Analysis
-
max time kernel
120s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
10/04/2025, 18:44
General
-
Target
qhjMWht.exe
-
Size
1.8MB
-
MD5
155b5a37e0139ae41470d962cb52d724
-
SHA1
8205240e38cd52ceacf9ea8c3341df000e9d3d1e
-
SHA256
7d97bf7503ab66494f677393827135a6bab046e140994562b851af8e8e5e9d72
-
SHA512
91daf5395c85dad4894b350544e26767856b3af2e3e34f2eebe71410b9f9ceb7a88c518beda22ed280ca1efc90e045acd68ad37ae4ae01529e33433905632fc7
-
SSDEEP
24576:Hk57bnOnbJhKEuINJwfBLiHrxgubghRVBQsJjq5xhCJyITQsg4cSSgkiv06+:Hkt7UJVJQLiHFehRUsohCrQJSDkiMb
Malware Config
Extracted
lumma
https://0liftally.top/xasj
https://soursopsf.run/gsoiao
https://.changeaie.top/geps
https://easyupgw.live/eosz
https://liftally.top/xasj
https://upmodini.digital/gokk
https://salaccgfa.top/gsooz
https://zestmodp.top/zeda
https://xcelmodo.run/nahd
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\qhjMWht.exe"C:\Users\Admin\AppData\Local\Temp\qhjMWht.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
176KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB