lumma | 7a8db5d75ca30164236d2474a4719046a7814a4411cf703ffb702bf6319939d7

Resubmissions

11/06/2024, 01:44

03/03/2024, 10:05

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2024, 10:05

Target

2024-03-03_de6832dddc25cdfad6f3db172c331972_ryuk.exe
Size

4.1MB
MD5

de6832dddc25cdfad6f3db172c331972
SHA1

65b58a63d23cac4854dc1e4c767087531043a03a
SHA256

7a8db5d75ca30164236d2474a4719046a7814a4411cf703ffb702bf6319939d7
SHA512

f226fae894afe6b75570ce48a29fadf89ecc63409a934fd37a8c7554dd572f87aa0a095cfbb38f5307d2f6135e64fcbb20f5f179ee7fa0eafbfacff4e4d46e59
SSDEEP

49152:8Ih624a56H0Z0NyVJobHL3LwabKreD5lyTniPtIoHYWF4vCvPJywnHXZRo0i1co3:m8eLCreTyT2Io4WOWnH29

Score

10^/10

lumma stealer

Detect Lumma Stealer payload V4 1 IoCs

resource	yara_rule
behavioral2/memory/2196-15-0x0000000000790000-0x0000000000812000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Deletes itself 1 IoCs

pid	Process
1180	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 1180	880	2024-03-03_de6832dddc25cdfad6f3db172c331972_ryuk.exe	88

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
880	2024-03-03_de6832dddc25cdfad6f3db172c331972_ryuk.exe
1180	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1180	880	2024-03-03_de6832dddc25cdfad6f3db172c331972_ryuk.exe	88
PID 880 wrote to memory of 1180	880	2024-03-03_de6832dddc25cdfad6f3db172c331972_ryuk.exe	88
PID 880 wrote to memory of 1180	880	2024-03-03_de6832dddc25cdfad6f3db172c331972_ryuk.exe	88
PID 880 wrote to memory of 1180	880	2024-03-03_de6832dddc25cdfad6f3db172c331972_ryuk.exe	88
PID 1180 wrote to memory of 2196	1180	cmd.exe	94
PID 1180 wrote to memory of 2196	1180	cmd.exe	94
PID 1180 wrote to memory of 2196	1180	cmd.exe	94
PID 1180 wrote to memory of 2196	1180	cmd.exe	94
PID 1180 wrote to memory of 2196	1180	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\15b021ba

Filesize
1.1MB

MD5
0ebe2213c8fd94f1a03be9489c29f865

SHA1
84e19f4bf219ff83578ac80e343c0322041c1164

SHA256
8bfed0df98afa915ecd36c437c16f5b194c7271b57e04addad9d58222ee9785c

SHA512
78381f83f3f75a5586df70b43a613dda1d767b9134d334ffcfb68719cf2d2bd718f72e95dc422e9da4a7cd7930c294f5f3e658833ff77858d44f00a776e65815

Download Submit
memory/880-0-0x00007FFD55DD0000-0x00007FFD55F42000-memory.dmp

Filesize
1.4MB

Download
memory/880-1-0x00007FF6D6120000-0x00007FF6D6546000-memory.dmp

Filesize
4.1MB

Download
memory/880-2-0x00007FFD55DD0000-0x00007FFD55F42000-memory.dmp

Filesize
1.4MB

Download
memory/880-3-0x00007FFD55DD0000-0x00007FFD55F42000-memory.dmp

Filesize
1.4MB

Download
memory/880-5-0x00007FF6D6120000-0x00007FF6D6546000-memory.dmp

Filesize
4.1MB

Download
memory/1180-7-0x00007FFD73BD0000-0x00007FFD73DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1180-8-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

Filesize
1.5MB

Download
memory/1180-9-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

Filesize
1.5MB

Download
memory/1180-12-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

Filesize
1.5MB

Download
memory/2196-14-0x00007FFD73BD0000-0x00007FFD73DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2196-15-0x0000000000790000-0x0000000000812000-memory.dmp

Filesize
520KB

Download