lumma | 2c329e073c0332b62859ee25d3953388d521961a5731d43633a948459c2a80fc

General

Target

Lutrix.exe
Size

4.5MB
MD5

8a0dfeea924d5faf4025d9ac7aa393a4
SHA1

1da14c08a5f6c6b7efc4ddf4ba8087de7578c1e4
SHA256

2c329e073c0332b62859ee25d3953388d521961a5731d43633a948459c2a80fc
SHA512

b4b752d2b16616f62074890ed5483f5944cf5d578ba5d802da2eafa1c550e2595e87245ad91d93ec7a7401980efe885065f08d5e58d41889778c08b52c978361
SSDEEP

49152:jjk7QkVV6AtEz7BYU8+/391+SUAx5lPqy4U/m4HccJYAYbEr8vzTwSgO79Ku:jjk7StYUjvllq4/mZ1AYbEr8F

Score

10^/10

lumma stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

CfHyZ4Bmoi.exe

pid process

1620 CfHyZ4Bmoi.exe
Loads dropped DLL 1 IoCs

Processes:

Lutrix.exe

pid process

624 Lutrix.exe

pid	process
624	Lutrix.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Lutrix.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Lutrix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Lutrix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Lutrix.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CfHyZ4Bmoi.exeLutrix.exe

pid	process
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
1620	CfHyZ4Bmoi.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe
624	Lutrix.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CfHyZ4Bmoi.exe

description pid process

Token: SeDebugPrivilege 1620 CfHyZ4Bmoi.exe

description	pid	process
Token: SeDebugPrivilege	1620	CfHyZ4Bmoi.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Lutrix.exeCfHyZ4Bmoi.exe

description	pid	process	target process
PID 624 wrote to memory of 1620	624	Lutrix.exe	CfHyZ4Bmoi.exe
PID 624 wrote to memory of 1620	624	Lutrix.exe	CfHyZ4Bmoi.exe
PID 624 wrote to memory of 1620	624	Lutrix.exe	CfHyZ4Bmoi.exe
PID 624 wrote to memory of 1620	624	Lutrix.exe	CfHyZ4Bmoi.exe
PID 1620 wrote to memory of 632	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 632	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 632	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 632	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 632	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 632	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 632	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1048	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1048	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1048	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1048	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1048	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1048	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1048	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1732	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1732	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1732	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1732	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1732	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1732	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1732	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1556	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1556	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1556	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1556	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1556	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1556	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1556	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1520	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1520	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1520	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1520	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1520	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1520	1620	CfHyZ4Bmoi.exe	AppLaunch.exe
PID 1620 wrote to memory of 1520	1620	CfHyZ4Bmoi.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Lutrix.exe
"C:\Users\Admin\AppData\Local\Temp\Lutrix.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Public\CfHyZ4Bmoi.exe
C:/Users/Public/CfHyZ4Bmoi.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1731.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Public\CfHyZ4Bmoi.exe
Filesize
1.7MB

MD5
b329525d2d62f10d7a8fdb25bb9d9a43

SHA1
43190e85312bd69cda8c094a0085ea188832bbbc

SHA256
e7cf16e7e4fac1aafb98e10b36c5b129df9a372d03bdebcc5cb77f7bb1139be7

SHA512
053f1ff542bf1ac0bbbfc4f320c62cc5b63092f7ff0b882c0d7d8bf7b3a3609c42b817d2d527f9f8841035d5883eea91676b93fbc60779d68d119ee1e1460ad1

Download Submit
C:\Users\Public\CfHyZ4Bmoi.exe
Filesize
1.7MB

MD5
b329525d2d62f10d7a8fdb25bb9d9a43

SHA1
43190e85312bd69cda8c094a0085ea188832bbbc

SHA256
e7cf16e7e4fac1aafb98e10b36c5b129df9a372d03bdebcc5cb77f7bb1139be7

SHA512
053f1ff542bf1ac0bbbfc4f320c62cc5b63092f7ff0b882c0d7d8bf7b3a3609c42b817d2d527f9f8841035d5883eea91676b93fbc60779d68d119ee1e1460ad1

Download Submit
\Users\Public\CfHyZ4Bmoi.exe
Filesize
1.7MB

MD5
b329525d2d62f10d7a8fdb25bb9d9a43

SHA1
43190e85312bd69cda8c094a0085ea188832bbbc

SHA256
e7cf16e7e4fac1aafb98e10b36c5b129df9a372d03bdebcc5cb77f7bb1139be7

SHA512
053f1ff542bf1ac0bbbfc4f320c62cc5b63092f7ff0b882c0d7d8bf7b3a3609c42b817d2d527f9f8841035d5883eea91676b93fbc60779d68d119ee1e1460ad1

Download Submit
memory/624-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/624-111-0x0000000000400000-0x0000000000889000-memory.dmp

Filesize
4.5MB

Download
memory/624-118-0x0000000000400000-0x0000000000889000-memory.dmp

Filesize
4.5MB

Download
memory/624-123-0x0000000000400000-0x0000000000889000-memory.dmp

Filesize
4.5MB

Download
memory/1620-116-0x00000000009A0000-0x0000000000B56000-memory.dmp

Filesize
1.7MB

Download
memory/1620-117-0x0000000000590000-0x00000000005EA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads