General

  • Target

    https://www.youtube.com/redirect?event=backstage_event&redir_token=QUFFLUhqbU1PSWd2UGpJRC1FRzRXcXJvR2Z3enN0WnFmUXxBQ3Jtc0tsbGlCM08yWURTNm1RLTNMVEtzUzhhM3JnQ1REN1VCVTc4d0N4dnlsLVFjNzB1SE84M1YxZFJlcVp4U2M3LWIwLWEtOVJkb2NneGVycUZlb2U5OUZKQXk2ZGVGVkVuN0ZQc0Z0UzNlNzRSd3N4SjRHYw&q=https%3A%2F%2Fsites.google.com%2Fview%2Fdrcheats5

  • Sample

    250314-wtmwdawwcx

Malware Config

Extracted

Family

lumma

C2

https://hingehjan.shop/api

https://featureccus.shop/api

https://mrodularmall.top/api

https://jowinjoinery.icu/api

https://wlegenassedk.top/api

https://htardwarehu.icu/api

https://cjlaspcorne.icu/api

https://.bugildbett.top/api

https://latchclan.shop/api

Extracted

Family

latrodectus

Version

1.4

C2

https://remustarofilac.com/test/

https://horetimodual.com/test/

Attributes

  • group

    Ferrary

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Targets

    • Target

      https://www.youtube.com/redirect?event=backstage_event&redir_token=QUFFLUhqbU1PSWd2UGpJRC1FRzRXcXJvR2Z3enN0WnFmUXxBQ3Jtc0tsbGlCM08yWURTNm1RLTNMVEtzUzhhM3JnQ1REN1VCVTc4d0N4dnlsLVFjNzB1SE84M1YxZFJlcVp4U2M3LWIwLWEtOVJkb2NneGVycUZlb2U5OUZKQXk2ZGVGVkVuN0ZQc0Z0UzNlNzRSd3N4SjRHYw&q=https%3A%2F%2Fsites.google.com%2Fview%2Fdrcheats5

    • Latrodectus family

    • Latrodectus loader

      Latrodectus is a loader written in C++.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Network Share Discovery

      Attempt to gather information on host network.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks