lumma | 3b1e84e9452c52f4448e38eed17b5c280b5fe4ec69b631e712ff65e60e26c3f1

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

3.3MB
MD5

55076afc8f8de2df8f91fb2742bcda61
SHA1

c848bb01e859163b08ce4f58994b3d814dfdf700
SHA256

e3cb1b8edb969533e9299c4169b12df17a01d7516df943b486a785c986ceda30
SHA512

70bf3d76b86b28aa4209a51469a4b2161c4253313849217b5e1267cb17f6279235b9ed18cd975aa48227401b48887f594b3be149531750638091afc51a425d26
SSDEEP

98304:WNdaWWhvT90MSGmHUkC+UH9txcv0HGM62OQy:WNdaWWhvZ0MhmHUkxUH9tx1HA

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://controlopposedcallyo.shop/api

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 4516	660	Set-up.exe	88

Loads dropped DLL 1 IoCs

pid	Process
3552	fm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
660	Set-up.exe
660	Set-up.exe
4516	netsh.exe
4516	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
660	Set-up.exe
4516	netsh.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 4516	660	Set-up.exe	88
PID 660 wrote to memory of 4516	660	Set-up.exe	88
PID 660 wrote to memory of 4516	660	Set-up.exe	88
PID 660 wrote to memory of 4516	660	Set-up.exe	88
PID 4516 wrote to memory of 3552	4516	netsh.exe	92
PID 4516 wrote to memory of 3552	4516	netsh.exe	92
PID 4516 wrote to memory of 3552	4516	netsh.exe	92
PID 4516 wrote to memory of 3552	4516	netsh.exe	92

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\fm.exe
    C:\Users\Admin\AppData\Local\Temp\fm.exe
    3⤵
    - Loads dropped DLL
    PID:3552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\18f263d5

Filesize
1.9MB

MD5
0a21ddb0f48ebca05b5eee14351cc94b

SHA1
72572ead791bf471baa984c42fd4cd9b6b357c3f

SHA256
f4ef7267f006294b31249ff99d161d752a25f01cc21e3177403d324802f94136

SHA512
72ee888574288fe94878dd9f8adc7b79dd7d14b7027a8026ffb2b43e2de9b695e38ad4cd97a015ef33142e089646140a9862e5b48170d1b8d016e87903778e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\fm.exe

Filesize
994KB

MD5
de0ea31558536ca7e3164c3cd4578bf5

SHA1
5cc890c3ade653bb1ed1e53dabb0410602ee52df

SHA256
6e599490e164505af796569dce30e18218b179b2b791fe69764892b3ed3e7478

SHA512
c47299cd5f3b4961f423c2ca1fef5a33eb4b0f63dc232af70ef9da39f6f82270406061dd543461de7e47abd1244e26d6190de6035120211b27d4c23f97a25aba

Download Submit
memory/660-30-0x000000006DFD0000-0x000000006DFF3000-memory.dmp

Filesize
140KB

Download
memory/660-20-0x000000006E010000-0x000000006E02C000-memory.dmp

Filesize
112KB

Download
memory/660-18-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/660-29-0x000000006DAB0000-0x000000006DACE000-memory.dmp

Filesize
120KB

Download
memory/660-24-0x000000006C370000-0x000000006C4B3000-memory.dmp

Filesize
1.3MB

Download
memory/660-26-0x000000006DBC0000-0x000000006DBCF000-memory.dmp

Filesize
60KB

Download
memory/660-23-0x000000006DC50000-0x000000006DC5D000-memory.dmp

Filesize
52KB

Download
memory/660-22-0x000000006DDC0000-0x000000006DDE0000-memory.dmp

Filesize
128KB

Download
memory/660-15-0x0000000074DF0000-0x0000000074F6B000-memory.dmp

Filesize
1.5MB

Download
memory/660-25-0x000000006DBD0000-0x000000006DBDE000-memory.dmp

Filesize
56KB

Download
memory/660-27-0x000000006DBF0000-0x000000006DBFE000-memory.dmp

Filesize
56KB

Download
memory/660-28-0x000000006DC20000-0x000000006DC48000-memory.dmp

Filesize
160KB

Download
memory/660-16-0x0000000074DF0000-0x0000000074F6B000-memory.dmp

Filesize
1.5MB

Download
memory/660-0-0x0000000074DF0000-0x0000000074F6B000-memory.dmp

Filesize
1.5MB

Download
memory/660-1-0x00007FFAA2CB0000-0x00007FFAA2EA5000-memory.dmp

Filesize
2.0MB

Download
memory/660-31-0x000000006DBE0000-0x000000006DBED000-memory.dmp

Filesize
52KB

Download
memory/3552-41-0x0000000000500000-0x000000000054B000-memory.dmp

Filesize
300KB

Download
memory/3552-40-0x00007FFAA2CB0000-0x00007FFAA2EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3552-43-0x0000000000880000-0x000000000097B000-memory.dmp

Filesize
1004KB

Download
memory/3552-44-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3552-45-0x0000000000500000-0x000000000054B000-memory.dmp

Filesize
300KB

Download
memory/4516-34-0x0000000074DF0000-0x0000000074F6B000-memory.dmp

Filesize
1.5MB

Download
memory/4516-32-0x00007FFAA2CB0000-0x00007FFAA2EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4516-38-0x0000000074DF0000-0x0000000074F6B000-memory.dmp

Filesize
1.5MB

Download
memory/4516-35-0x0000000074DF0000-0x0000000074F6B000-memory.dmp

Filesize
1.5MB

Download
memory/4516-21-0x0000000074DF0000-0x0000000074F6B000-memory.dmp

Filesize
1.5MB

Download