lumma | e23dbc051aa68653ec8875dd02c2c37cd81e78263858ce59b6a3fd7b8a936b3e

Resubmissions

24-02-2024 13:34

240224-qvgg4adb44 5

24-02-2024 13:32

240224-qszwnadg6y 10

Analysis

max time kernel
76s
max time network
84s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24-02-2024 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setupx32_x64.exe
Size

319KB
MD5

40120c6767de5340629ad6db820c0ee7
SHA1

c4d96d89ac3c957e0b0a53594e17a522123841a2
SHA256

e23dbc051aa68653ec8875dd02c2c37cd81e78263858ce59b6a3fd7b8a936b3e
SHA512

d9d2816e322ef57821d09b4a8408afaf8f7fb749c9989b09c39bc6f43d4fd79d016578212576c61edfe40b47464453b6c7961214c43a31c0cfa3ba6ce7a35e45
SSDEEP

6144:hJJXkh9NPGRyvRIW5ppOU4Hn/VOgurG627rLik3:LCNKQSWlO5HEhSfd3

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 4812	1100	Setupx32_x64.exe	74

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74
PID 1100 wrote to memory of 4812	1100	Setupx32_x64.exe	74

C:\Users\Admin\AppData\Local\Temp\Setupx32_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Setupx32_x64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-0-0x0000000000030000-0x0000000000082000-memory.dmp

Filesize
328KB

Download
memory/1100-1-0x00000000734C0000-0x0000000073BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-9-0x00000000734C0000-0x0000000073BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-10-0x0000000002440000-0x0000000004440000-memory.dmp

Filesize
32.0MB

Download
memory/1100-13-0x0000000002440000-0x0000000004440000-memory.dmp

Filesize
32.0MB

Download
memory/4812-4-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4812-7-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4812-11-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/4812-12-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download