lumma | d3ec28c089d98942413d9d197ff38b0bd2c336df708564307467edb58f23ea37 | Triage

Submit
Reports

Overview

overview

Static

static

1

particovl.bat

windows7-x64

8

particovl.bat

windows10-2004-x64

Sharing

General

Target

particovl.zip
Size

855KB
Sample

230321-mrpgrabg91
MD5

aa755552111760cbec58b6732f2911fc
SHA1

3c77f0366d7d492e3cdf16006b2fe312f3ee89b8
SHA256

d3ec28c089d98942413d9d197ff38b0bd2c336df708564307467edb58f23ea37
SHA512

2bd8d82a0f16b4bc49065afc7967008ceb94e777b36247c529169e00be85a6022148a0560560d14cc773321e912e50921d96f201f9e6c4764b4260cbee216470
SSDEEP

384:ynnK9MGosyer556ig9WCc8BN9gCjUslRfDhGkjr/eaLgCbo39dSrYC:ynKe7sPR6N+NsLFGGr/HgC836

Score

10^/10

lumma evasion persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

particovl.bat

Resource

win7-20230220-en

evasion persistence

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

particovl.bat

Resource

win10v2004-20230220-en

lumma evasion persistence spyware stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  particovl.bat
- Size
  
  699.1MB
- MD5
  
  85e4843ddbeb2ef9a3cdea6497bbdfa9
- SHA1
  
  5556ac2aa0d52daa7240877e6df1b60d3969ecec
- SHA256
  
  4049b93a33911701f2b975d19db0f91e4ae70ccbeee83a93f3352aa76a0152d8
- SHA512
  
  6c875856504f70ac80912f88e61fd67e9e37e0001d4c0a3c1f6703f69f0e3194142b6c93d941a85d2d721e53a2c1c2e1c59665ccd8fbb803419388d1908e8684
- SSDEEP
  
  384:Yi56N+inFXIvK0NgMzIR9tFhnvOTSMnZdqEoyZZd5hJUvCUvcmS/lggNbQRq55en:8X+K8xwvWSpmZ5emKAbJ55hz0h
Score

10^/10

evasion persistence lumma spyware stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistence

behavioral2

lummaevasionpersistencespywarestealer

© 2018-2024

Terms | Privacy