lumma | cc7d98da7930799936b4d026ea13e2d5023faa9b26f97b482662d5dab138cc4d

General

Target

18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe
Size

210KB
MD5

ebd42ae578479719653b35c33554ccc5
SHA1

da79aceadb98f5198c218438e1ff13900b206ec9
SHA256

18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3
SHA512

0eaf3f62705ddab16e14a077bc29c52b22a99dd9b2212dcd0aeec9d92843b79b65bdde3b14a9170fc424aace760a6c80970916547039fa697814e7be639c1f12
SSDEEP

1536:gMQuk7EPCnpn2XcxezpkQYCPt9ldnXEp6Zd5X581Z1EnVx7C0NDuYHCx3IkwLuTy:gMXWEo+/hd5p73762CxYXSNti

Score

10^/10

lumma smokeloader backdoor spyware stealer trojan

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2376-133-0x0000000002C20000-0x0000000002C29000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

caeduavE848.exe

pid process

4188 caeduav
748 E848.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4188	caeduav
748	E848.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

caeduav18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	caeduav
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	caeduav
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	caeduav

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe

pid	process
2376	18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe
2376	18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016
2016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2016
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.execaeduav

pid process

2376 18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe
4188 caeduav

pid	process
2016

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 2016 wrote to memory of 748	2016	E848.exe
PID 2016 wrote to memory of 748	2016	E848.exe
PID 2016 wrote to memory of 748	2016	E848.exe

C:\Users\Admin\AppData\Local\Temp\18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe
"C:\Users\Admin\AppData\Local\Temp\18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2376

C:\Users\Admin\AppData\Roaming\caeduav
C:\Users\Admin\AppData\Roaming\caeduav
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4188

C:\Users\Admin\AppData\Local\Temp\E848.exe
C:\Users\Admin\AppData\Local\Temp\E848.exe
1⤵
- Executes dropped EXE
PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E848.exe
Filesize
276KB

MD5
9a636854eb16b6ae20d0152747ccdc87

SHA1
839ad2590dc91881058abf89c41cdde28e3c40ed

SHA256
730d01a6a7eedbf59ff5fc88ca0e7bf3d2a1fc7d5ede1232f31aa7a06e7b9adc

SHA512
d5b88e441a3c609ad59fbc50472d8ae5114543832109532c8d1e9dbf015b2e63b33227cbd904689ea8e2ce308dd8e65d61cfedfa3eae23696d0de3a5d9d2761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E848.exe
Filesize
276KB

MD5
9a636854eb16b6ae20d0152747ccdc87

SHA1
839ad2590dc91881058abf89c41cdde28e3c40ed

SHA256
730d01a6a7eedbf59ff5fc88ca0e7bf3d2a1fc7d5ede1232f31aa7a06e7b9adc

SHA512
d5b88e441a3c609ad59fbc50472d8ae5114543832109532c8d1e9dbf015b2e63b33227cbd904689ea8e2ce308dd8e65d61cfedfa3eae23696d0de3a5d9d2761f

Download Submit
C:\Users\Admin\AppData\Roaming\caeduav
Filesize
210KB

MD5
ebd42ae578479719653b35c33554ccc5

SHA1
da79aceadb98f5198c218438e1ff13900b206ec9

SHA256
18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3

SHA512
0eaf3f62705ddab16e14a077bc29c52b22a99dd9b2212dcd0aeec9d92843b79b65bdde3b14a9170fc424aace760a6c80970916547039fa697814e7be639c1f12

Download Submit
C:\Users\Admin\AppData\Roaming\caeduav
Filesize
210KB

MD5
ebd42ae578479719653b35c33554ccc5

SHA1
da79aceadb98f5198c218438e1ff13900b206ec9

SHA256
18dc8fac237e8cb22397fe44f64c54863b4ed5f490042d759689d149856b8dd3

SHA512
0eaf3f62705ddab16e14a077bc29c52b22a99dd9b2212dcd0aeec9d92843b79b65bdde3b14a9170fc424aace760a6c80970916547039fa697814e7be639c1f12

Download Submit
memory/748-141-0x0000000000000000-mapping.dmp

Download
memory/748-146-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/748-145-0x0000000000590000-0x00000000005BA000-memory.dmp

Filesize
168KB

Download
memory/748-144-0x000000000072D000-0x0000000000747000-memory.dmp

Filesize
104KB

Download
memory/2376-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2376-132-0x0000000002C68000-0x0000000002C78000-memory.dmp

Filesize
64KB

Download
memory/2376-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2376-133-0x0000000002C20000-0x0000000002C29000-memory.dmp

Filesize
36KB

Download
memory/4188-140-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4188-139-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/4188-138-0x0000000002DF8000-0x0000000002E08000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads