lumma | 19cf5c9f250d27c1ff53f81a0ebad37428ca71a2647e358c8b3f2bfda102a8ef

General

Target

@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe
Size

3.5MB
MD5

f3926079722ea980ed43703b7e56c578
SHA1

c91f413aaed6a2c97cef6ceea4b821faabe35994
SHA256

19cf5c9f250d27c1ff53f81a0ebad37428ca71a2647e358c8b3f2bfda102a8ef
SHA512

9157bab3d721fbe835250a2b864f7a8ea2a3b4e9e21bc527ca08589bd90446e887fc6797554157419a2efa2466ee30e6171746ee0e71ccfa224395ea33fa7828
SSDEEP

98304:ZYnY0iuf1ZByTLpwiaOZu2u3YP21sr7wx4oDIouiIOiUq:ZYnLI1witJu3A5wCoehH3

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

C2

https://harassretunrstiwo.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe

Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

4524 Setup.exe
Loads dropped DLL 3 IoCs

Processes:

Setup.exetracewpp.exe

pid process

4524 Setup.exe
4524 Setup.exe
1620 tracewpp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 4524 set thread context of 2716 4524 Setup.exe netsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Setup.exenetsh.exe

pid process

4524 Setup.exe
4524 Setup.exe
2716 netsh.exe
2716 netsh.exe
2716 netsh.exe
2716 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exenetsh.exe

pid process

4524 Setup.exe
2716 netsh.exe

pid	process
4524	Setup.exe

pid	process
4524	Setup.exe
4524	Setup.exe
1620	tracewpp.exe

description	pid	process	target process
PID 4524 set thread context of 2716	4524	Setup.exe	netsh.exe

pid	process
4524	Setup.exe
4524	Setup.exe
2716	netsh.exe
2716	netsh.exe
2716	netsh.exe
2716	netsh.exe

pid	process
4524	Setup.exe
2716	netsh.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exeSetup.exenetsh.exe

description	pid	process	target process
PID 3396 wrote to memory of 4524	3396	@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe	Setup.exe
PID 3396 wrote to memory of 4524	3396	@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe	Setup.exe
PID 4524 wrote to memory of 2716	4524	Setup.exe	netsh.exe
PID 4524 wrote to memory of 2716	4524	Setup.exe	netsh.exe
PID 4524 wrote to memory of 2716	4524	Setup.exe	netsh.exe
PID 4524 wrote to memory of 2716	4524	Setup.exe	netsh.exe
PID 2716 wrote to memory of 1620	2716	netsh.exe	tracewpp.exe
PID 2716 wrote to memory of 1620	2716	netsh.exe	tracewpp.exe
PID 2716 wrote to memory of 1620	2716	netsh.exe	tracewpp.exe
PID 2716 wrote to memory of 1620	2716	netsh.exe	tracewpp.exe

C:\Users\Admin\AppData\Local\Temp\@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe
"C:\Users\Admin\AppData\Local\Temp\@#!!New_SoftWare_2024_ṔḁṨṨCṏḌḙ#$.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\SysWOW64\netsh.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
      C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
      4⤵
      Loads dropped DLL
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\883f017d

Filesize
1.2MB

MD5
800dd9f87b348ad2be9b926d054013c9

SHA1
adc39077317b97e4033b982cc3ac0471c2c0e6e2

SHA256
101dcf7b0cab79681d9e3c63413b2d700ca79f2bc570faee703c9dbfff1176ba

SHA512
fcc4a58a5d569a9561553c1f0fa8b978df89bdfc88baa5d04e1fc499b7b8ab91a855580d86a51f51af4540edf6a4e5977a224b1cc91986e06e057ed0dd841bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\largo.doc

Filesize
915KB

MD5
1d070b44d4cfa45325bf3b89168921c5

SHA1
62f1aa9e982bb4ca3dc7d93dbb784fb2ca57751f

SHA256
9e35a20dfe967b3999761df98dea750ba5516214e3d91086d3f1a422ac4ff982

SHA512
43372cc3b20693052cb6dbb98a5c1fc3635a69ee11262e3334bbbb05c84c892f165d6bdbe0eb61b83b3297c48a13a60a22741bdc4795b131c8d25297b135e5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nursery.iso

Filesize
73KB

MD5
5a055f819fd0c3454e0d90507dc25257

SHA1
27e8af7782f080e8ea3c06cb31ddbfa768cb127b

SHA256
0566fbe3e0e3f35083ebf4304b581e03cf4eccb37da57f7c7a4bdcf6f2e2c3d8

SHA512
1a48f170895be20d6e4b3eb2c125b404376158f471cb29a2d474824457668dbaa07261049f61cad68fc341fac011e0170e8eb54aae8b10a6456ed6d910a5842d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python310.dll

Filesize
4.3MB

MD5
fc90f16df2e942d04add02e705ba9bcc

SHA1
a64997c424e6d28a2e47c347c7ae9a37073b727d

SHA256
5aa78fb7130326cc0a37cbc04854df22f890f7692e27747dbc88cf81f62ea157

SHA512
6d058416def68a7e642e679e5d42348d47b3e9c6ccbff84827b8c1bb0e076525e4b3c24b7577455ed1d83a8f3a6602ee248afd35f8463396043ac6cd183a82e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe

Filesize
207KB

MD5
0930890f83efad2a3091d1e3f0b82707

SHA1
e0dcdefdde9dddd482e0b72504b35e96b795b27e

SHA256
e8be7f038dd98179a1a27d5b176d23a60ad44426442699a3b9b714f9778c5cf2

SHA512
608e2a169a9eb3c1b8e4459704e87123e5d04de57937175811a3f67559f0ead77b09e48562c1df732552a6aca7a8089528f43cda83bcdad1644a089b11a0e9f6

Download Submit
memory/1620-248-0x0000000000160000-0x00000000001B0000-memory.dmp

Filesize
320KB

Download
memory/1620-247-0x00000000004F0000-0x0000000000574000-memory.dmp

Filesize
528KB

Download
memory/1620-245-0x0000000000160000-0x00000000001B0000-memory.dmp

Filesize
320KB

Download
memory/1620-244-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

Filesize
2.0MB

Download
memory/2716-238-0x0000000074AC0000-0x0000000074C3B000-memory.dmp

Filesize
1.5MB

Download
memory/2716-242-0x0000000074AC0000-0x0000000074C3B000-memory.dmp

Filesize
1.5MB

Download
memory/2716-239-0x0000000074AC0000-0x0000000074C3B000-memory.dmp

Filesize
1.5MB

Download
memory/2716-236-0x00007FFC92930000-0x00007FFC92B25000-memory.dmp

Filesize
2.0MB

Download
memory/4524-233-0x00007FFC74C50000-0x00007FFC74DC2000-memory.dmp

Filesize
1.4MB

Download
memory/4524-232-0x00007FFC74C50000-0x00007FFC74DC2000-memory.dmp

Filesize
1.4MB

Download
memory/4524-227-0x00007FFC74C50000-0x00007FFC74DC2000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing