lumma | 8e6e186ef33495fa843335654f0ce888e59272caa2245eb123afaff3b5c21992

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#!NewFiile_7474_ṔḁṨṨCṏḌḙ$/Setup.exe
Size

2.4MB
MD5

9fb4770ced09aae3b437c1c6eb6d7334
SHA1

fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256

a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512

140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
SSDEEP

49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://preachbusstyoiwo.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Loads dropped DLL 1 IoCs

Processes:

tracewpp.exe

pid process

3204 tracewpp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 5040 set thread context of 3824 5040 Setup.exe netsh.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exenetsh.exe

pid process

5040 Setup.exe
5040 Setup.exe
3824 netsh.exe
3824 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exenetsh.exe

pid process

5040 Setup.exe
3824 netsh.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Setup.exe

pid process

5040 Setup.exe
5040 Setup.exe

pid	process
3204	tracewpp.exe

description	pid	process	target process
PID 5040 set thread context of 3824	5040	Setup.exe	netsh.exe

pid	process
5040	Setup.exe
5040	Setup.exe
3824	netsh.exe
3824	netsh.exe

pid	process
5040	Setup.exe
3824	netsh.exe

pid	process
5040	Setup.exe
5040	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup.exenetsh.exe

description	pid	process	target process
PID 5040 wrote to memory of 3824	5040	Setup.exe	netsh.exe
PID 5040 wrote to memory of 3824	5040	Setup.exe	netsh.exe
PID 5040 wrote to memory of 3824	5040	Setup.exe	netsh.exe
PID 5040 wrote to memory of 3824	5040	Setup.exe	netsh.exe
PID 3824 wrote to memory of 3204	3824	netsh.exe	tracewpp.exe
PID 3824 wrote to memory of 3204	3824	netsh.exe	tracewpp.exe
PID 3824 wrote to memory of 3204	3824	netsh.exe	tracewpp.exe
PID 3824 wrote to memory of 3204	3824	netsh.exe	tracewpp.exe
PID 3824 wrote to memory of 3204	3824	netsh.exe	tracewpp.exe

C:\Users\Admin\AppData\Local\Temp\#!NewFiile_7474_ṔḁṨṨCṏḌḙ$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!NewFiile_7474_ṔḁṨṨCṏḌḙ$\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
3⤵
- Loads dropped DLL
PID:3204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\91cc0e6e
Filesize
1.2MB

MD5
5190f32d6668fc03281aa6df36736ffc

SHA1
0cc747aa94a38cdfd636ae9d9107fbc83b7c41d6

SHA256
b5acdf46b54a4e006778cdcc36d249fd0576faecbe928622e17d5274e4bc26b5

SHA512
408261cb24197e48d997064aa2136f6d55b4eaecea3c38d7760c8a9149841f570b28f7a10116213ec655b9431188fb9ac90c5b0358a3d574a0ad50513baeffea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
Filesize
207KB

MD5
0930890f83efad2a3091d1e3f0b82707

SHA1
e0dcdefdde9dddd482e0b72504b35e96b795b27e

SHA256
e8be7f038dd98179a1a27d5b176d23a60ad44426442699a3b9b714f9778c5cf2

SHA512
608e2a169a9eb3c1b8e4459704e87123e5d04de57937175811a3f67559f0ead77b09e48562c1df732552a6aca7a8089528f43cda83bcdad1644a089b11a0e9f6

Download Submit
memory/3204-26-0x0000000000CC0000-0x0000000000D12000-memory.dmp

Filesize
328KB

Download
memory/3204-25-0x0000000000CC0000-0x0000000000D12000-memory.dmp

Filesize
328KB

Download
memory/3204-24-0x0000000000810000-0x0000000000894000-memory.dmp

Filesize
528KB

Download
memory/3204-20-0x0000000000CC0000-0x0000000000D12000-memory.dmp

Filesize
328KB

Download
memory/3204-19-0x00007FFF020F0000-0x00007FFF022E5000-memory.dmp

Filesize
2.0MB

Download
memory/3824-11-0x00007FFF020F0000-0x00007FFF022E5000-memory.dmp

Filesize
2.0MB

Download
memory/3824-16-0x0000000073DA0000-0x0000000073F1B000-memory.dmp

Filesize
1.5MB

Download
memory/3824-14-0x0000000073DA0000-0x0000000073F1B000-memory.dmp

Filesize
1.5MB

Download
memory/3824-9-0x0000000073DA0000-0x0000000073F1B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-0-0x0000000073DA0000-0x0000000073F1B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-7-0x0000000073DA0000-0x0000000073F1B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-6-0x0000000073DA0000-0x0000000073F1B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-1-0x00007FFF020F0000-0x00007FFF022E5000-memory.dmp

Filesize
2.0MB

Download