Malware Analysis Report

2025-08-06 00:52

Sample ID 230430-tebtfsca5t
Target LummaC2-corps.exe
SHA256 0f40b111497b78b928a42f3c4f2e0c988be7ee5b3b0d523300685b75a2aadf06
Tags
lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f40b111497b78b928a42f3c4f2e0c988be7ee5b3b0d523300685b75a2aadf06

Threat Level: Known bad

The file LummaC2-corps.exe was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Detect Lumma Stealer payload V2

Lumma family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-30 15:57

Signatures

Detect Lumma Stealer payload V2

Description Indicator Process Target
N/A N/A N/A N/A

Lumma family

lumma

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-30 15:57

Reported

2023-04-30 16:00

Platform

win10v2004-20230220-en

Max time kernel

60s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe

"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-30 15:57

Reported

2023-04-30 16:00

Platform

win7-20230220-en

Max time kernel

31s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Processes

C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe

"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"

Network

Country Destination Domain Proto
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp

Files

N/A