lumma | bb943a4b69a11e38ae79651edb071f57da2c9989d6b840eae5efcd4e722d774d | Triage

Sharing

General

Target

Spotify Actualizado.rar
Size

1.3MB
Sample

230326-qltfasae9s
MD5

55e94263d46fd2379a9738ede36d2055
SHA1

433c3c435fae5c25616154fad407bec4bd92596a
SHA256

bb943a4b69a11e38ae79651edb071f57da2c9989d6b840eae5efcd4e722d774d
SHA512

6eef26faf9ec917a9f6fa2ded093f64de21c57e708f97337cace25e6147d63c041ad10d4f697f68e6ad1382679fb79b14f2b3ab53340c6b015094101febbd308
SSDEEP

24576:roSvg0j5Jr1dCeM5EQJMT4VOF1Kgratfyw/q1xg12tm6frOlorhh+np6:DtJr1keMKTbCcsWxich+p6

Score

10^/10

lumma discovery persistence stealer

Malware Config

Targets

- Target
  
  Spotify/Block/BlockTheSpot.bat
- Size
  
  179B
- MD5
  
  c8a02d2ca0e333fc5aaa003ec36d252e
- SHA1
  
  3bdeb7a8715fb37063f5298d17ca5ba3529c2fc5
- SHA256
  
  72e4df5d74a0941cdfa21467a9cf0002ff1aafe9ab8cba37eb7901ce0d7d091a
- SHA512
  
  cad4289d4e363433edf579f1507fc1479474b11b0db34ef300905cf76cbae5531680dd325eea9347c7b325f73c277528b799b46610585b28cb2d5e6ac1e875f3
Score

8^/10
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  Spotify/Block/README.md
- Size
  
  3KB
- MD5
  
  baab820fefe5b5082749472b2c26346e
- SHA1
  
  5bb717d1856e4a04fbd352c42921d8776451cc6e
- SHA256
  
  fbd3ba7a76d383371e640778818f956d7e8e5632589e293f402d8111d40173a3
- SHA512
  
  5a9600901c7bc413343227de6df34fb09f47f9beb890cd5c9fd7372697fb31edd8ffa34a5b585b876faa547f6e648dc2ff565be921975edf2a759308af24db14
Score

1^/10
behavioral3 behavioral4
- Target
  
  Spotify/Block/install.ps1
- Size
  
  4KB
- MD5
  
  d6391efb89ccc420774799bb0185e609
- SHA1
  
  63d2b12fad84b0391cbfe00b485261f9d76ec139
- SHA256
  
  0930f42793685aaa781840f88b91b8115ad3787ebb394f29799b8266fc422eb1
- SHA512
  
  114f133f766ee0e3eebd238dfc805223f45784313ada4eb66f1e1769074cefd19bf7fedce1ede7a505e9082679678c29cab0a74ff952fa8baf58e372bb6f9435
- SSDEEP
  
  96:LwehM7b5L50xpkc6IGKcLfLpUyPsNZuy3eW22Nx6YJ:LwrbR50xpG1btEZuGNoYJ
Score

10^/10

lumma discovery stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5 behavioral6
- Target
  
  Spotify/Block/uninstall.bat
- Size
  
  816B
- MD5
  
  858ef797776e74425859746bf3f06922
- SHA1
  
  7620d3f185a03138f4eaf340df47755deea1b5b5
- SHA256
  
  0659b1daeab5f3cb7782169b05d7ca8a2876a83294b342ddcc685e434dd0baf5
- SHA512
  
  ea84032e7290dae63d8132480f030219cee70dfd2f047013bd79a10c543c1c55b532a8b2809604b1dfa1548f8ca2357b1a6e3ba7018bb0f3079ea2ac2979d164
Score

1^/10
behavioral7 behavioral8
- Target
  
  Spotify/Block/zlink/index.html
- Size
  
  56KB
- MD5
  
  21e48d108e1b0784b074e41af223ccf6
- SHA1
  
  e7d91f00be65251d0d8e3a74142cb38aa42c64fa
- SHA256
  
  d7b44de7e211aec640bdf1ff477d142987692cdb6b8f5d3f7c526856885924a3
- SHA512
  
  896c38c61f68ffde365b060663a384a3776943f64e619c598617f7d1ca304c9cafa72b95cf0c6dff8c660f475bc6bc67995a3e462fcc59d5c55dc7b99c42cce1
- SSDEEP
  
  384:OTKk8fHc33dvsNrbXANAz79bGwNUmo9bv/flxvRSCk/b:OTKkMHXws9bGhv3rRSCGb
Score

1^/10
behavioral10 behavioral9
- Target
  
  Spotify/Block/zlink/zlink.bundle.js
- Size
  
  4.2MB
- MD5
  
  74ff4f39ff0fd683b85019b39912ff3c
- SHA1
  
  0f681c54279fb7617b256244cef1152914d46711
- SHA256
  
  ac73b5d3c5ec4dd6c455b351baf8ad34dc8c35abecd37886d77471a119c19258
- SHA512
  
  099026ab22ca6b96f7e06a88a0e4dffcad6dc9dd17b8f01f92d5ad3e3e9a9ac1951f88a322f3e0008ab5efc614860356568ad54cd44d99771c14411296f7f362
- SSDEEP
  
  49152:yUJ+gsSsAV78BWsB4vPI449tMMxXCjngBCrdCqIvVs0WH3m0gI2+1NoGbEsZhlTl:yvy4lS0WH3m0gI2+1NoUfYVhyIs
Score

1^/10
behavioral11 behavioral12
- Target
  
  Spotify/Setup/SpotifySetup.exe
- Size
  
  878KB
- MD5
  
  58d0152cf6b78cf28db2096c9c06a647
- SHA1
  
  a566fe8b45c4827ac891608d49e7d06fa65349fb
- SHA256
  
  4fe8735bd23743d7c7bab8cbecb3fb6dbfd49c768e17f67dbd2ef7d3aee9eb87
- SHA512
  
  677a19617cbaa0a3c0bb9e8264ec4081ae06554668a752b4e42e083623c2869f50d897160b914ae910c255812baaca665c083998ad03d805ebf7945cd60f764a
- SSDEEP
  
  24576:wbogxqPe59uvk+AIzGiodlpk9FXDBaRw0LTWZda0DeAYOWKCrrFaDPJI:aogB9sAIzGiodl8XDBsTWT1CAYOWKCrf
Score

10^/10

lumma discovery persistence stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

lummadiscoverystealer

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

lummadiscoverypersistencestealer