lumma | e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700 | Triage

Submit
Reports

Overview

overview

Static

static

1

test.txt

windows7-x64

1

test.txt

windows10-2004-x64

Sharing

General

Target

test.txt
Size

2B
Sample

230529-e23hcsaa2t
MD5

d784fa8b6d98d27699781bd9a7cf19f0
SHA1

dd122581c8cd44d0227f9c305581ffcb4b6f1b46
SHA256

e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700
SHA512

f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0

Score

10^/10

lumma microsoft discovery persistence phishing spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

test.txt

Resource

win7-20230220-en

windows7-x64

1 signatures

1800 seconds

Behavioral task

behavioral2

Sample

test.txt

Resource

win10v2004-20230221-en

lumma microsoft discovery persistence phishing spyware stealer

windows10-2004-x64

31 signatures

1800 seconds

Malware Config

Extracted

Family

lumma

C2

195.123.227.138

Targets

- Target
  
  test.txt
- Size
  
  2B
- MD5
  
  d784fa8b6d98d27699781bd9a7cf19f0
- SHA1
  
  dd122581c8cd44d0227f9c305581ffcb4b6f1b46
- SHA256
  
  e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700
- SHA512
  
  f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0
Score

10^/10

lumma microsoft discovery persistence phishing spyware stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

lummamicrosoftdiscoverypersistencephishingspywarestealer

© 2018-2024

Terms | Privacy