lumma | eb0bc9c7fbca78566ab61f91c8f6f98a5761c81b77aa173d2b98c76c59401315

Analysis

max time kernel
61s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f73c64753f24b31ec687dd1d4bbb7ad.exe
Size

89KB
MD5

1f73c64753f24b31ec687dd1d4bbb7ad
SHA1

1f48f0aba73a2d0b0d316335a13cfe7da623d238
SHA256

eb0bc9c7fbca78566ab61f91c8f6f98a5761c81b77aa173d2b98c76c59401315
SHA512

f08b98c4364551039c9034ce93a6487d9d6fd53e8cb889cc59b662ce2bf2946f556fa53202c1eab7678d383a52da990dc7c7ea1d22ad9c1e917f7d3b937ba3fc
SSDEEP

1536:qeOoLRMgjQfcZQvddwmtAOHqs3gRDYHnJjfxFZh28KfkG0AHs8e9PnD6xg7/nout:hbMxfJfpz9fxsl8G9s8+nDOWvout

Score

10^/10

lumma stealer upx

Malware Config

Signatures

Detect Lumma Stealer payload V4 22 IoCs

resource	yara_rule
behavioral1/memory/1704-0-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2860-12-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/1704-14-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2860-15-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2756-20-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2756-22-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2828-27-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2828-29-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2180-33-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2180-35-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2400-40-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2180-39-0x0000000002660000-0x00000000026EB000-memory.dmp	family_lumma_v4
behavioral1/memory/2400-42-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/1444-47-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/1444-49-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/1328-54-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/1328-56-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2936-60-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/2936-62-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/480-67-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/480-69-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral1/memory/624-73-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 5 IoCs

pid	Process
2860	rar.exe
2756	rar.exe
2828	rar.exe
2180	rar.exe
2400	rar.exe

Loads dropped DLL 10 IoCs

pid	Process
1704	1f73c64753f24b31ec687dd1d4bbb7ad.exe
1704	1f73c64753f24b31ec687dd1d4bbb7ad.exe
2860	rar.exe
2860	rar.exe
2756	rar.exe
2756	rar.exe
2828	rar.exe
2828	rar.exe
2180	rar.exe
2180	rar.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1704-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2860-12-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1704-14-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x000d00000001224d-4.dat	upx
behavioral1/memory/2860-15-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2756-20-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2756-22-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2828-27-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2828-29-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2180-33-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2180-35-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2400-40-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x000d00000001224d-37.dat	upx
behavioral1/files/0x000d00000001224d-36.dat	upx
behavioral1/memory/2400-42-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1444-47-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1444-49-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x000d00000001224d-50.dat	upx
behavioral1/memory/1328-54-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x000d00000001224d-52.dat	upx
behavioral1/files/0x000d00000001224d-51.dat	upx
behavioral1/memory/1328-56-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2936-60-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2936-62-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/480-67-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x000d00000001224d-64.dat	upx
behavioral1/files/0x000d00000001224d-63.dat	upx
behavioral1/memory/480-69-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/624-73-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x000d00000001224d-71.dat	upx
behavioral1/files/0x000d00000001224d-70.dat	upx

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rar.exe	1f73c64753f24b31ec687dd1d4bbb7ad.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	1f73c64753f24b31ec687dd1d4bbb7ad.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2860	1704	1f73c64753f24b31ec687dd1d4bbb7ad.exe	16
PID 1704 wrote to memory of 2860	1704	1f73c64753f24b31ec687dd1d4bbb7ad.exe	16
PID 1704 wrote to memory of 2860	1704	1f73c64753f24b31ec687dd1d4bbb7ad.exe	16
PID 1704 wrote to memory of 2860	1704	1f73c64753f24b31ec687dd1d4bbb7ad.exe	16
PID 2860 wrote to memory of 2756	2860	rar.exe	29
PID 2860 wrote to memory of 2756	2860	rar.exe	29
PID 2860 wrote to memory of 2756	2860	rar.exe	29
PID 2860 wrote to memory of 2756	2860	rar.exe	29
PID 2756 wrote to memory of 2828	2756	rar.exe	30
PID 2756 wrote to memory of 2828	2756	rar.exe	30
PID 2756 wrote to memory of 2828	2756	rar.exe	30
PID 2756 wrote to memory of 2828	2756	rar.exe	30
PID 2828 wrote to memory of 2180	2828	rar.exe	31
PID 2828 wrote to memory of 2180	2828	rar.exe	31
PID 2828 wrote to memory of 2180	2828	rar.exe	31
PID 2828 wrote to memory of 2180	2828	rar.exe	31
PID 2180 wrote to memory of 2400	2180	rar.exe	34
PID 2180 wrote to memory of 2400	2180	rar.exe	34
PID 2180 wrote to memory of 2400	2180	rar.exe	34
PID 2180 wrote to memory of 2400	2180	rar.exe	34

C:\Users\Admin\AppData\Local\Temp\1f73c64753f24b31ec687dd1d4bbb7ad.exe
"C:\Users\Admin\AppData\Local\Temp\1f73c64753f24b31ec687dd1d4bbb7ad.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\rar.exe
  C:\Windows\system32\rar.exe 532 "C:\Users\Admin\AppData\Local\Temp\1f73c64753f24b31ec687dd1d4bbb7ad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\rar.exe
    C:\Windows\system32\rar.exe 524 "C:\Windows\SysWOW64\rar.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\rar.exe
      C:\Windows\system32\rar.exe 528 "C:\Windows\SysWOW64\rar.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 536 "C:\Windows\SysWOW64\rar.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 540 "C:\Windows\SysWOW64\rar.exe"
        6⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 544 "C:\Windows\SysWOW64\rar.exe"
        7⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 548 "C:\Windows\SysWOW64\rar.exe"
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 560 "C:\Windows\SysWOW64\rar.exe"
        9⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 552 "C:\Windows\SysWOW64\rar.exe"
        10⤵
        
        PID:480
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 556 "C:\Windows\SysWOW64\rar.exe"
        11⤵
        
        PID:624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rar.exe

Filesize
13KB

MD5
0e7eb09e628dfc9d91b5e61caa128388

SHA1
6c5d9ccae84c5c8cf6fc4d7b280223ad7fc4bf1b

SHA256
09ac882a07fba6e622008e4a67a8a14a64cba44ebee8acbf8a49b74d833aa50a

SHA512
3267fd4491a35ec35dd5562458dec8dda5480d1b386c0d55bb5eb780a28dec2e124d2cdbb905d37dd6ba80969f8ed0a8ac2f96fbfb29d36ddbdab5df05350af9

Download Submit
\Windows\SysWOW64\rar.exe

Filesize
89KB

MD5
1f73c64753f24b31ec687dd1d4bbb7ad

SHA1
1f48f0aba73a2d0b0d316335a13cfe7da623d238

SHA256
eb0bc9c7fbca78566ab61f91c8f6f98a5761c81b77aa173d2b98c76c59401315

SHA512
f08b98c4364551039c9034ce93a6487d9d6fd53e8cb889cc59b662ce2bf2946f556fa53202c1eab7678d383a52da990dc7c7ea1d22ad9c1e917f7d3b937ba3fc

Download Submit
\Windows\SysWOW64\rar.exe

Filesize
73KB

MD5
6e2eb9b0d61cb256a4a28384e035a863

SHA1
dd8d3c9831a1b03bc14c8bfdc143cad8d7060684

SHA256
d1d5e48b9ac9feb9ef05d877b46e015678adc0a10bd86b403fd05f87f2d05e36

SHA512
29e39cb30ba00f6aa51301b870167200542d12c882b3182483b1262ff7bd9e0644275bff911ede918b80f35730b2e1a22f5d088012076ed39ab0a93564582ca2

Download Submit
\Windows\SysWOW64\rar.exe

Filesize
4KB

MD5
01eefbed5da7df1516c1e5f90cfaba2e

SHA1
0294a0c10e2e82f2e15bbab476ca02f98e41cb94

SHA256
7bf968e9d71fd6fc41a72434b7ed1696ad21d5c2a0c1ee6f18c33f4ba4d6396c

SHA512
f3820543245751e9e0679bbbe4fe3b7d80edefe9792fd189f684fd3cad877dc6e2e1cfac195cca9dd1513628a24518e6142e452f4f80be0b7eca1165052a21e5

