Managed XDR

raid-kostada2-outputs_...6a130b8031364.oa.oa.oa (LummaC2) — malware analysis report

File info

Filename: raid-kostada2-outputs_reduced_dataset-mab_1772715072-minimal-bazaar.2023.04__heur-trojan-psw.win32.stealerc_stealerc.gen-15f7f1e52909648e38d62c3b4dfa1f7fc62e718abe50f373a0a6a130b8031364.oa.oa.oa
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 7.3 MB
First seen: 2026-03-05 19:17
Last seen: 2026-03-05 19:17

Environment

w10/x64 en

Hashes

SHA1: 62b878abed225c29ffe771b2516b2cbd605ad819
SHA256: 95508cf4a462f116d4f28e092f87c29fca6be8c547c9be951680775bd1d41a4c
MD5: b96712c52453ecbed671301b6d1efcc6

Malwares

LummaC2

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1497.001 antivm_firmware: Attempts to detect VM by firmware

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1503 infostealer_browser: Retrieves personal information from local Internet browsers

T1552 infostealer_browser: Retrieves personal information from local Internet browsers

T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets

T1552 infostealer_mail: Collects personal data from local email clients

T1552 cookie_files: Accesses cookie files

T1555.003 cookie_files: Accesses cookie files

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_firmware: Attempts to detect VM by firmware

T1518 recon_programs: Collects information about installed programs

T1518 locates_browser: Attempts to identify where browsers are installed

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1082 checks_firmware: Attempts to read firmware information (potentially for evasion)

Collection

T1114 infostealer_mail: Collects personal data from local email clients

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

yara_rules: Static rules

dead_host: Connects to IP addresses that do not respond to requests

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

has_pdb: This executable file has a PDB path

origin_langid: Unconventional language of the executable file

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay

Related reports

Managed XDR