9dfabca4ca2a77af68f

    SHA512

    d227afbb7cbaaa286703045cf44bf48ce67c4fe7ac6d73f5dc40376e7d20c29f8449ae018334062cf720a90a0337bb3b2da678efef7624ca810d2828419f7337

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Better.mpeg
    Filesize

    78KB

    MD5

    146d4cc09fd20005b2899f6b44f68bbf

    SHA1

    368eed4a19670ac9444015ff2194ee2e0b0b859c

    SHA256

    d17e6317079a94e74f6fe31d3772d398144f2924bc18e7abe6569c3096e4511e

    SHA512

    700cd119b2cb576351fec997aaaca627a05ee15e74440669e27ec3b2158946c3fb6286f3c3a4ed9a39bd6a7764f0b25ed55a3b9a473c8a240c7755f7ae933e52

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Commissioners.mpeg
    Filesize

    477KB

    MD5

    4ccd46acee34c369ec34a8c621e19f17

    SHA1

    2b0b10f3766d37f624810f29c6612e5790408608

    SHA256

    24b1b6cecd27d0289eff8b7683d527115c48c8e2bf63f88d59e8d9d4159ff489

    SHA512

    2d1da02fafaff11880e1a738896036f1e7a2aaeabe94f5fc95bc3ccd6393863e9800583949a7e9f26047c5b24a9cb67348db32c2806c025a205e3675437865bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Dance
    Filesize

    89KB

    MD5

    b6e206f75cfb297db4e5b66b21f2b23a

    SHA1

    fb8d49c71e7cde19ecbf298c23330b1c058e874f

    SHA256

    86d9324f288c5c2a6547d065b4e0a93eb2bc62d7f8a33741ef17e77ff0a50c59

    SHA512

    40614328fd7ba50fdc123039b25df20e71e3e12c7d867e4697f2d51a684b4611f0990485013edc6e490f0ad8dbb4ed8b4692c01173d4beefa076a56720dcfb8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Der.mpeg
    Filesize

    87KB

    MD5

    784bb120449ddcc0877119dd9adb58ad

    SHA1

    1069a0220aaa122c41727647a02d5f9beeb15b75

    SHA256

    55a857e4a2a37c21ae1702597126219fe073f22cdf80be35ab16569390be2920

    SHA512

    3a40a37e8805d07af385510bb605408cee53a50125c153595f21da5ca650a41d288f50fc6fcd7c390053e461184fff27497083139c9b50931d04c6151c09dc43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Entirely
    Filesize

    82KB

    MD5

    341c79d83d7ac8c8b4c34c1906a5e77d

    SHA1

    e88e60eb44945bef37e177bbba4f7b26e2a55a9c

    SHA256

    047a19ad0bf30a97576eaf443862c64630edb10b6b6f6f7222d0931fa5b89b37

    SHA512

    00820d2fd05f2333169754b5f411e51c774bdb3a581ecf3b7f4e6d3b4c50bfb35154fe30685ccc1521cda24a2f8b7f61da82f06def68b6c7671dd17f971e7757

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Governor
    Filesize

    62KB

    MD5

    e4431d379c5423df0e30aa6de7371da9

    SHA1

    1378fc682ee7d1cbe1a5d4f7cf8d2f08c53092fe

    SHA256

    de69cd1f6001d0f35a920ef3dee39569f9a2fd2747391b31285cdd78d1ed1823

    SHA512

    f1226e20c6a0e49da4affbba6e0426846d5b91bea8a92a4515617da45e314ff3feeb4da1f660193ae1a2d4b81104a069b4fc6470cde3df024a627647e37cafd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Helmet
    Filesize

    107KB

    MD5

    e8bf5faafb1291519c0f81849ef4e446

    SHA1

    0c5b4aba22fdeb4b2be21aa7aaa5d69113cb0bba

    SHA256

    63e18608ff015b2c0d203c0c54576f0e6ca60493d7b284eb5bfbb262cf0beebe

    SHA512

    0336851a0f01e33a1e771083bae01fdc865327c9963d22a3f8d1a94b281d2fec8c7731099f0a2241053e3017591f8bdcc71a94c866905f9e34b3624fbc635439

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Informed.mpeg
    Filesize

    91KB

    MD5

    366eaa00de650c7e0c51dfbd64689f05

    SHA1

    cc682a87230b291a82cb23c1b5e754b69e45b5f8

    SHA256

    a92e044fcd9cc433d5f8aac78afd72da4ed31877b25d259dc1d259452ffe7bbc

    SHA512

    8df6672481c775d39a6f7c957086a304f3ccfa2790dd551848c08c36969491265ed6be0d32e28b8c64013cb3433d0049e3f237185bb3bc045cc2acd226c66fbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Iv
    Filesize

    120KB

    MD5

    c4ef7dd056d4c31db48d9da03b732648

    SHA1

    79893fafe734ccf66d792eaa8047a6c5326a865c

    SHA256

    36d402a58d390d2c14ca9566a6c319ffd090d1e8be5826af0bc148b4d8d02258

    SHA512

    d643ac5b9dcf36a7982a37284a6d34db92682e8777301d3c54c7cd61496c1c8dea25342a17e4a06d957796f871813688aa2441a8f4a056beb4780994b7d9a535

