lumma | 29c4b0c3f3dbf51a8e8cc9e45e6c551022edeec770163dffb66dd030c75e1302

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#@!NewFiile_8855_ṔḁṨṨCṏḌḙ$#/Setup.exe
Size

2.3MB
MD5

5d52ef45b6e5bf144307a84c2af1581b
SHA1

414a899ec327d4a9daa53983544245b209f25142
SHA256

26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512

458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
SSDEEP

49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://preachbusstyoiwo.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 660 set thread context of 3504 660 Setup.exe netsh.exe
Loads dropped DLL 1 IoCs

Processes:

tracewpp.exe

pid process

4468 tracewpp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Setup.exenetsh.exe

pid process

660 Setup.exe
660 Setup.exe
3504 netsh.exe
3504 netsh.exe
3504 netsh.exe
3504 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exenetsh.exe

pid process

660 Setup.exe
3504 netsh.exe

description	pid	process	target process
PID 660 set thread context of 3504	660	Setup.exe	netsh.exe

pid	process
4468	tracewpp.exe

pid	process
660	Setup.exe
660	Setup.exe
3504	netsh.exe
3504	netsh.exe
3504	netsh.exe
3504	netsh.exe

pid	process
660	Setup.exe
3504	netsh.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup.exenetsh.exe

description	pid	process	target process
PID 660 wrote to memory of 3504	660	Setup.exe	netsh.exe
PID 660 wrote to memory of 3504	660	Setup.exe	netsh.exe
PID 660 wrote to memory of 3504	660	Setup.exe	netsh.exe
PID 660 wrote to memory of 3504	660	Setup.exe	netsh.exe
PID 3504 wrote to memory of 4468	3504	netsh.exe	tracewpp.exe
PID 3504 wrote to memory of 4468	3504	netsh.exe	tracewpp.exe
PID 3504 wrote to memory of 4468	3504	netsh.exe	tracewpp.exe
PID 3504 wrote to memory of 4468	3504	netsh.exe	tracewpp.exe
PID 3504 wrote to memory of 4468	3504	netsh.exe	tracewpp.exe

C:\Users\Admin\AppData\Local\Temp\#@!NewFiile_8855_ṔḁṨṨCṏḌḙ$#\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#@!NewFiile_8855_ṔḁṨṨCṏḌḙ$#\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
    C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
    3⤵
    - Loads dropped DLL
    PID:4468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\869bfaea

Filesize
1.2MB

MD5
eefbdfb3ff9581f15259dac5dba4d1d6

SHA1
1cf5a6e2053af6c393172895dcf0ee4ec0a08faa

SHA256
c04c3f9f46d9fb9300d06e85bc910a15585b1f16d3de72b52beff212289fefca

SHA512
c337ad9bdd0ca24d2baaef95791a471207ff8497f9347ef6ec49ef9100c817cd5173fa3940c87de727b21741d9c21a64901d6ec7f1e15b197ae3c3c646f73454

Download Submit
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe

Filesize
207KB

MD5
0930890f83efad2a3091d1e3f0b82707

SHA1
e0dcdefdde9dddd482e0b72504b35e96b795b27e

SHA256
e8be7f038dd98179a1a27d5b176d23a60ad44426442699a3b9b714f9778c5cf2

SHA512
608e2a169a9eb3c1b8e4459704e87123e5d04de57937175811a3f67559f0ead77b09e48562c1df732552a6aca7a8089528f43cda83bcdad1644a089b11a0e9f6

Download Submit
memory/660-15-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/660-21-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/660-13-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/660-10-0x0000000074060000-0x00000000741DB000-memory.dmp

Filesize
1.5MB

Download
memory/660-1-0x00007FFB75AD0000-0x00007FFB75CC5000-memory.dmp

Filesize
2.0MB

Download
memory/660-19-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/660-20-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/660-18-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/660-0-0x0000000074060000-0x00000000741DB000-memory.dmp

Filesize
1.5MB

Download
memory/660-11-0x0000000074060000-0x00000000741DB000-memory.dmp

Filesize
1.5MB

Download
memory/660-17-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/3504-22-0x00007FFB75AD0000-0x00007FFB75CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3504-24-0x0000000074060000-0x00000000741DB000-memory.dmp

Filesize
1.5MB

Download
memory/3504-26-0x0000000074060000-0x00000000741DB000-memory.dmp

Filesize
1.5MB

Download
memory/3504-16-0x0000000074060000-0x00000000741DB000-memory.dmp

Filesize
1.5MB

Download
memory/4468-29-0x00007FFB75AD0000-0x00007FFB75CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4468-30-0x0000000000E40000-0x0000000000E8F000-memory.dmp

Filesize
316KB

Download
memory/4468-32-0x0000000000C80000-0x0000000000D04000-memory.dmp

Filesize
528KB

Download
memory/4468-33-0x0000000000E40000-0x0000000000E8F000-memory.dmp

Filesize
316KB

Download
memory/4468-34-0x0000000000E40000-0x0000000000E8F000-memory.dmp

Filesize
316KB

Download