lumma | eb0bc9c7fbca78566ab61f91c8f6f98a5761c81b77aa173d2b98c76c59401315

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f73c64753f24b31ec687dd1d4bbb7ad.exe
Size

89KB
MD5

1f73c64753f24b31ec687dd1d4bbb7ad
SHA1

1f48f0aba73a2d0b0d316335a13cfe7da623d238
SHA256

eb0bc9c7fbca78566ab61f91c8f6f98a5761c81b77aa173d2b98c76c59401315
SHA512

f08b98c4364551039c9034ce93a6487d9d6fd53e8cb889cc59b662ce2bf2946f556fa53202c1eab7678d383a52da990dc7c7ea1d22ad9c1e917f7d3b937ba3fc
SSDEEP

1536:qeOoLRMgjQfcZQvddwmtAOHqs3gRDYHnJjfxFZh28KfkG0AHs8e9PnD6xg7/nout:hbMxfJfpz9fxsl8G9s8+nDOWvout

Score

10^/10

lumma stealer upx

Malware Config

Signatures

Detect Lumma Stealer payload V4 16 IoCs

resource	yara_rule
behavioral2/memory/2468-7-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/4952-8-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/2468-9-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/3288-11-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/3288-13-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/1928-15-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/1928-17-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/3592-21-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/3248-23-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/3248-25-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/3232-29-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/1280-31-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/1280-33-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/3300-37-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/5084-41-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4
behavioral2/memory/4700-44-0x0000000000400000-0x000000000048B000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 10 IoCs

pid	Process
2468	rar.exe
3288	rar.exe
1928	rar.exe
3592	rar.exe
3248	rar.exe
3232	rar.exe
1280	rar.exe
3300	rar.exe
5084	rar.exe
4700	rar.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4952-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/files/0x000700000002322f-5.dat	upx
behavioral2/memory/2468-7-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4952-8-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2468-9-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3288-11-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3288-13-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/1928-15-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/1928-17-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3592-19-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3592-21-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3248-23-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3248-25-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3232-27-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3232-29-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/1280-31-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/1280-33-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3300-35-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/3300-37-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/5084-39-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/5084-41-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/4700-44-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	1f73c64753f24b31ec687dd1d4bbb7ad.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	1f73c64753f24b31ec687dd1d4bbb7ad.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File opened for modification	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe
File created	C:\Windows\SysWOW64\rar.exe	rar.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2468	4952	1f73c64753f24b31ec687dd1d4bbb7ad.exe	89
PID 4952 wrote to memory of 2468	4952	1f73c64753f24b31ec687dd1d4bbb7ad.exe	89
PID 4952 wrote to memory of 2468	4952	1f73c64753f24b31ec687dd1d4bbb7ad.exe	89
PID 2468 wrote to memory of 3288	2468	rar.exe	95
PID 2468 wrote to memory of 3288	2468	rar.exe	95
PID 2468 wrote to memory of 3288	2468	rar.exe	95
PID 3288 wrote to memory of 1928	3288	rar.exe	98
PID 3288 wrote to memory of 1928	3288	rar.exe	98
PID 3288 wrote to memory of 1928	3288	rar.exe	98
PID 1928 wrote to memory of 3592	1928	rar.exe	100
PID 1928 wrote to memory of 3592	1928	rar.exe	100
PID 1928 wrote to memory of 3592	1928	rar.exe	100
PID 3592 wrote to memory of 3248	3592	rar.exe	101
PID 3592 wrote to memory of 3248	3592	rar.exe	101
PID 3592 wrote to memory of 3248	3592	rar.exe	101
PID 3248 wrote to memory of 3232	3248	rar.exe	102
PID 3248 wrote to memory of 3232	3248	rar.exe	102
PID 3248 wrote to memory of 3232	3248	rar.exe	102
PID 3232 wrote to memory of 1280	3232	rar.exe	103
PID 3232 wrote to memory of 1280	3232	rar.exe	103
PID 3232 wrote to memory of 1280	3232	rar.exe	103
PID 1280 wrote to memory of 3300	1280	rar.exe	104
PID 1280 wrote to memory of 3300	1280	rar.exe	104
PID 1280 wrote to memory of 3300	1280	rar.exe	104
PID 3300 wrote to memory of 5084	3300	rar.exe	105
PID 3300 wrote to memory of 5084	3300	rar.exe	105
PID 3300 wrote to memory of 5084	3300	rar.exe	105
PID 5084 wrote to memory of 4700	5084	rar.exe	106
PID 5084 wrote to memory of 4700	5084	rar.exe	106
PID 5084 wrote to memory of 4700	5084	rar.exe	106

C:\Users\Admin\AppData\Local\Temp\1f73c64753f24b31ec687dd1d4bbb7ad.exe
"C:\Users\Admin\AppData\Local\Temp\1f73c64753f24b31ec687dd1d4bbb7ad.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\rar.exe
  C:\Windows\system32\rar.exe 1032 "C:\Users\Admin\AppData\Local\Temp\1f73c64753f24b31ec687dd1d4bbb7ad.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\rar.exe
    C:\Windows\system32\rar.exe 1144 "C:\Windows\SysWOW64\rar.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SysWOW64\rar.exe
      C:\Windows\system32\rar.exe 1104 "C:\Windows\SysWOW64\rar.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 1128 "C:\Windows\SysWOW64\rar.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3592
      - C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 1136 "C:\Windows\SysWOW64\rar.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 1132 "C:\Windows\SysWOW64\rar.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 1148 "C:\Windows\SysWOW64\rar.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 1140 "C:\Windows\SysWOW64\rar.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 1168 "C:\Windows\SysWOW64\rar.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\rar.exe
        
        C:\Windows\system32\rar.exe 980 "C:\Windows\SysWOW64\rar.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rar.exe

Filesize
89KB

MD5
1f73c64753f24b31ec687dd1d4bbb7ad

SHA1
1f48f0aba73a2d0b0d316335a13cfe7da623d238

SHA256
eb0bc9c7fbca78566ab61f91c8f6f98a5761c81b77aa173d2b98c76c59401315

SHA512
f08b98c4364551039c9034ce93a6487d9d6fd53e8cb889cc59b662ce2bf2946f556fa53202c1eab7678d383a52da990dc7c7ea1d22ad9c1e917f7d3b937ba3fc

Download Submit
memory/1280-33-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1280-31-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1928-15-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1928-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2468-7-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2468-9-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3232-29-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3232-27-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3248-23-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3248-25-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3288-11-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3288-13-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3300-35-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3300-37-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3592-21-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3592-19-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4700-44-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4952-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4952-8-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5084-39-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5084-41-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download