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Library.mpeg
    Filesize

    86KB

    MD5

    d74575fc1a31a85be78cdb8596f7cd61

    SHA1

    0074b4239aee3187df21d114ceb4adc4a0e6673c

    SHA256

    9ead7ce6cfc377bf27a9482964853b22983c779d4cf57551760544e0f308a9d2

    SHA512

    e7f1a28f6bb068a196f9eb8dd5833ca1525002762f216d509a22bd61a2d83cbd0c0dc4738ccc024b8d083ad1bfac83c9b69285ad6f7a7a1aaabe3b98b9782482

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Pen
    Filesize

    139KB

    MD5

    c258a480db7eda77ee0bbbc2b956969e

    SHA1

    d180ac78dd378d3126429395ffe88ee31a9748c6

    SHA256

    74c7abaa72a3eedda6300898ecfa5c0c32f7bb508cdd76b85bcc5eeedccd9654

    SHA512

    fc61ce88b99eafd251c294c902059dcef9b9b09b4c885e913476f15375d82c254f8a3338a717b2f6f660fc43aa82ed5c1f99735c2cc5c2fe745b5053a86c44b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Prediction
    Filesize

    83KB

    MD5

    3ee499c6fc8280bc7dfb743b515a41e2

    SHA1

    30664e477f83ebd3c24c7a4a01d140b41fa0403b

    SHA256

    e0017a2f94babee8b16740aced58e1ebac872ff91ff070050d296f351576c842

    SHA512

    eaaa727784c9a7320bca74f54cdc5e7fd4b0eb89800cd1cde834297235ab19bcb093087d1468ca37ad537520b8bb4072ec8455d59440fc92b3bdf4ceb1eb7b35

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Routine
    Filesize

    108KB

    MD5

    3b15f324fc1046867c865b9209e65a5c

    SHA1

    0180edf599c00510b751fc22d8cb5b7ce0f94f2d

    SHA256

    d2ea01651c7bb6b2de7ff81f9e422b653abc6fc94f3781045c15e52b9c106f3d

    SHA512

    e929250f43ba562ddad0a659bd3ca2e95d8ed63b65d3427a40ff6167c3d2e0f0733d59ac3e028e0037bca8f327e6526c08d528643af682752c2cbebe19f24d5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Sample.mpeg
    Filesize

    10KB

    MD5

    2f60b0321e3a1e982337177b59d829ad

    SHA1

    a97d3ae408706c19b10af6046e0cf9bc2689f9cc

    SHA256

    045b6d6be2902d33ff4a4588a01384836118a911938bf1250762163f955edcfd

    SHA512

    c5ab31747a44f066f4820ef7c823d8791a80a74e08eb4f5251e370d3cc34fc1a22965b45758455fabd923f9ca6bf5bef8668245d1c93fc8193f4993d5018377f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Specialized
    Filesize

    133KB

    MD5

    c422cff1e466a6a0802b42a24d3385a5

    SHA1

    d4e4f6625ea49fdbbe5679f9e55345a0f8cd750b

    SHA256

    2a14eb03567ce41700be5156be106278f506ae3ae61254f91d5645bc84401c84

    SHA512

    5ab937cad5ddcc1b86aa3e00d083448e39ea175977c93b5012fa50f0eb53b4d5d976772e9e0ab26e4438730c0fb531b406126c3d8971196bb789d35cbda383d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Violations.mpeg
    Filesize

    85KB

    MD5

    eacb8e5f0bd07603ffac9b2284569108

    SHA1

    7fa7d2343313d316156f7487be934b14f45e2080

    SHA256

    4270eb130079192243c0f03f648c9546bf7651be3392dc3b80e38c8b301a1345

    SHA512

    12ae6b5d7eba50ceffe16d60824eb138042ca873183e10286c44d606069ae289316def4e7dfce186d3e4dabdce96bd6aaddd80b95c188c3720bf85690a6fd7cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sake.mpeg
    Filesize

    12KB

    MD5

    ef0c24bdeaedf9ce76b94ba897d61b96

    SHA1

    c8b81be9dc66e312c7551e5c46f42636fbf29b72

    SHA256

    f58a162b05c52b98dba4a1ce9bb878e3c7f9950418c459790959b38faa11ea2d

    SHA512

    a4bcfac5c8db83a81da9390151e1e714534b6b9351a7cedfee2f2114f63f001badf65cb48e41f75553f85dfb88a472f2f728612b2d18d2912cec6c2d52051699

    Download Submit

  • memory/4900-69-0x0000000004970000-0x00000000049D4000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4900-68-0x0000000004970000-0x00000000049D4000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4900-71-0x0000000004970000-0x00000000049D4000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4900-70-0x0000000004970000-0x00000000049D4000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4900-72-0x0000000004970000-0x00000000049D4000-memory.dmp

    Filesize

    400KB

    Download