lumma | 6c8dfbba2dfc6053ef6de63a3eb88e980c4f31fdbd249d30d854314a666fff30

Sharing

Copy URL

Twitter E-mail

General

Target

Themida_x32_x64_v3.1.4.18_Licensed.zip
Size

57.2MB
Sample

230525-gzt5bagc96
MD5

eba3e9b809024626bb337719649b84dc
SHA1

3e4f0a322fe032eea54639da8e27a2ae1b7ce5ef
SHA256

6c8dfbba2dfc6053ef6de63a3eb88e980c4f31fdbd249d30d854314a666fff30
SHA512

6beab22ea15b133aa5deeec08460993d5a9c6677627543d449e5c2df32fc235496ce64edb654823ec1ff227b13f38c5c8d79ba14a5583cae3b94415a4bebab7d
SSDEEP

1572864:fUCFH7EITfh4HDtlfng+UN4oy/cRvz8VkmliSDRBmLT/EGa3jn:sCFf4jtlY+UKoy/qANiSdBmLKzn

Score

10^/10

Malware Config

Targets

- Target
  
  Themida.exe
- Size
  
  27.8MB
- MD5
  
  edd5dd7c99e8eb348975c07141c37ee7
- SHA1
  
  3070564b9446b86825fbdccd0e51e29b7480c2cc
- SHA256
  
  d09924511b04573e4ab90024a1d34803badbe02c803fa9c866802329721fedbb
- SHA512
  
  45b842259c3fd81a157caeeaf1be00e010ff8603e82920cffb3b723e1bb31b68f01c01adcf899e8b2ecd88d0e4d9b9f87e74b447780fed76cb598de4e3c46306
- SSDEEP
  
  393216:8nqcmcSBE/dfB9NjwtLzRQiV8v9cxcBxkxI+iTNMrYc1o+v3hdAw+G:8BmxBE1p99ARQiV8v9BVAYcK+Ew
Score

10^/10

lumma bootkit evasion persistence stealer trojan
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  Themida64.exe
- Size
  
  28.0MB
- MD5
  
  32fc28621507bfcc035bb2ab6c139d23
- SHA1
  
  a2531c635b30aaeca192b185f2c7510bbf6bb638
- SHA256
  
  3e93c31b8146d46996dff4936d9f716d839fb0d3526226b43113a550004b3766
- SHA512
  
  aa4f33e7e6e3ccf8455712af1ea9de2e96b5c7b3602f909addcd3f1af20217312ecb0d357eb39755cdb1a509053487c0c6c1a51a553cbddbc9c77ec26e45f485
- SSDEEP
  
  786432:OYcabYtPjQy3wvrR09LQlSIoJq6DuPNN4N7j:7c6YtH3s09MlSIAg4N
Score

10^/10

lumma bootkit evasion persistence stealer trojan
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2
- Target
  
  ThemidaHelp.chm
- Size
  
  1.4MB
- MD5
  
  5b17a38c19fdeb9da763f9ce6212e483
- SHA1
  
  b5e930593a51ba93b8e87b8178c1113f75adf96d
- SHA256
  
  2e013c688cb06dc6d08c9e5420dcaca0a189e5d5f093090aad4fc6d12a9c0540
- SHA512
  
  d90f86845b6c429e8591cbfa8eb0c984972fc0262b20fbf19068abdd11a3921615b694dbbe6b15c447964442684dd719a6e4e677163c1aeda2d79f306ef31b63
- SSDEEP
  
  24576:BxtKslp35/TDYgRtaVGdgJiYEm+Z63NbztNgigjyjoeF2Hq08JSBcdZcs:BxtKwjfYOtawyiY8ZCbpxgsF2K5JSBIj
Score

1^/10
behavioral3
- Target
  
  ThemidaSDK/ExamplesSDK/Plugins/Examples/C/TestPlugin/TestPlugin.vcproj
- Size
  
  7KB
- MD5
  
  61a5e554c6496e41c4300f5fd5078e4c
- SHA1
  
  0ac60568eae3ce594b1c9b430440a6ae3f046a59
- SHA256
  
  afd5ecde10cd874cd8e82cc837014768c1db3ee68b8de402e05fa31cf86b2597
- SHA512
  
  8576e334a1e2f7ffa82e0ebb3559916cda94d6e6e4b2114a16f6568345db2ff28bfa392914ca4470b8b310e679342593d35ccd2efb29809d444b36dea36c2763
- SSDEEP
  
