lumma | 25bedb839070a35a6195fec683ca363d031fb265e10ddc9d5537199be60c4fab | Triage

Submit
Reports

Overview

overview

Static

static

1

expressvpn...all.7z

windows7-x64

3

expressvpn...all.7z

windows10-2004-x64

Sharing

General

Target

expressvpn_windows_install_pass1234.zip
Size

48.5MB
Sample

230322-jy1ltahe8z
MD5

88f51bb2c544d11cdf493c6082a7eabd
SHA1

78b9942ed7c81312df12d232379fa2412ea7913e
SHA256

25bedb839070a35a6195fec683ca363d031fb265e10ddc9d5537199be60c4fab
SHA512

7449b9129d5d207f24b428735e140478afa8e0de7f49649f520010918726556ced4a3ca5edd32e4e6f8b2ada89d4ebef7368de4c8c9ca1e04f1076921a0863d3
SSDEEP

786432:kOjgCSRBYxWy0WXMGMVcvPKI0+mOafSmyEXa0Lsn7kEGYEKbKjGHV7/ijz8p:fkRBf6LwcKyafY+a0ukEmjGHdp

Score

10^/10

lumma discovery spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

expressvpn_windows_install.7z

Resource

win7-20230220-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

expressvpn_windows_install.7z

Resource

win10v2004-20230220-en

lumma discovery spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

lumma

C2

82.117.255.80

Targets

- Target
  
  expressvpn_windows_install.7z
- Size
  
  45.5MB
- MD5
  
  453d0bcc246d8f9def6d542fd846c3d4
- SHA1
  
  5e35087c69cbd0425c02ce7edc5192feea82722a
- SHA256
  
  f6be94dd7fa4acd3775553af020ed4bd07bdd8070383926b3e2ad62c3c30a9ae
- SHA512
  
  e674fbd76f5919436780d9bf75918b1202dffcf279708aad0a000ae7bd489a9bdf55d6f7a2b4f7b738a66080a59b18403c702e43d58d3c764b22f848e6752c61
- SSDEEP
  
  786432:IOjgCSRBYxWy0WXMGMVcvPKI0+mOafSmyEXa0Lsn7kEGYEKbKjGHV7/ijz/:DkRBf6LwcKyafY+a0ukEmjGHO
Score

10^/10

lumma discovery spyware stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

lummadiscoveryspywarestealer

© 2018-2024

Terms | Privacy