lumma | e0c8aa49c095bb2eeb36aefcff26ac3d4ed020e08d21cbe73fbd502b9a1c2a18

General

Target

e0c8aa49c095bb2eeb36aefcff26ac3d4ed020e08d21cbe73fbd502b9a1c2a18
Size

209KB
Sample

230115-zt3hlsgb8y
MD5

5a9a3831305f5d032a276d15c633329e
SHA1

7e83aba10ce7b8ef643fb00385ac77cbcf7ac5ee
SHA256

e0c8aa49c095bb2eeb36aefcff26ac3d4ed020e08d21cbe73fbd502b9a1c2a18
SHA512

6f5410ea8358e6ae5d8796dfc5d3bd2d975acc3fc009e2c3e715491f7c83a5ebeab12baefbc023beae294415c3fe877af8400d6263e18736746c8e41c23f41b4
SSDEEP

3072:FXXmCk1HJK5XPj8e2Y5u+Q3bscaj3zeinMsWki:FHUH88e2YTQITjeiT

Score

10^/10

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Targets

- Target
  
  e0c8aa49c095bb2eeb36aefcff26ac3d4ed020e08d21cbe73fbd502b9a1c2a18
- Size
  
  209KB
- MD5
  
  5a9a3831305f5d032a276d15c633329e
- SHA1
  
  7e83aba10ce7b8ef643fb00385ac77cbcf7ac5ee
- SHA256
  
  e0c8aa49c095bb2eeb36aefcff26ac3d4ed020e08d21cbe73fbd502b9a1c2a18
- SHA512
  
  6f5410ea8358e6ae5d8796dfc5d3bd2d975acc3fc009e2c3e715491f7c83a5ebeab12baefbc023beae294415c3fe877af8400d6263e18736746c8e41c23f41b4
- SSDEEP
  
  3072:FXXmCk1HJK5XPj8e2Y5u+Q3bscaj3zeinMsWki:FHUH88e2YTQITjeiT
Score

10^/10

lumma smokeloader backdoor collection discovery persistence spyware stealer trojan
- Detects Smokeloader packer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1