lumma | 4bb96e207766072dbccf4efd5fb7345de8dcdba89ea59716084a64ba80ad20fc

Analysis

max time kernel
125s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2023 16:49

Target

be24e8da3ef7d56098e6f1f72fee8e8b.exe
Size

2.7MB
MD5

be24e8da3ef7d56098e6f1f72fee8e8b
SHA1

5f3b0d7775fa4b245d1d43e0991a184eab81170e
SHA256

4bb96e207766072dbccf4efd5fb7345de8dcdba89ea59716084a64ba80ad20fc
SHA512

a5576530038e6c246d68ada97a4fe13b6d98a6c4361e7989fc96c49849c056bb2d6bb0af50afc2c7a42a9166274b2272bf5f3b5f01f7eee9cdd01c81b0d14412
SSDEEP

49152:r+ZJQkNnxM4zAHxcXnU6lzje+CtrDXXTU0YomSPS4bqAg7Qf:SZJQ2zcuXnU6lzje+CtrDXXTUPSPS4Oq

Score

10^/10

lumma stealer

Detect Lumma Stealer payload V4 5 IoCs

resource	yara_rule
behavioral2/memory/1180-0-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/1180-1-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/1180-2-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/1180-3-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4
behavioral2/memory/1180-4-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3392 set thread context of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3152	1180	WerFault.exe	98

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98
PID 3392 wrote to memory of 1180	3392	be24e8da3ef7d56098e6f1f72fee8e8b.exe	98

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1180 -ip 1180
1⤵
PID:2088

memory/1180-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1180-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1180-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1180-3-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1180-4-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download