lumma | c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

General

Target

c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe
Size

5.1MB
MD5

7f4f98a26d4835578f46224112cc6a15
SHA1

c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0
SHA256

c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276
SHA512

c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b
SSDEEP

49152:P+YP67CyHtopnQluz8CTtagvrvdNVELjMmPQt+yJQ1EErwVeCbrrqe8t6WmfFXAA:02YtaHDvdXEvPgwtTCo6R9wJLYtk+L/j

Score

10^/10

Malware Config

Signatures

Detect Lumma Stealer payload V4 5 IoCs

resource	yara_rule
behavioral2/memory/3604-21-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/3604-23-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/3604-26-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/3604-20-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/3604-28-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/2720-0-0x0000000000B20000-0x0000000001034000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4584	3604	WerFault.exe	74

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 4132	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	76
PID 2720 wrote to memory of 4132	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	76
PID 2720 wrote to memory of 4132	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	76
PID 2720 wrote to memory of 2256	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	75
PID 2720 wrote to memory of 2256	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	75
PID 2720 wrote to memory of 2256	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	75
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74
PID 2720 wrote to memory of 3604	2720	c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe	74

C:\Users\Admin\AppData\Local\Temp\c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe
"C:\Users\Admin\AppData\Local\Temp\c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 676
    3⤵
    - Program crash
    PID:4584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:4132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/2720-25-0x0000000007E50000-0x0000000007F50000-memory.dmp

Filesize
1024KB

Download
memory/2720-0-0x0000000000B20000-0x0000000001034000-memory.dmp

Filesize
5.1MB

Download
memory/2720-3-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/2720-4-0x0000000005B70000-0x0000000005C0C000-memory.dmp

Filesize
624KB

Download
memory/2720-5-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/2720-6-0x0000000005B40000-0x0000000005B4A000-memory.dmp

Filesize
40KB

Download
memory/2720-7-0x0000000006450000-0x0000000006678000-memory.dmp

Filesize
2.2MB

Download
memory/2720-14-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/2720-1-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-17-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/2720-2-0x0000000005E50000-0x000000000634E000-memory.dmp

Filesize
5.0MB

Download
memory/2720-15-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/2720-8-0x00000000077B0000-0x0000000007942000-memory.dmp

Filesize
1.6MB

Download
memory/2720-27-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-16-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/2720-22-0x0000000007E50000-0x0000000007F50000-memory.dmp

Filesize
1024KB

Download
memory/2720-18-0x0000000007E50000-0x0000000007F50000-memory.dmp

Filesize
1024KB

Download
memory/2720-19-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/3604-20-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3604-26-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3604-21-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3604-23-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3604-28-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing