lumma | 482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd

General

Target

482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe
Size

207KB
MD5

3a61ec110bb167c8e3a0cac282c1d3e7
SHA1

888b06642f643b8b36c5db2b4cda28a17f6affaa
SHA256

482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd
SHA512

5176bb10cf36e018689f030514cf7180a5ca74c8b63ed12037896813ea4267987f062c825c68d0b0b11aa6e3702ab627c528bf34292f0d19d3a5b572c93bd679
SSDEEP

3072:XXtTlv1Y3V7I50QVzPRSRC1VvTdnUx3cOfg6o5W/i:Hj12uVOGvTNUxmI

Score

10^/10

lumma smokeloader backdoor spyware stealer trojan

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3256-133-0x0000000002DF0000-0x0000000002DF9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

1018.exe

pid process

2712 1018.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4340 2712 WerFault.exe 1018.exe

pid	process
2712	1018.exe

pid	pid_target	process	target process
4340	2712	WerFault.exe	1018.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe

pid	process
3256	482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe
3256	482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132
1132

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1132
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe

pid process

3256 482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1132
Token: SeCreatePagefilePrivilege 1132

pid	process
1132

description	pid	process
Token: SeShutdownPrivilege	1132
Token: SeCreatePagefilePrivilege	1132

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 1132 wrote to memory of 2712	1132	1018.exe
PID 1132 wrote to memory of 2712	1132	1018.exe
PID 1132 wrote to memory of 2712	1132	1018.exe

C:\Users\Admin\AppData\Local\Temp\482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe
"C:\Users\Admin\AppData\Local\Temp\482f9a21893127c2bf7477236533dc2db007ad1eb1fe6cc9ae7135bc71742abd.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3256

C:\Users\Admin\AppData\Local\Temp\1018.exe
C:\Users\Admin\AppData\Local\Temp\1018.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1344
2⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2712 -ip 2712
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1018.exe

Filesize
245KB

MD5
0ccbec377710f5e58b2d01685f1ecb72

SHA1
af747d213c4a3dad010b455f42439bf60b9880a1

SHA256
aa3a7343485d41c250d2ccfe85d8efd16e9e9f1a4c648e67c109998fa6b049b5

SHA512
dabb331a125b87726c387ca24380f8d58074773ebb75dd526cbbe9ef8304efeafb81f0b7dea4dd4546c3ffd7a78fbf2bbe3afdaeb57f98f96ec3ec36902820e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018.exe

Filesize
245KB

MD5
0ccbec377710f5e58b2d01685f1ecb72

SHA1
af747d213c4a3dad010b455f42439bf60b9880a1

SHA256
aa3a7343485d41c250d2ccfe85d8efd16e9e9f1a4c648e67c109998fa6b049b5

SHA512
dabb331a125b87726c387ca24380f8d58074773ebb75dd526cbbe9ef8304efeafb81f0b7dea4dd4546c3ffd7a78fbf2bbe3afdaeb57f98f96ec3ec36902820e7

Download Submit
memory/2712-136-0x0000000000000000-mapping.dmp

Download
memory/2712-140-0x0000000002E10000-0x0000000002E3A000-memory.dmp

Filesize
168KB

Download
memory/2712-139-0x0000000002ED9000-0x0000000002EF3000-memory.dmp

Filesize
104KB

Download
memory/2712-141-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/2712-142-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/3256-132-0x0000000002EA8000-0x0000000002EB8000-memory.dmp

Filesize
64KB

Download
memory/3256-133-0x0000000002DF0000-0x0000000002DF9000-memory.dmp

Filesize
36KB

Download
memory/3256-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download
memory/3256-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

Filesize
39.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads