lumma | a6928d78afaa376c901a8671a597367bad805b5b3629547f78eec3762c143b5e

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

@#!Open_MainFile_5443_Pa$ṣW0rD%$/Setup.exe
Size

94KB
MD5

9a4cc0d8e7007f7ef20ca585324e0739
SHA1

f3e5a2e477cac4bab85940a2158eed78f2d74441
SHA256

040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
SHA512

54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3
SSDEEP

1536:9M/AhIxHHWMpdPa5wiE21M8kJIGFvb1Cwn/ZDs5yf:9M4SwMpdCq/IM8uIGfV/ZDso

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://harassretunrstiwo.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 4032 set thread context of 1164 4032 Setup.exe netsh.exe
Loads dropped DLL 1 IoCs

Processes:

tracewpp.exe

pid process

2656 tracewpp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exenetsh.exe

pid process

4032 Setup.exe
4032 Setup.exe
1164 netsh.exe
1164 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exenetsh.exe

pid process

4032 Setup.exe
1164 netsh.exe

description	pid	process	target process
PID 4032 set thread context of 1164	4032	Setup.exe	netsh.exe

pid	process
2656	tracewpp.exe

pid	process
4032	Setup.exe
4032	Setup.exe
1164	netsh.exe
1164	netsh.exe

pid	process
4032	Setup.exe
1164	netsh.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup.exenetsh.exe

description	pid	process	target process
PID 4032 wrote to memory of 1164	4032	Setup.exe	netsh.exe
PID 4032 wrote to memory of 1164	4032	Setup.exe	netsh.exe
PID 4032 wrote to memory of 1164	4032	Setup.exe	netsh.exe
PID 4032 wrote to memory of 1164	4032	Setup.exe	netsh.exe
PID 1164 wrote to memory of 2656	1164	netsh.exe	tracewpp.exe
PID 1164 wrote to memory of 2656	1164	netsh.exe	tracewpp.exe
PID 1164 wrote to memory of 2656	1164	netsh.exe	tracewpp.exe
PID 1164 wrote to memory of 2656	1164	netsh.exe	tracewpp.exe
PID 1164 wrote to memory of 2656	1164	netsh.exe	tracewpp.exe

C:\Users\Admin\AppData\Local\Temp\@#!Open_MainFile_5443_Pa$ṣW0rD%$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\@#!Open_MainFile_5443_Pa$ṣW0rD%$\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
3⤵
- Loads dropped DLL
PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d9a57b55
Filesize
1.2MB

MD5
3b92b192efe2375e14b49f0af9d43660

SHA1
d911d628454769049a43a0a59ce70b4e7de6c641

SHA256
0039dc6371abda5a5fbe187c9cb09f8234c6fe9ee4924905bdad5e93a6963346

SHA512
1c34c99150877f40e28f5505b09bc45bca736db4955300275eee99edc239a6ac9e189bd6c83cab72c5da0abc92b470d3e119d37bc0dc83451b5501a7c5c90d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
Filesize
207KB

MD5
0930890f83efad2a3091d1e3f0b82707

SHA1
e0dcdefdde9dddd482e0b72504b35e96b795b27e

SHA256
e8be7f038dd98179a1a27d5b176d23a60ad44426442699a3b9b714f9778c5cf2

SHA512
608e2a169a9eb3c1b8e4459704e87123e5d04de57937175811a3f67559f0ead77b09e48562c1df732552a6aca7a8089528f43cda83bcdad1644a089b11a0e9f6

Download Submit
memory/1164-13-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/1164-9-0x00007FFB692B0000-0x00007FFB694A5000-memory.dmp

Filesize
2.0MB

Download
memory/1164-11-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/1164-15-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/2656-17-0x00007FFB692B0000-0x00007FFB694A5000-memory.dmp

Filesize
2.0MB

Download
memory/2656-18-0x0000000000E00000-0x0000000000E50000-memory.dmp

Filesize
320KB

Download
memory/2656-20-0x0000000000E00000-0x0000000000E50000-memory.dmp

Filesize
320KB

Download
memory/2656-21-0x00000000005B0000-0x0000000000634000-memory.dmp

Filesize
528KB

Download
memory/2656-22-0x0000000000E00000-0x0000000000E50000-memory.dmp

Filesize
320KB

Download
memory/4032-6-0x00007FFB4AFC0000-0x00007FFB4B132000-memory.dmp

Filesize
1.4MB

Download
memory/4032-0-0x00007FFB4AFC0000-0x00007FFB4B132000-memory.dmp

Filesize
1.4MB

Download
memory/4032-5-0x00007FFB4AFC0000-0x00007FFB4B132000-memory.dmp

Filesize
1.4MB

Download