  96:tpmzwaGS66LzCa9Nt6gz9a9Sd6AzRa9Nk6ottAipfwpfnpfRp56AebI4:tuw+tCWJ9RHRW9iFwFnFRyAO
Score

1^/10
behavioral4
- Target
  
  ThemidaSDK/ExamplesSDK/Plugins/Examples/Delphi/TestPlugin.dll
- Size
  
  2.0MB
- MD5
  
  e08135766e6d14cf1ead4393eb33eeb4
- SHA1
  
  760f16fd201dc55fc68a8c030aaa7e98f6f5f519
- SHA256
  
  e67fa2a9c9fe7dbf8e29143d8bd1222422bfe08ef368e8e046bbee9a8dd731ee
- SHA512
  
  3bc9d6e8ee3690e1adcd667faa3e5eb35731b4c6d1abfde518959e704f50806493453133be7d1f6a419e87ac9df0aa09dac7dd6f65e23de37435c0a3a827952f
- SSDEEP
  
  24576:50Xy3Vsv/hQMcUGBZ4/NEZfqYfMWj1YT/hBUSMmPTfQAYe5ft07VBCgZkQlFE3:aC+/lKtMtbhCStP0A4UbQlF
Score

3^/10
behavioral5
- Target
  
  ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/CBuilder/Project1.bpr
- Size
  
  6KB
- MD5
  
  35294d4f45b5a763b29f52c9b494f0d6
- SHA1
  
  7f246eb52cb1da7552c5cf1278cb6329a51f64e4
- SHA256
  
  6d615505216bc09c3a65195c179b4c100b017da9f3ee07cd1478eb2942979031
- SHA512
  
  a7df4ad8ce93d6ba643c6690151bf877201b1c7fb38bf561c6e4e529a4bfe45a00563eeb273ff70cd6f36b70c788b3610d869213fc41a0cc990ddf660d8dbf4c
- SSDEEP
  
  192:NigwlwSLXLIh3DXS7JewGas2FLmL8LwLFSgpi:Nirl2IV
Score

1^/10
behavioral6
- Target
  
  ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/CBuilder/Project1.cpp
- Size
  
  1KB
- MD5
  
  93b812faa14fc235204acc81cb6256c3
- SHA1
  
  c8a2907eb28940efaeb3e3aaf5816f85edc0c419
- SHA256
  
  8ef2ed5bdd6c0172b53ba70b31481e0209d51c0cb6d67871642371c5638ac672
- SHA512
  
  804983cc99118e8c609d1f0177ab77b835247640cc75b4d9f6a44094fb7eddce1ff8aa76d7da8e85e92bc6d7072e424b109ef11fd0dffacf40f16f06d39e8f87
Score

1^/10
behavioral7
- Target
  
  ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/Visual C++/vc_example.plg
- Size
  
  1KB
- MD5
  
  97ea28334d67d71e4a96b56d76fe0d15
- SHA1
  
  caffb42a57d09d6b8246c583f0d76004fd003d86
- SHA256
  
  9965e660e07492e5c45bc7c52b981d1d65f6341a415979742418f5f699c1e771
- SHA512
  
  0f2c0e693dd4e83e3c0bd2b68f6015a878f77b87dd0c84da836416b74e4284e8787c19b5d361732ab0d45c2b9c924746d73dba1493d1722b93731db6229120a3
Score

1^/10
behavioral8
- Target
  
  ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/Visual C++/vc_example.vcproj
- Size
  
  11KB
- MD5
  
  429e2cb8cf9f7de1b2002ae00cefcf36
- SHA1
  
  05c0f85bd470c3a985eeb070b73fd0d336f9bc0f
- SHA256
  
  0a0196a87764dca2d6649f7e979a60b3192bd8fdde5b917f994472df6dc6621b
- SHA512
  
  4061718b73fd03b15b93b15d9f84971f11e81ad4c02aa73e3835aa08938b2b5ca5a8df72fafd97cf8a160387bac7e30b1f1f0859dcfad682a6da3ac68971f0db
- SSDEEP
  
