Overview

overview

10

Static

static

3

Instll.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2025, 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Instll.exe

  • Size

    956KB

  • MD5

    5d1f29374f9a4d974f228932a5124e0e

  • SHA1

    58a617ffb55a865e1a75e10a18f4f6ade2bd82e8

  • SHA256

    a3758d74b179a3b9451c592c873cb6c452f466424d31a3146490659eb8871340

  • SHA512

    2cdba9d5d5686669ebd92d1304758998d10d57001ad963e08bf63683a2a4cd7cb50dc5e58d585f5a58d5a8203fa0ce9fe3d006be6b90861b4ff8d8917485cfe9

  • SSDEEP

    12288:fwUwBIZ+x5TmTDaF+baUNGZQ64TcoekVLo/Va8apJUOtaPccTrpFjUy/pS47SETy:fwlIExtUXbaVQfcZe1wOScy1VMwShxY

Score
10/10
lummadiscoveryspywarestealer

Malware Config

Extracted

Family

lumma

C2

https://clarmodq.top/qoxo

https://soursopsf.run/gsoiao

https://changeaie.top/geps

https://qeasyupgw.live/eosz

https://liftally.top/xasj

https://wupmodini.digital/gokk

https://bsalaccgfa.top/gsooz

https://zestmodp.top/zeda

https://xcelmodo.run/nahd

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Instll.exe
    "C:\Users\Admin\AppData\Local\Temp\Instll.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:6096
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:4668
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:832

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/832-0-0x0000000000400000-0x0000000000461000-memory.dmp

      Filesize

      388KB

      Download

    • memory/832-2-0x0000000000400000-0x0000000000461000-memory.dmp

      Filesize

      388KB

      Download

    • memory/832-3-0x0000000000400000-0x0000000000461000-memory.dmp

      Filesize

      388KB

      Download

    • memory/832-4-0x0000000000400000-0x0000000000461000-memory.dmp

      Filesize

      388KB

      Download