lumma | f3fdf6767230e2ed451062ed1469c244ce983f6eb08cb3d5d47c2c4325c18eca

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

!@!Active_$etUp_2024_pAs$W0rd/Setup.exe
Size

94KB
MD5

9a4cc0d8e7007f7ef20ca585324e0739
SHA1

f3e5a2e477cac4bab85940a2158eed78f2d74441
SHA256

040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
SHA512

54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3
SSDEEP

1536:9M/AhIxHHWMpdPa5wiE21M8kJIGFvb1Cwn/ZDs5yf:9M4SwMpdCq/IM8uIGfV/ZDso

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://harassretunrstiwo.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 1244 set thread context of 2448 1244 Setup.exe netsh.exe
Loads dropped DLL 1 IoCs

Processes:

tracewpp.exe

pid process

3124 tracewpp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exenetsh.exe

pid process

1244 Setup.exe
1244 Setup.exe
2448 netsh.exe
2448 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exenetsh.exe

pid process

1244 Setup.exe
2448 netsh.exe

description	pid	process	target process
PID 1244 set thread context of 2448	1244	Setup.exe	netsh.exe

pid	process
3124	tracewpp.exe

pid	process
1244	Setup.exe
1244	Setup.exe
2448	netsh.exe
2448	netsh.exe

pid	process
1244	Setup.exe
2448	netsh.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup.exenetsh.exe

description	pid	process	target process
PID 1244 wrote to memory of 2448	1244	Setup.exe	netsh.exe
PID 1244 wrote to memory of 2448	1244	Setup.exe	netsh.exe
PID 1244 wrote to memory of 2448	1244	Setup.exe	netsh.exe
PID 1244 wrote to memory of 2448	1244	Setup.exe	netsh.exe
PID 2448 wrote to memory of 3124	2448	netsh.exe	tracewpp.exe
PID 2448 wrote to memory of 3124	2448	netsh.exe	tracewpp.exe
PID 2448 wrote to memory of 3124	2448	netsh.exe	tracewpp.exe
PID 2448 wrote to memory of 3124	2448	netsh.exe	tracewpp.exe
PID 2448 wrote to memory of 3124	2448	netsh.exe	tracewpp.exe

C:\Users\Admin\AppData\Local\Temp\!@!Active_$etUp_2024_pAs$W0rd\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!@!Active_$etUp_2024_pAs$W0rd\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
3⤵
- Loads dropped DLL
PID:3124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a735eca5
Filesize
1.2MB

MD5
8bceb7e6c3153c942d8a39f54b786a89

SHA1
620974d67d51f0c8e42c6a09f236b9faf26b19c9

SHA256
599c62d3b3d47f902c2738e0813c55a457941b23c81e62b83e34aeca9889b8a8

SHA512
05dcadf720c50015d60f00516a0de5650375630586cf541adc4292026b33c266bf29b615f2c3313918e1a038e8a331475d855dcf280ee747bda341c23efdde9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
Filesize
207KB

MD5
0930890f83efad2a3091d1e3f0b82707

SHA1
e0dcdefdde9dddd482e0b72504b35e96b795b27e

SHA256
e8be7f038dd98179a1a27d5b176d23a60ad44426442699a3b9b714f9778c5cf2

SHA512
608e2a169a9eb3c1b8e4459704e87123e5d04de57937175811a3f67559f0ead77b09e48562c1df732552a6aca7a8089528f43cda83bcdad1644a089b11a0e9f6

Download Submit
memory/1244-0-0x00007FFF798F0000-0x00007FFF79A62000-memory.dmp

Filesize
1.4MB

Download
memory/1244-5-0x00007FFF798F0000-0x00007FFF79A62000-memory.dmp

Filesize
1.4MB

Download
memory/1244-6-0x00007FFF798F0000-0x00007FFF79A62000-memory.dmp

Filesize
1.4MB

Download
memory/2448-13-0x0000000073EC0000-0x000000007403B000-memory.dmp

Filesize
1.5MB

Download
memory/2448-11-0x0000000073EC0000-0x000000007403B000-memory.dmp

Filesize
1.5MB

Download
memory/2448-14-0x0000000073EC0000-0x000000007403B000-memory.dmp

Filesize
1.5MB

Download
memory/2448-9-0x00007FFF889B0000-0x00007FFF88BA5000-memory.dmp

Filesize
2.0MB

Download
memory/3124-17-0x00007FFF889B0000-0x00007FFF88BA5000-memory.dmp

Filesize
2.0MB

Download
memory/3124-18-0x00000000005B0000-0x0000000000607000-memory.dmp

Filesize
348KB

Download
memory/3124-20-0x0000000000060000-0x00000000000E4000-memory.dmp

Filesize
528KB

Download
memory/3124-21-0x00000000005B0000-0x0000000000607000-memory.dmp

Filesize
348KB

Download
memory/3124-22-0x00000000005B0000-0x0000000000607000-memory.dmp

Filesize
348KB

Download