Analysis Overview
SHA256
0f40b111497b78b928a42f3c4f2e0c988be7ee5b3b0d523300685b75a2aadf06
Threat Level: Known bad
The file LummaC2-corps.exe was found to be: Known bad.
Malicious Activity Summary
Detect Lumma Stealer payload V2
Lumma family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-30 15:57
Signatures
Detect Lumma Stealer payload V2
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-30 15:57
Reported
2023-04-30 16:00
Platform
win10v2004-20230220-en
Max time kernel
60s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe
"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-30 15:57
Reported
2023-04-30 16:00
Platform
win7-20230220-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Processes
C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe
"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"
Network
| Country | Destination | Domain | Proto |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp | |
| BG | 195.123.226.167:80 | tcp |