  192:Q7kEqgkPp4T6U53CEqpCQ7EqCkPp4T6U53CEqbfQjwZibRZnpwwi6Rwnl:jDvqCrCQ7ZvqC5fQjwZibRZnpwwi6Rwl
Score

1^/10
behavioral9
- Target
  
  ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/Visual C++/vc_example.vcproj.7.10.old
- Size
  
  5KB
- MD5
  
  6894204de7162973f0998cf9540dfa04
- SHA1
  
  5cb94a7ae104eaceaa73aed477b4343a70e5752f
- SHA256
  
  17334d94ef99dddba6f60e80f8c86fd6ef7dae003545dbf178504f6dc28ba37a
- SHA512
  
  c3c92579ae1a78bce420e4aed1b90fe2a3917380f898f7672250a64c928b2d2b043160e4cbca86578609e866f8eeb22084a6dbb3bdcef0e3335f8fb4c709a9cd
- SSDEEP
  
  96:N7Pld/p4TZcUZ3Dx/9DFawxOcOD+9DFaFp+Cdp0L+C00FvbI4:N7PlVp4TZcUZ3lCwocOkCb0qC00F
Score

1^/10
behavioral10
- Target
  
  ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/Rust/hello.rs
- Size
  
  730B
- MD5
  
  f531a993991b46659f6e8a9aea0e1080
- SHA1
  
  569c9e7f701b69569be1d3c90cd2e6e04b982fd5
- SHA256
  
  7dc08c77295abd41a19f385c6d55ad9c938745ff0bce55dedc2394df38c9b2bb
- SHA512
  
  fde9e5409788ebadbafe485f11435b8f53b470688f726e1a7a751c1cd8054c68dc779b9ba5ca45d8c4c715a63353f42f493a3a7efd33932723e752ab1e610a1a
Score

1^/10
behavioral11
- Target
  
  ThemidaSDK/ExamplesSDK/Protection Macros/C/CBuilder/Project1.bpr
- Size
  
  7KB
- MD5
  
  99caa04789d6906ec9a0c322f941b667
- SHA1
  
  99fae7fa8bbdec1135c5101b405b459b17dd9227
- SHA256
  
  ff9d38f8ec6c22ac23eabbd34bd508dc606db4596af6648b267bc3f98a50a1f8
- SHA512
  
  283295e0f8ad3ae756309c8d7194b2c92c6c60d938acdcc9e796ee0d79b18b4ba3b33838e652daed00e9d205c33f12e6f3a77ffcb607c61b1c6b17ecf0a40122
- SSDEEP
  
  192:NigwlwSLXLIh3DXS7JewGas2/LQLtLAL7LwLxLFSgpi:Nirl2WV
Score

1^/10
behavioral12
- Target
  
  ThemidaSDK/ExamplesSDK/Protection Macros/C/CBuilder/Project1.cpp
- Size
  
  1KB
- MD5
  
  93b812faa14fc235204acc81cb6256c3
- SHA1
  
  c8a2907eb28940efaeb3e3aaf5816f85edc0c419
- SHA256
  
  8ef2ed5bdd6c0172b53ba70b31481e0209d51c0cb6d67871642371c5638ac672
- SHA512
  
  804983cc99118e8c609d1f0177ab77b835247640cc75b4d9f6a44094fb7eddce1ff8aa76d7da8e85e92bc6d7072e424b109ef11fd0dffacf40f16f06d39e8f87
Score

1^/10
behavioral13
- Target
  
  ThemidaSDK/ExamplesSDK/Protection Macros/C/Visual C++(via ASM module)/vc_example.vcproj
- Size
  
  11KB
- MD5
  
  179859857a2960f22142026f075534f5
- SHA1
  
  3cb45d1e4b76fdcdeb52ec804b3802ddbb18de2e
- SHA256
  
  c76408e442991448f4c05dc3462d28db32c4fe85515431716e1a4f31473f44d0
- SHA512
  
  f203c460bd52b4b86b2be0878180a43f5c94fa9f101b97fa1b6b72bbf8dbc015f80d28aac89795bc95e18cb15c79aee0cd521ade94d3c0db807cf0d6d13ba9dc
- SSDEEP
  
  192:E7kEqgkPp4T6U53CEqpCQ7EqCkPp4T6U53CEqbfQjwZibRZnpwwi6Rwnl:vDvqCrCQ7ZvqC5fQjwZibRZnpwwi6Rwl
Score

1^/10
behavioral14
- Target
  
  ThemidaSDK/ExamplesSDK/Protection Macros/Rust/hello.rs
- Size
  
  730B
- MD5
  
  f531a993991b46659f6e8a9aea0e1080
- SHA1
  
  569c9e7f701b69569be1d3c90cd2e6e04b982fd5
- SHA256
  
  7dc08c77295abd41a19f385c6d55ad9c938745ff0bce55dedc2394df38c9b2bb
- SHA512
  
  fde9e5409788ebadbafe485f11435b8f53b470688f726e1a7a751c1cd8054c68dc779b9ba5ca45d8c4c715a63353f42f493a3a7efd33932723e752ab1e610a1a
Score

1^/10
behavioral15
- Target
  
  ThemidaSDK/ExamplesSDK/Protection Macros/Visual Basic/Vb6NoOpt.bak
- Size
  
  24KB
- MD5
  
  7cdbde7a57046f1cc4be6bc05aea2092
- SHA1
  
  181f077b774dd823775166062ea39fbc10de8acd
- SHA256
  
  626529d17acd7cb7040d7d0e3d006d6f3d7f522e30202fec5e79e70a86b70516
- SHA512
  
  d58d986f72a130d1fddbad2ecb4dc90052bd1b2a9e81715ed044e8f5cc88e39c17ee4fca46552a60e0ac525efb7b5acd086cfd8a516e57166245d64a1eeef87c
- SSDEEP
  
  192:/TWTToKTIZEP9JTIEqiY38B+5gyWx62wspLM:/TWH1TR1OEqakB2wspLM
Score

1^/10
behavioral16
- Target
  
  ThemidaSDK/Include/C/Via ASM module/How to add ASM files in your Solution.pdf
- Size
  
  143KB
- MD5
  
  fa1cd447a7563f9f3ab781603be8fe74
- SHA1
  
  199386d987576725d1061e661da266065114cc1d
- SHA256
  
  57c54fc2e3551950a3721a97ffc5ff187be67e858fd078aec27ad313d3c5377a
- SHA512
  
  0be0725d7c72e86ae0a8b3d956e8e20a55df28b1b664e94e2a160446f308481804c3cfaa58b3406addc5e2db777a190548f458cb462f95ab8a7d852fc174a4f7
- SSDEEP
  
  3072:GxWQKotRiBw5z+i9IMmGrjXdIN//6XOy1QOO5XMK23c7cJ2pWESscNq5AorSA7eK:IWQBR95rZpI1/MOEQOO5XMK2YzSscirf
Score

1^/10
behavioral17
- Target
  
  ThemidaSDK/SecureEngineSDK32.dll
- Size
  
  28KB
- MD5
  
  0114de893690b4649b232e47129b1524
- SHA1
  
  4d5f0bbe2c13ec0ef65249876ef64a79a688c9f5
- SHA256
  
  e2f064755265bc9d393e691217b24708c80143c6b8562112e206b7c2a48fe89f
- SHA512
  
  0ee5401efecb0e3d83debaffb41423c4bac8bea49126e168a23500ec7fc1187e977a823f969511b2e780046482d9a63de7d6c2f3d07728726ebc4b5aa49d8578
- SSDEEP
  
  192:W8s5GUuxBd/KCeotPpWZlNCry+9XYqX5xS5caV7UcSAfM5IBizxhv:WkxBQCeqPpWZ49XXfnvA05
Score

