General

  • Target

    ⧉ 𝙄𝙣𝙨𝙩𝙖𝙑𝙑 ⧉ π™Žπ™€π™π™π™‹ ⧉ π™π™‹π˜Ώπ˜Όπ™π™€ ⧉ 𝙉𝙀𝙒.7z

  • Size

    22.8MB

  • Sample

    250704-vkeyqswwgs

  • MD5

    8018b50f06484390df01cd01b6a29993

  • SHA1

    586967e2f4127b4e3eb8cf8d5977c9380f74b53f

  • SHA256

    3c6348cfde0c2a86888faae3edff794add3b141e5f51265e995c5940e3fb6239

  • SHA512

    a8307f9cc0cdf47f4a9453a842aea8c05468444e7997ccc85660941c86eb3985e636e9ef8ce86eb917fad39bb2cebe616572c471e2baca2c6ba40dae9337f943

  • SSDEEP

    393216:PZV5l4RMrfwNdFfUZQrsR3x7pdDqWKHYBR/P/8RFAERp5+2N:TrqdF8Us5x7ZBFP/8RfROy

Malware Config

Extracted

Family

lumma

C2


Attributes

  • build_id

    87d6d96b7dff409b5339f2d55997fc666193

Targets

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Enumerates processes with tasklist
