lumma | 85a0c372af048319fbfc8b65770508df7caca682338577534d5c03e17877d8c6

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#Néw_FɨLé-!PằŜSwṟd--24819/Setup.exe
Size

2.4MB
MD5

9fb4770ced09aae3b437c1c6eb6d7334
SHA1

fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256

a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512

140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
SSDEEP

49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://preachbusstyoiwo.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Loads dropped DLL 1 IoCs

Processes:

tracewpp.exe

pid process

2216 tracewpp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 3956 set thread context of 2176 3956 Setup.exe netsh.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exenetsh.exe

pid process

3956 Setup.exe
3956 Setup.exe
2176 netsh.exe
2176 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exenetsh.exe

pid process

3956 Setup.exe
2176 netsh.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Setup.exe

pid process

3956 Setup.exe
3956 Setup.exe

pid	process
2216	tracewpp.exe

description	pid	process	target process
PID 3956 set thread context of 2176	3956	Setup.exe	netsh.exe

pid	process
3956	Setup.exe
3956	Setup.exe
2176	netsh.exe
2176	netsh.exe

pid	process
3956	Setup.exe
2176	netsh.exe

pid	process
3956	Setup.exe
3956	Setup.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Setup.exenetsh.exe

description	pid	process	target process
PID 3956 wrote to memory of 2176	3956	Setup.exe	netsh.exe
PID 3956 wrote to memory of 2176	3956	Setup.exe	netsh.exe
PID 3956 wrote to memory of 2176	3956	Setup.exe	netsh.exe
PID 3956 wrote to memory of 2176	3956	Setup.exe	netsh.exe
PID 2176 wrote to memory of 2216	2176	netsh.exe	tracewpp.exe
PID 2176 wrote to memory of 2216	2176	netsh.exe	tracewpp.exe
PID 2176 wrote to memory of 2216	2176	netsh.exe	tracewpp.exe
PID 2176 wrote to memory of 2216	2176	netsh.exe	tracewpp.exe

C:\Users\Admin\AppData\Local\Temp\#Néw_FɨLé-!PằŜSwṟd--24819\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#Néw_FɨLé-!PằŜSwṟd--24819\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
3⤵
- Loads dropped DLL
PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\de682dee
Filesize
1.2MB

MD5
65a948039bdafe17b9daac887ad8f0f4

SHA1
1b223a81702e68561ac5291d92eed6e735930533

SHA256
42402c05244aa6cdcf283ed4b10c956c0e2b3ddbbb8d04951facb530ee4e6376

SHA512
b9cdcd5aa7b3999f58d2dfd54faed751bce706eaeba7eaee071938e79329132a4d9f00775cac2ccc9107f7a897c7fee593e1a78cec0aaf9f01f3abc1919cdab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
Filesize
207KB

MD5
0930890f83efad2a3091d1e3f0b82707

SHA1
e0dcdefdde9dddd482e0b72504b35e96b795b27e

SHA256
e8be7f038dd98179a1a27d5b176d23a60ad44426442699a3b9b714f9778c5cf2

SHA512
608e2a169a9eb3c1b8e4459704e87123e5d04de57937175811a3f67559f0ead77b09e48562c1df732552a6aca7a8089528f43cda83bcdad1644a089b11a0e9f6

Download Submit
memory/2176-17-0x00000000735E0000-0x000000007375B000-memory.dmp

Filesize
1.5MB

Download
memory/2176-9-0x00000000735E0000-0x000000007375B000-memory.dmp

Filesize
1.5MB

Download
memory/2176-11-0x00007FFAA1EB0000-0x00007FFAA20A5000-memory.dmp

Filesize
2.0MB

Download
memory/2176-13-0x00000000735E0000-0x000000007375B000-memory.dmp

Filesize
1.5MB

Download
memory/2176-14-0x00000000735E0000-0x000000007375B000-memory.dmp

Filesize
1.5MB

Download
memory/2216-19-0x00007FFAA1EB0000-0x00007FFAA20A5000-memory.dmp

Filesize
2.0MB

Download
memory/2216-20-0x0000000000610000-0x0000000000663000-memory.dmp

Filesize
332KB

Download
memory/2216-22-0x0000000000D20000-0x0000000000DA4000-memory.dmp

Filesize
528KB

Download
memory/2216-23-0x0000000000610000-0x0000000000663000-memory.dmp

Filesize
332KB

Download
memory/3956-7-0x00000000735E0000-0x000000007375B000-memory.dmp

Filesize
1.5MB

Download
memory/3956-6-0x00000000735E0000-0x000000007375B000-memory.dmp

Filesize
1.5MB

Download
memory/3956-0-0x00000000735E0000-0x000000007375B000-memory.dmp

Filesize
1.5MB

Download
memory/3956-1-0x00007FFAA1EB0000-0x00007FFAA20A5000-memory.dmp

Filesize
2.0MB

Download