1^/10
behavioral18
- Target
  
  ThemidaSDK/SecureEngineSDK64.dll
- Size
  
  28KB
- MD5
  
  6d8722b257230e3f691197715ec2b4b1
- SHA1
  
  bf141f3aff5b5e1cd2f02a5d81125931ba4a842d
- SHA256
  
  175a75ca524b269b25fb5144dc0abb4ac9b1673852df3abfbd4f6c449e01827d
- SHA512
  
  b6d077c57780ab6d58649cee36a1016573adfcafcfa8c823297a19f8bb1d1ea0c1b613044076bcd805a0c18dc37a78208ebaa4d0e19c192b65415028355f1069
- SSDEEP
  
  192:3Mi08s5GvuxBdzbNEQaSpqX5xS5haVWUcSAfMVIBizxhv:cdZxBhaHfSsA0V
Score

1^/10
behavioral19
- Target
  
  WinlicenseSDK.dll
- Size
  
  214KB
- MD5
  
  89cf33cbe62f8b7c15d0cb47d3ae4ffd
- SHA1
  
  81ca15044476606cf5ef13a1372c6f5e06ba2eb2
- SHA256
  
  9063dc5b7a3e57fc94b8b753e4aa869efcab683637776335f5723c4140a751e3
- SHA512
  
  b8e39e3d55482c707f54f491a11e7f9fbd9f5aca4439b9cdce164b595f0cccb176134d716bbc3f9e29acc856cf6351319769cf3dcc159eb0947912ddd451b8ce
- SSDEEP
  
  3072:+jwj/ejqrLuDGNBwROk5vIPqpoGpMQIs6QIVhiy6q:Qwzj9BE9vISik4Qe6q
Score

3^/10
behavioral20
- Target
  
  demangler.dll
- Size
  
  75KB
- MD5
  
  cc74ea40bb1b4eb866f6ee84f6b41a79
- SHA1
  
  42023cfd5af17afa02538a5f99141dcda15268e0
- SHA256
  
  47d5b5bf9fb06be2fef9f60da10e4b538e4d034937cb98cea143ffbf923c7d02
- SHA512
  
  1acc9f478ded50884f2bc9c6b6b5949de3e249696a0b744fecf3322ff306d822469e2e287a629d094735a4123e470b8b1253649a1b9d2dbabac856fc71e2d4d5
- SSDEEP
  
  1536:9KoHXYTGjqwOMdjN6A7dzrJBEJszChI5SteqG8Go/fWYyN:9jXYpLMdjAAzB0huStz/fz
Score

3^/10
behavioral21
- Target
  
  libspv.dll
- Size
  
  868KB
- MD5
  
  6c8042af9e749f6406b7bd7dcf98d7eb
- SHA1
  
  b7395c27c72eb4b78d8459bb379c613d5f2bb365
- SHA256
  
  8338de9a14e5bea902708b00d25c16ec5549639167b96ae162dcdd22f65ec955
- SHA512
  
  098a8292a4e35fd21bd4f35c729581dd59e5640b46c2761790864a4f6195c78c7014f33201d2b63ab990cdcb66bc9bbc1b7d76fd46df745e8586e111b159c3ad
- SSDEEP
  
  24576:JsB1pU8fkfwILenP0EooIvVXLb40mc4D4RP6vX:Js57kfwVIRW4RP6vX
Score

1^/10
behavioral22
- Target
  
  vcomp140.dll
- Size
  
  135KB
- MD5
  
  6b2739f7a5238c8fb4442355dcfdbb0d
- SHA1
  
  eff490909fbea9a3f6593fbf401f797730cea8eb
- SHA256
  
  41db8ab344bde359137d6a7d5be5dbf79c4bf2b52d8263c4fad3eac525606ab9
- SHA512
  
  f061a61ce4dbc499afbb8f18c2f2af5fd56286399253aa3e2ab86073e22148c56a044167acae81856b48cb03c4cfd060c8e1b74eb958083d182041a7c3e1ea89
- SSDEEP
  
  3072:cyrx4kf0ZGQ62xfOW6Z34bL/AmPVgN/7aG5fhqyENt:WGQ+ZaL/m/WXt
Score

3^/10
behavioral23

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Lumma Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Lumma Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23