lumma | 6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7

General

Target

6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7
Size

210KB
Sample

230115-y1vwnsff61
MD5

9ab2e2eb1ac2586e07d6104d01cd1b90
SHA1

b6f267f80605be7aa59691f4ce0779572a59abb7
SHA256

6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7
SHA512

c7863e97837427614eac42e64c89b5e0cb943ee4978c3267146cd977055a57476ca4cdf80a033120584ad5f66cbbd427496bceeebc6dc8103f76d577ca3dac45
SSDEEP

3072:HX1QDSkCkos5p4msqoovTbx/np2u7LBwcri:343EmNDPmuv

Score

10^/10

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Targets

- Target
  
  6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7
- Size
  
  210KB
- MD5
  
  9ab2e2eb1ac2586e07d6104d01cd1b90
- SHA1
  
  b6f267f80605be7aa59691f4ce0779572a59abb7
- SHA256
  
  6ced9e727c4a65bccd446cfd6b6222f5261c5ac97a798ddb729a931492c654b7
- SHA512
  
  c7863e97837427614eac42e64c89b5e0cb943ee4978c3267146cd977055a57476ca4cdf80a033120584ad5f66cbbd427496bceeebc6dc8103f76d577ca3dac45
- SSDEEP
  
  3072:HX1QDSkCkos5p4msqoovTbx/np2u7LBwcri:343EmNDPmuv
Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan
- Detects Smokeloader packer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1