General
Target: https://bebetter-fivem.space/download
Sample: 250412-x19jdszns5
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bebetter-fivem.space/download
Resource: win11-20250410-en
Malware Config
Extracted: lumma
https://zealjkh.digital/qpte
https://kjawdedmirror.run/ewqd
https://changeaie.top/geps
https://mlonfgshadow.live/xawi
https://liftally.top/xasj
https://nighetwhisper.top/lekd
https://salaccgfa.top/gsooz
https://5zestmodp.top/zeda
https://owlflright.digital/qopy
Extracted: rhadamanthys
https://185.125.50.38:3034/739bd3e91cd40ca83/pancake.api
Targets
- Target: https://bebetter-fivem.space/download
- Lumma family
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Probable phishing domain
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16
Defense Evasion
- Modify Registry (1)
- Obfuscated Files or Information (1)
- Command Obfuscation (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)