lumma | 2ba315ff4d5e4d85b85759fffad1152c3388a8e761c32dfde8c72fff1b96bfe5

Resubmissions

17-04-2024 07:33

240417-jdvvtsae31 10

17-04-2024 06:33

240417-ha7jsahe7s 10

Analysis

max time kernel
139s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

2.3MB
MD5

5d52ef45b6e5bf144307a84c2af1581b
SHA1

414a899ec327d4a9daa53983544245b209f25142
SHA256

26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512

458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
SSDEEP

49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://explocommisiowsa.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 408 set thread context of 3524	408	Setup.exe	90

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
408	Setup.exe
408	Setup.exe
3524	netsh.exe
3524	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
408	Setup.exe
3524	netsh.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3524	408	Setup.exe	90
PID 408 wrote to memory of 3524	408	Setup.exe	90
PID 408 wrote to memory of 3524	408	Setup.exe	90
PID 408 wrote to memory of 3524	408	Setup.exe	90
PID 3524 wrote to memory of 1820	3524	netsh.exe	99
PID 3524 wrote to memory of 1820	3524	netsh.exe	99
PID 3524 wrote to memory of 1820	3524	netsh.exe	99
PID 3524 wrote to memory of 1820	3524	netsh.exe	99

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2bee8a68

Filesize
1016KB

MD5
d6281e21b8dcb60196424e445deae8df

SHA1
1d45240cfef89b14d6f664f5123a03ecb8d6d3fc

SHA256
7dc95a307b6ffe0cd2a4c67d0ce4ec49f1621438f360c5b2d679930108e75983

SHA512
49926b17ac863af0ae196bec5183311ebde18cfed0e0d9358026cf24cba29db75b8a511e203c78784b96432664e08f15a704fa1a9037ad13ecc0a432bf64e4db

Download Submit
memory/408-21-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/408-18-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/408-11-0x00000000748B0000-0x0000000074A2B000-memory.dmp

Filesize
1.5MB

Download
memory/408-20-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/408-1-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

Filesize
2.0MB

Download
memory/408-15-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/408-13-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/408-19-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/408-0-0x00000000748B0000-0x0000000074A2B000-memory.dmp

Filesize
1.5MB

Download
memory/408-10-0x00000000748B0000-0x0000000074A2B000-memory.dmp

Filesize
1.5MB

Download
memory/408-17-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1820-28-0x0000000000440000-0x0000000000491000-memory.dmp

Filesize
324KB

Download
memory/1820-27-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

Filesize
2.0MB

Download
memory/1820-30-0x0000000000440000-0x0000000000491000-memory.dmp

Filesize
324KB

Download
memory/1820-29-0x0000000000860000-0x0000000000C93000-memory.dmp

Filesize
4.2MB

Download
memory/3524-22-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

Filesize
2.0MB

Download
memory/3524-23-0x00000000748B0000-0x0000000074A2B000-memory.dmp

Filesize
1.5MB

Download
memory/3524-24-0x00000000748B0000-0x0000000074A2B000-memory.dmp

Filesize
1.5MB

Download
memory/3524-26-0x00000000748B0000-0x0000000074A2B000-memory.dmp

Filesize
1.5MB

Download
memory/3524-14-0x00000000748B0000-0x0000000074A2B000-memory.dmp

Filesize
1.5MB

Download