lumma | 50fd84dfcc9be1f3791a97764ca2b27c29d4e2aaa18170eba2fc43a3d40fa02f

Analysis

max time kernel
132s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50fd84dfcc9be1f3791a97764ca2b27c29d4e2aaa18170eba2fc43a3d40fa02f.exe
Size

247KB
MD5

02bc1fc1329b17e4d13a4d781b26fc18
SHA1

6e6220623433816f8e11d828d95f95f27640e3bc
SHA256

50fd84dfcc9be1f3791a97764ca2b27c29d4e2aaa18170eba2fc43a3d40fa02f
SHA512

03001c80f4961dfc88344b2d90de82024b5709e28c211f03cc20369bd89c6124c02a13362207ff256eb4bbddbb82b4267f8683e33b6e89d4f2c7498f61ccfc9b
SSDEEP

3072:Cp/k17KLaP41vDk1MD1ccPwSxO4CAEWWnCFpCGgJysoHBtwTlib/YNJDKyQ/ughd:Wc1GLhDcSPwoPbSGgPJaHQlisNJDHXG

Score

10^/10

lumma spyware stealer

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3396 4968 WerFault.exe 50fd84dfcc9be1f3791a97764ca2b27c29d4e2aaa18170eba2fc43a3d40fa02f.exe

pid	pid_target	process	target process
3396	4968	WerFault.exe	50fd84dfcc9be1f3791a97764ca2b27c29d4e2aaa18170eba2fc43a3d40fa02f.exe

C:\Users\Admin\AppData\Local\Temp\50fd84dfcc9be1f3791a97764ca2b27c29d4e2aaa18170eba2fc43a3d40fa02f.exe
"C:\Users\Admin\AppData\Local\Temp\50fd84dfcc9be1f3791a97764ca2b27c29d4e2aaa18170eba2fc43a3d40fa02f.exe"
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1352
2⤵
- Program crash
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4968 -ip 4968
1⤵
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4968-132-0x000000000069E000-0x00000000006B8000-memory.dmp

Filesize
104KB

Download
memory/4968-133-0x00000000005E0000-0x000000000060A000-memory.dmp

Filesize
168KB

Download
memory/4968-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download