lumma | 227447de76c7bcb29130c5b22705a2bf09bf8d648fc3448cb832ce8e6f9be15a

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yollskare.zip
Size

35.0MB
MD5

4887b175958a86cd26d2a117066a363c
SHA1

a168a2c626ab02254a6e4b7f00352e9ee549d4cf
SHA256

227447de76c7bcb29130c5b22705a2bf09bf8d648fc3448cb832ce8e6f9be15a
SHA512

3cb6347662cb5b16e3bf6b7b43ddf8f4a0720d00c23ffd7c0ff4d14fdca5860284ca2b91e5d6c348d5845736206f87eb4792771efab8c3ebb45a8b41d29f2d98
SSDEEP

786432:hMuCrZX2d1wN+KLj/BMWCJd/B2VgmrJD4KrtQHRfekgr5B+pe7Q/2bFK9+O++vtZ:qGd6N+k/ed/B8gcCKWRKvu2JK/

Score

10^/10

lumma redline infostealer spyware stealer

Malware Config

Extracted

Family

redline

185.196.9.26:6302

Extracted

Family

lumma

https://employeedscratshj.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4404-2399-0x0000000000800000-0x0000000000850000-memory.dmp family_redline
Executes dropped EXE 2 IoCs

Processes:

devoscart1.exedevoscart2.exe

pid process

2004 devoscart1.exe
3448 devoscart2.exe
Loads dropped DLL 2 IoCs

Processes:

devoscart1.exedevoscart2.exe

pid process

2004 devoscart1.exe
3448 devoscart2.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 2 IoCs

Processes:

devoscart1.exedevoscart2.exe

description pid process target process

PID 2004 set thread context of 4404 2004 devoscart1.exe MSBuild.exe
PID 3448 set thread context of 2148 3448 devoscart2.exe aspnet_regiis.exe

resource	yara_rule
behavioral2/memory/4404-2399-0x0000000000800000-0x0000000000850000-memory.dmp	family_redline

pid	process
2004	devoscart1.exe
3448	devoscart2.exe

pid	process
2004	devoscart1.exe
3448	devoscart2.exe

description	pid	process	target process
PID 2004 set thread context of 4404	2004	devoscart1.exe	MSBuild.exe
PID 3448 set thread context of 2148	3448	devoscart2.exe	aspnet_regiis.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

MSBuild.exe

pid	process
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2368 7zFM.exe

pid	process
2368	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exe7zFM.exeMSBuild.exe

description	pid	process
Token: SeRestorePrivilege	728	7zFM.exe
Token: 35	728	7zFM.exe
Token: SeRestorePrivilege	2368	7zFM.exe
Token: 35	2368	7zFM.exe
Token: SeSecurityPrivilege	2368	7zFM.exe
Token: SeDebugPrivilege	4404	MSBuild.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exe7zFM.exe

pid process

728 7zFM.exe
2368 7zFM.exe
2368 7zFM.exe
2368 7zFM.exe

pid	process
728	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

devoscart1.exedevoscart2.exe

description	pid	process	target process
PID 2004 wrote to memory of 4404	2004	devoscart1.exe	MSBuild.exe
PID 2004 wrote to memory of 4404	2004	devoscart1.exe	MSBuild.exe
PID 2004 wrote to memory of 4404	2004	devoscart1.exe	MSBuild.exe
PID 2004 wrote to memory of 4404	2004	devoscart1.exe	MSBuild.exe
PID 2004 wrote to memory of 4404	2004	devoscart1.exe	MSBuild.exe
PID 2004 wrote to memory of 4404	2004	devoscart1.exe	MSBuild.exe
PID 2004 wrote to memory of 4404	2004	devoscart1.exe	MSBuild.exe
PID 2004 wrote to memory of 4404	2004	devoscart1.exe	MSBuild.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe
PID 3448 wrote to memory of 2148	3448	devoscart2.exe	aspnet_regiis.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\yollskare.zip
1⤵
PID:3452

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\PopEnter.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1844

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_yollskare.zip\vakeboard.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2368

C:\Users\Admin\Desktop\vakeboard\devoscart1.exe
"C:\Users\Admin\Desktop\vakeboard\devoscart1.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Users\Admin\Desktop\vakeboard\devoscart2.exe
"C:\Users\Admin\Desktop\vakeboard\devoscart2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE0491E219\vakeboard\data\allonator\eyes\test\bg.pak.info
Filesize
554KB

MD5
8a679c02bfbb88c2760ca0d962c0b1c8

SHA1
70b1528af5c62336043b2531fa7b477f9412278d

SHA256
bda7bd9f39a00b007f21a4e9b82fcd2267f4dfbd53800379210ab4f91e982529

SHA512
df1031975a8acdcc471638dc21642c5081c9edb704382fd05c63ca638c61c637ceb97a480a18cfd3a1c784c020a2f2cf853f8c9bad5e3b3e3857c7ee25ea26a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0491E219\vakeboard\data\allonator\ipv6\lib\browser\jsbn.js
Filesize
14KB

