General

  • Target

    ETool.zip

  • Size

    1.6MB

  • Sample

    250410-wapwmayvft

  • MD5

    43f8cc5a00d8872c42946d2a4ae4e4c4

  • SHA1

    6491e9caa3de159d226229224ed06961477485c8

  • SHA256

    c31fcf4ae345721271c1d64da659787b620ae9da29d9f80cf175a4bcafcc060d

  • SHA512

    86b2b36b47e8e5d96f9346d8b34b2c997f60536a29e4c95519059c0232fbb5fb10d0a2bc781f5892de7f0fa3b2fdb3cb4fb7b85fc1df2a16ded2bbafa24360b1

  • SSDEEP

    49152:dYHNCRQhD4P0orIEGeStYtjeTWf+38f8S:dYtgU/KIlifIG8S

Malware Config

Extracted

  • Family

    lumma

  • C2

    https://infuzoriatufelka.com/api
    https://soursopsf.run/gsoiao
    https://changeaie.top/geps
    https://easyupgw.live/eosz
    https://liftally.top/xasj
    https://upmodini.digital/gokk
    https://salaccgfa.top/gsooz
    https://zestmodp.top/zeda
    https://xcelmodo.run/nahd
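As an added example (not part of this sandbox report), the Python script below turns the extracted C2 URLs and the SHA256 values of the archive and the dropped EXE into a small hunting routine and runs it over a handful of constructed proxy, DNS and EDR log lines. The IOC values are copied from the report; the log lines, their key=value field names (query=, url=, sha256=) and the timestamps are assumptions made for the demo.

```python
"""Hunt for this report's Lumma IOCs in proxy, DNS and EDR log lines.

Added example, not part of the sandbox report. The C2 URLs and the two
SHA256 values are copied from the report; the log lines, field names
(query=, url=, sha256=) and timestamps are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# C2 URLs from the extracted Lumma config above.
C2_URLS = [
    "https://infuzoriatufelka.com/api",
    "https://soursopsf.run/gsoiao",
    "https://changeaie.top/geps",
    "https://easyupgw.live/eosz",
    "https://liftally.top/xasj",
    "https://upmodini.digital/gokk",
    "https://salaccgfa.top/gsooz",
    "https://zestmodp.top/zeda",
    "https://xcelmodo.run/nahd",
]

# SHA256 of the archive and the dropped EXE, from the report.
SHA256_IOCS = {
    "c31fcf4ae345721271c1d64da659787b620ae9da29d9f80cf175a4bcafcc060d": "ETool.zip",
    "2327e82bad470c955053d011b1b23481b16ace2a30ac1ec655d5ac457213d0cf": "ETool.exe",
}

# Constructed sample log lines (key=value style); not real telemetry.
SAMPLE_LOGS = [
    "2025-04-10T12:00:50Z src=edr event=FileCreate host=WS15 "
    r"path=C:\Users\a\Downloads\ETool.exe "
    "sha256=2327e82bad470c955053d011b1b23481b16ace2a30ac1ec655d5ac457213d0cf",
    "2025-04-10T12:01:03Z src=dns client=10.0.0.15 query=soursopsf.run type=A",
    "2025-04-10T12:01:04Z src=proxy client=10.0.0.15 method=POST "
    "url=https://soursopsf.run/gsoiao status=200",
    "2025-04-10T12:02:00Z src=proxy client=10.0.0.22 method=GET "
    "url=https://example.com/ status=200",
    "2025-04-10T12:02:05Z src=dns client=10.0.0.30 query=notsoursopsf.run type=A",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def c2_hosts(urls=C2_URLS):
    """Lower-cased hostnames of the C2 URLs, used for domain matching."""
    return {urlsplit(u).hostname.lower() for u in urls}


def host_matches(host, hosts):
    """True if host equals an IOC domain or is a subdomain of one.

    An exact-or-suffix test is used instead of a substring search so that
    lookalikes such as notsoursopsf.run do not match soursopsf.run.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


def parse_kv(line):
    """Split a key=value log line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(lines, hosts=None, hashes=SHA256_IOCS):
    """Return (line_no, reason) for every line that touches a known IOC."""
    hosts = c2_hosts() if hosts is None else hosts
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        candidates = []
        if "query" in f:                       # DNS query name
            candidates.append(f["query"])
        if "url" in f:                         # proxy URL -> hostname
            h = urlsplit(f["url"]).hostname
            if h:
                candidates.append(h)
        for h in candidates:
            if host_matches(h, hosts):
                hits.append((n, "c2 domain " + h.lower().rstrip(".")))
                break
        sha = f.get("sha256", "").lower()      # EDR file hash
        if sha in hashes:
            hits.append((n, "known file " + hashes[sha]))
    return hits


if __name__ == "__main__":
    for n, reason in hunt(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

Domain matching works on the parsed hostname with an exact-or-subdomain test rather than a substring search, so the lookalike notsoursopsf.run in the constructed input does not fire while a subdomain of a listed C2 host would. To use it against real data, feed hunt() lines exported from your proxy, DNS and EDR sources and add the remaining dropped-file hashes from the report to SHA256_IOCS.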

Targets

    • Target

      ETool.exe

    • Size

      127.0MB

    • MD5

      9201fd8086ed6252d3fd04426a89aca6

    • SHA1

      ef2439d69b10217304d86f1d0a084a3525a2bf59

    • SHA256

      2327e82bad470c955053d011b1b23481b16ace2a30ac1ec655d5ac457213d0cf

    • SHA512

      eb6102d67f9d8067d62dfba0127669491a215fd2b4470c16a4cd90d499c09be594856da2a14d3d31c71ee8254d3dc46e8ecfcc8570c6111aa19edfb49b3675dc

    • SSDEEP

      24576:10aVFANlrs0kwTD+r0DyheNjEmqj4tC8yjarmo8nf+Z82vIW9:1mNipwTD+r0+hiEmE4tCtjar0f+Z8vW9

    • Lumma Stealer, LummaC

      Lumma (also tracked as LummaC) is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the stealer can refuse to run in countries its operators exclude.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store user profile data (account settings and saved credentials) on disk, and infostealers commonly target those files.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Reads the Uninstall key entries in the registry to enumerate the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Power Settings

      powercfg controls the configurable power settings on a Windows system and can be abused to keep an infected host from sleeping, locking or shutting down.

    • Enumerates processes with tasklist

    • Target

      $TEMP/Exposure.doc

    • Size

      60KB

    • MD5

      021f91244aa361e6766c1347664b688a

    • SHA1

      a71c6f54dab43cf2f478b7b063392fcec9a9cfd5

    • SHA256

      829bc78f9621aba3d57f0ce61f571d573dde9016977d4e184f975787eba3ae85

    • SHA512

      0d744ee8cda9f71b2e55414d40fb9c35815082312df07e907752e7704552850adfb6406d6102ae5fd363537a3878a3e5a761af3588e3bfba4156b521bb657901

    • SSDEEP

      1536:BjandnEvCK0Itej8EkS7SO2OaDHOYSZkf34Gki/kv40:JanJEvlUAe2OaOW34RVvn

    • Score

      1/10

    • Target

      $TEMP/Surrey.doc

    • Size

      86KB

    • MD5

      2562d60d0ce8500a33f91910eb602e72

    • SHA1

      6f54357ee23017093e9f6e23053fb5bb6c714487

    • SHA256

      175779c0f23e28a62fd2b7e9f7a04756b671292dd19ef3e074efe1f90aa6e216

    • SHA512

      677607ecd8c411abee75c040a42cfbce6bfd7e9b01cba2f8635eac2d76326b39a89635b6d2676a386b4ffbe86aeea91831c931ba2f14ee83661a8e89497a9670

    • SSDEEP

      1536:IYa7jMjJ9gICkQTdY8nRlENdlDIUWUqRzrKO0FP8Ip9ypPbKT4VKW:IYcQJ9gG+XRl2D4HKO0VRepmmx

    • Score

      1/10

    • Target

      $TEMP/Tramadol.doc

    • Size

      30KB

    • MD5

      ba928ff2ffaf2db2cfc33eed3c33f4f0

    • SHA1

      04cb1297b00303d0144223848acb22f1cf5be258

    • SHA256

      bf25816ff4a451c19c7f964d4fb5bd8d35fc4311835769d5aae759d49313852b

    • SHA512

      e573ea80f10b54139f47d8cfdcf20d68824ff11a1fee94f34de77f1fc2b6f7bc62ca4ca7769a98ac4c780cf632244684e601e503a522a5043e8e56961ea7a120

    • SSDEEP

      768:5kq8YSScrLSn9EVLdan4cgSJfnaM7y7PcFDU5hjCdb5REHBOpVIF1tYxA6tY:5WLhpanZg4aay7cFDQjMb5GkW9

    • Score

      1/10

    • Target

      SpringPrerequisite/Click.doc

    • Size

      76KB

    • MD5

      b6a810b4b1ce28f016bccff1d52f2147

    • SHA1

      5590bc8521c201f44ccf9427ce34acfb35c66db2

    • SHA256

      3f640b7668a38ec1b3f2dfd2a4a2032ce85c503fbcd7dd27bb414cede27a5e8e

    • SHA512

      45822bfd060ffd528e96d76cb2b59a0c07b038451bf984cf13d617c59188854cf657b4e9a72d99b7d81fc147ef451588568454bc3b9cff5522eb49156d698464

    • SSDEEP

      1536:Bj5oO3oVM550Yc7rjH5kt7YE4XjvwulWqqnh7JDnnDfs8d1M8x:Bj5oO3tX1UkezIkWTnFR1W8x

    • Score

      1/10

    • Target

      SpringPrerequisite/Dosage.doc

    • Size

      86KB

    • MD5

      a01cca989c46bf218b897676b4ff419c

    • SHA1

      540fb787b394095b4cb1f83df03c6e4d621f229e

    • SHA256

      e70a95895f6ea8492644c77f2b5763c38bf069fb78581474f855f82362e5696b

    • SHA512

      bb0a6b6512cd81cb1f49aea427c2e3cecbdc83ea5de1c1f01ccbb6968f545a88cfd09ecc39f40141174b9c277a3bf8aecda8bbb6d11cb17a928d142dda1b6aaf

    • SSDEEP

      1536:CAmbKF77WTL0shozhdrAh2nr8UytPTEQBFaSRe7HKfJ+1raHFUzyUeP//f1+:0KdcYLhdrXr8UShrRVAQlJh/31+

    • Score

      1/10

    • Target

      SpringPrerequisite/Hurricane.doc

    • Size

      59KB

    • MD5

      3ab779ed45de152d80aa68e8d5b6b025

    • SHA1

      997ddc9b0841c067fef81dbc683076e115d06407

    • SHA256

      1ff967545525b752f371b319dcc8efe78d2f35b5049c8aef312beb4b811d00bf

    • SHA512

      0837f528ef92f43630b5e4f3c667e3963f85487090f877916f2d2bec5233b61312292fb2e6c9ff67c55b56c7004d326219eaaca8748a3cadaadf6b120f350482

    • SSDEEP

      1536:CPp+3p0J+SeK5ym2awJst8uBbWre0uQaQSGGYS497eVis4:gp+3iQSxx2aw4/ByUVQSGGl49KVG

    • Score

      1/10

    • Target

      SpringPrerequisite/Jerusalem.doc

    • Size

      73KB

    • MD5

      a41bca9961381c4af3948289c8353483

    • SHA1

      0cdf822532be14b318f7cfd2ad7b3dbe6a11772c

    • SHA256

      58c64d95f86d2fcc3f2d9e9c4324944b1d57ab2dc299ee32264f2b78fc7f2df8

    • SHA512

      b6e51e926d74a17522127a72b1d354ba0c240107f5094746800cc61928fb057dda79477fe4d16aa93e6b29117aa4ab26c34733f87a6df5948ff631ff0d01469c

    • SSDEEP

      1536:XLuIFtxP4Ty6lWMLFfG26wEH/wWR2rYGGliZtNLStyX50820:buIHxSfLNG2JyIWRiBfStC5085

    • Score

      1/10

    • Target

      SpringPrerequisite/Replication.doc

    • Size

      60KB

    • MD5

      3aacde3acd5fb86ac3ff0039ec0c1c25

    • SHA1

      f46599080cd55389392ce516818c9385e4f44037

    • SHA256

      a9f85f7d7beaac38d8fa0c43368207d23d515079125ad2124ead74290c7ad6a9

    • SHA512

      3e592723efee5193f5bb80db3d85ce44db4ba0d8583f8d8399ebb7a2c6284fb9463992d207849c0c7cb369a9f692243a15fe45f0ceaf7eb00de12ab5322a00f5

    • SSDEEP

      1536:oV5ej6wl2xLHJ7IKeoDDbGDaTHTtcLNIhtXZI6m8U:ic6wlmLp74oD2DihcLNclm6m8U

    • Score

      1/10

    • Target

      SpringPrerequisite/Vincent.doc

    • Size

      58KB

    • MD5

      44a7c75577931d2fa7f514978c9c0a3b

    • SHA1

      247058c24da6e0f8b29edfc6fd14558575c145b5

    • SHA256

      fc668ed3cd65fe5b25f6412c122dabe4c58b3b04a5a42b662930a810241907fe

    • SHA512

      03b52a8207e92bf6cc1d75aaf0f77f827edba43b81ddbe5d3ac53590196df563275b08bb73a51c3152efe501f621b983937db21f8d09cc58ae0e2d66646050c8

    • SSDEEP

      1536:CiQ7KoR9epjSJXDNAIEY5v1U4AIeSOTRgZJNKd:YmoR97TNADY5v1peSOTWZ8

    • Score

      1/10

MITRE ATT&CK Enterprise v16
