lumma | d628cc0dd2db8f440f732c8ef628d99d2d97fbaac052d5bc2d4302929cfffe30 | Triage

Sharing

General

Target

d628cc0dd2db8f440f732c8ef628d99d2d97fbaac052d5bc2d4302929cfffe30
Size

306KB
Sample

240417-lxxvmsda8w
MD5

3a748e3ed487edbcb2ac8f94f78a8ff6
SHA1

5858a433f3a2b5156ebbeae4e3c5ea6c4383e530
SHA256

d628cc0dd2db8f440f732c8ef628d99d2d97fbaac052d5bc2d4302929cfffe30
SHA512

484b3e72fd2734c6eebb1376ce934990d288f2b331d3d905ea5f43dd590868efeb3392380e364f24fb8ae35870ca3c8fe0ed46451aabcd02e5335e6b0942f65c
SSDEEP

3072:Fyhm+yTiEFRF/Ru/kgP7NL8C8+XPuEKEShT1bIa4KblMd3WOZVonTiezkLpAEz2s:cyd7FDgjh8C8+chhH4KOdmOcewkyo2s

Score

10^/10

lumma smokeloader pub1 backdoor persistence stealer trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

rc4.i32

Extracted

Family

lumma

C2

https://greetclassifytalk.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Targets

- Target
  
  d628cc0dd2db8f440f732c8ef628d99d2d97fbaac052d5bc2d4302929cfffe30
- Size
  
  306KB
- MD5
  
  3a748e3ed487edbcb2ac8f94f78a8ff6
- SHA1
  
  5858a433f3a2b5156ebbeae4e3c5ea6c4383e530
- SHA256
  
  d628cc0dd2db8f440f732c8ef628d99d2d97fbaac052d5bc2d4302929cfffe30
- SHA512
  
  484b3e72fd2734c6eebb1376ce934990d288f2b331d3d905ea5f43dd590868efeb3392380e364f24fb8ae35870ca3c8fe0ed46451aabcd02e5335e6b0942f65c
- SSDEEP
  
  3072:Fyhm+yTiEFRF/Ru/kgP7NL8C8+XPuEKEShT1bIa4KblMd3WOZVonTiezkLpAEz2s:cyd7FDgjh8C8+chhH4KOdmOcewkyo2s
Score

10^/10

lumma smokeloader pub1 backdoor persistence stealer trojan vmprotect
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Deletes itself
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lummasmokeloaderpub1backdoorpersistencestealertrojanvmprotect

behavioral2

smokeloaderpub1backdoortrojan