MD5
2a4325e2473367762683c8cfaa431e5e

SHA1
cd9abab16600becbbd25dbd460de044f8ec6835d

SHA256
61de67d61cf9977a30ebbd11f82570d4472620e3e15af06e4c6564d96faa091a

SHA512
4c0132997381bbf074232857874ef0bf052f42be78abe23ea9c30c10735292f1580710df63c8eb78ae70979db301d43fb53ca3ceadc4bda4dcd7fabe13fac8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0491E219\vakeboard\data\teans\locale\sl\LC_MESSAGES\vlc.mo
Filesize
587KB

MD5
57df9e2d44f84a5e7e87c90f68315065

SHA1
9970f89466e835133c9c32359d5ae50335b44bb2

SHA256
5d0aac392bbefee9db6dfcadef1d10c58e047cad3b49a45eb2dd1b2e99fe8efc

SHA512
68e80de2f7cd5b65ace061aecf897cdd1106afb52b6aa6a4736f26392bdfec2cb1b055820659c1c6922368c13ffdd86dd807731110916c82ae8ca167601beb1b

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
419KB

MD5
88dafe97bd572d99687b75b73b802142

SHA1
bd93f0ddd324bb36947fe6d536eb7c926042af48

SHA256
0d777d8460555f21cede4f74eaac43112471dc1a1ab8750becc218ecfb760605

SHA512
8d2fe96b05ede3151797cb7cdcbabca782a816f5bd86dc6f959a56c420f6f60a909088e5e1388f3df192da447e76f3140ca1704dafc7950770ee473fbf27e985

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
424KB

MD5
2f0aea36f4a2fb2ea61aa91ab095434d

SHA1
f51f0c9438911270b98d43e9c67dde4fa28183b0

SHA256
b0c3bd026ff77bcf5d8bc3f8fdeac4fab69fdb1617474cec91b78bd07736886e

SHA512
50813c0dd6e89403da7dd281f4c3414c5198b67ab1032b0bfb13d589454bd0e75abe37aa24740268d452453ffd7689b902578eebc7248fcdd09056569cfd5831

Download Submit
C:\Users\Admin\Desktop\vakeboard\devoscart1.exe
Filesize
1.5MB

MD5
e0dd6e92acb812288757a0084faa49d1

SHA1
a11722441cc8036036222821e0f0b161c9e33d06

SHA256
db5b39f624a7c0de87da23fb3d073f2f31da072a8c0af6a46669e69f96a111cf

SHA512
67c92ebe6ad1ef84649aa51730b3b2066b8065099807bb21d175b0cd171c50f3f4f73ff1a46f8f778841f727734e3e1fd0235927a3b02c55cdf4a7ed445073c1

Download Submit
C:\Users\Admin\Desktop\vakeboard\devoscart2.exe
Filesize
1.5MB

MD5
9aa54e2c5aa32236e901e17b88058499

SHA1
ba4c2a7c6a0fb81ad9a439e1c4d4e85c150d96f3

SHA256
a101ee722996df142c3e75bd65ef49dfc9b0dce802cd6a6dbc6364ff774d2705

SHA512
aab2cf956d0084509174b1ca5c82128a0afad375f6151b0509922939915158fe0a995e32ce5321297e1dfc19241c8e9fe9244e982752cc86dea4de501b8dcc39

Download Submit
memory/2004-2392-0x0000000000F80000-0x0000000001114000-memory.dmp

Filesize
1.6MB

Download
memory/2148-2415-0x0000000000780000-0x00000000007D4000-memory.dmp

Filesize
336KB

Download
memory/2148-2419-0x0000000000780000-0x00000000007D4000-memory.dmp

Filesize
336KB

Download
memory/2148-2414-0x0000000000780000-0x00000000007D4000-memory.dmp

Filesize
336KB

Download
memory/3448-2406-0x0000000000770000-0x00000000008FE000-memory.dmp

Filesize
1.6MB

Download
memory/4404-2399-0x0000000000800000-0x0000000000850000-memory.dmp

Filesize
320KB

Download
memory/4404-2403-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

Filesize
40KB

Download
memory/4404-2402-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/4404-2401-0x00000000051F0000-0x0000000005794000-memory.dmp

Filesize
5.6MB

Download
memory/4404-2420-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/4404-2421-0x00000000050E0000-0x00000000051EA000-memory.dmp

Filesize
1.0MB

Download
memory/4404-2422-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

Filesize
72KB

Download
memory/4404-2423-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/4404-2424-0x0000000005070000-0x00000000050BC000-memory.dmp

Filesize
304KB

Download
memory/4404-2425-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/4404-2426-0x00000000066B0000-0x0000000006700000-memory.dmp

Filesize
320KB

Download
memory/4404-2427-0x0000000006C20000-0x0000000006DE2000-memory.dmp

Filesize
1.8MB

Download
memory/4404-2428-0x0000000007320000-0x000000000784C000-memory.dmp

Filesize
5.2MB

Download