lumma | cff5bfbcc6fde58110e968d0476d64135459e69691856bbd3c58d1c45fc4441d

Analysis

max time kernel
143s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 15:17

Target

0367292a18cefaa80dddab05c1a59987.exe
Size

67KB
MD5

0367292a18cefaa80dddab05c1a59987
SHA1

76dc505f228f44eb95c73ab012bf5b8202ab72d5
SHA256

cff5bfbcc6fde58110e968d0476d64135459e69691856bbd3c58d1c45fc4441d
SHA512

61186ae6090eb81b9c6b5f4eb29abb614a95c2c8e39a9d8a585a426fb03ee8b3efe87c070d5ef9b64ebca7d9502d8dbf19666df7b73ae21270706ce2f56ed901
SSDEEP

1536:SIdHmGuOt0QGkPxv1NCl84mD9m8rOyawDx6b3YcDl:SSHYe0QLxNjrg0DwLYm

Score

10^/10

lumma stealer upx

Detect Lumma Stealer payload V4 2 IoCs

resource	yara_rule
behavioral1/memory/1040-1-0x0000000000400000-0x000000000045E000-memory.dmp	family_lumma_v4
behavioral1/memory/1040-13-0x0000000000400000-0x000000000045E000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
1228	devldr32.exe

Loads dropped DLL 6 IoCs

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1040-1-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral1/memory/1228-12-0x0000000000420000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1040-13-0x0000000000400000-0x000000000045E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\devldr32.exe	0367292a18cefaa80dddab05c1a59987.exe
File opened for modification	C:\Windows\SysWOW64\devldr32.exe	0367292a18cefaa80dddab05c1a59987.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2212	1228	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1228	1040	0367292a18cefaa80dddab05c1a59987.exe	28
PID 1040 wrote to memory of 1228	1040	0367292a18cefaa80dddab05c1a59987.exe	28
PID 1040 wrote to memory of 1228	1040	0367292a18cefaa80dddab05c1a59987.exe	28
PID 1040 wrote to memory of 1228	1040	0367292a18cefaa80dddab05c1a59987.exe	28
PID 1228 wrote to memory of 2212	1228	devldr32.exe	29
PID 1228 wrote to memory of 2212	1228	devldr32.exe	29
PID 1228 wrote to memory of 2212	1228	devldr32.exe	29
PID 1228 wrote to memory of 2212	1228	devldr32.exe	29

\Windows\SysWOW64\devldr32.exe

Filesize
67KB

MD5
0367292a18cefaa80dddab05c1a59987

SHA1
76dc505f228f44eb95c73ab012bf5b8202ab72d5

SHA256
cff5bfbcc6fde58110e968d0476d64135459e69691856bbd3c58d1c45fc4441d

SHA512
61186ae6090eb81b9c6b5f4eb29abb614a95c2c8e39a9d8a585a426fb03ee8b3efe87c070d5ef9b64ebca7d9502d8dbf19666df7b73ae21270706ce2f56ed901

Download Submit
memory/1040-0-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/1040-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1040-4-0x00000000026F0000-0x0000000002750000-memory.dmp

Filesize
384KB

Download
memory/1040-13-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1228-12-0x0000000000420000-0x000000000047E000-memory.dmp

Filesize
376KB

Download