Download Submit
\Windows\SysWOW64\rar.exe

Filesize
12KB

MD5
4dc1fae85c8cf2321d81616b912d8e01

SHA1
1ee1b1953400259120624f9e23170a31efab96ef

SHA256
6b328cfeac5b39c05210b918071fe5d7ea9403006cee418faaffb48b8219d358

SHA512
69ffe688607f075fb37a0618f55bd486a5ae3f5c85fdfbbced4a2be8278f3f51115bb87aaf183ff0efae86b28952f3b621e953168e7794e2b415f0993f3d86f0

Download Submit
\Windows\SysWOW64\rar.exe

Filesize
32KB

MD5
186ca41d5e1416a936452f550c6f5016

SHA1
8a526725914bfa0743aa04d7974f9f62a3e61d40

SHA256
0fb5fda99e9d1f66e005cf2c9173ea26c74a112fea8c771c34ddb5e8ea3f9724

SHA512
049796a978914c7d2c27d408f6fa8849535b0ae5037accf66056f0c843a4964d9623b901ab4fa2102eb61f39ef31f99c190519dcf38f385180297ab812da9ee8

Download Submit
\Windows\SysWOW64\rar.exe

Filesize
31KB

MD5
68d627dcae3d79d21c69b210dcb3542f

SHA1
917d460dbebd405ef84f7ed6023f7be060ad3863

SHA256
b60e8296fdd36bf3107ce518ee62cf9cdf7ae76d7eed89e5024beadcf12f5401

SHA512
85dfd233ba066e6e296c89350ef2ed6c4780f6202e6288ead8008df5813b5122e61be94a5cc319c24a1fbac86cf6a68c9f1b199a4d7275bede188a43effc6d05

Download Submit
\Windows\SysWOW64\rar.exe

Filesize
29KB

MD5
177bd6e32bb784a338ebb2a7fe1fdf47

SHA1
7d3cefbb65e8be1509a81d490aac95b136039e88

SHA256
65a8a637c2a35686d389515afde2f8d12c1672b62480fc3d5b29e31406c26db6

SHA512
55db197d18b21fcda92e84bd6e05ac57350504fd4d018f7b5eb2ae48dbd9bcc3eff3def4f5b5ccb05a2e1182177c6242e88d5663bcd7ec68d265d02027431153

Download Submit
\Windows\SysWOW64\rar.exe

Filesize
4KB

MD5
0f42039490a0f59192546cbd92bbd13d

SHA1
504f75dcaa5b28129e27e437f254e82c471c868a

SHA256
cbef4d3ac7cc5cd9040490e1344f519186d95f0fecf8dae70975e375b989fa09

SHA512
743988d853f28d2264b9dfdfb629079398499e5b79b99fc329f099449d7e1783a9a4f8e67b1841569faaa0d34a9a586a55b839a65b5e37cb517c58f5a9c1f2bc

Download Submit
memory/480-69-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/480-67-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/624-73-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1328-56-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1328-54-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1444-53-0x0000000002370000-0x00000000023FB000-memory.dmp

Filesize
556KB

Download
memory/1444-49-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1444-47-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1704-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1704-14-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1704-11-0x0000000002690000-0x000000000271B000-memory.dmp

Filesize
556KB

Download
memory/2180-39-0x0000000002660000-0x00000000026EB000-memory.dmp

Filesize
556KB

Download
memory/2180-35-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2180-33-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2400-42-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2400-40-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2400-46-0x00000000023B0000-0x000000000243B000-memory.dmp

Filesize
556KB

Download
memory/2756-20-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2756-26-0x0000000000610000-0x000000000069B000-memory.dmp

Filesize
556KB

Download
memory/2756-22-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2828-29-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2828-27-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2860-12-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2860-15-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2860-19-0x0000000002370000-0x00000000023FB000-memory.dmp

Filesize
556KB

Download
memory/2936-60-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2936-66-0x00000000004D0000-0x000000000055B000-memory.dmp

Filesize
556KB

Download
memory/2936-62-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download