lumma | ab9a4daee46ae19fe1c2e4b874246275ec129216f3b6bda73e21f5bcebb0300b

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 01:36

Target

tmp.exe
Size

1.2MB
MD5

8cb7db15a004f0aff7a13fe6cc9763b2
SHA1

464b2e63948ae75eb7506844d42440994b07c3b3
SHA256

ab9a4daee46ae19fe1c2e4b874246275ec129216f3b6bda73e21f5bcebb0300b
SHA512

bfe3b40d0c92993484fbd994c8738daec4adf1408608368381fd3cc294247b9f0b44a3bd9e99438121814666fde9114e2c2547da28f97773e848407f3b89ca5e
SSDEEP

24576:bu255/64fZGpA+9176wxT6OxvDI8D92/pzk1lf:v5vZGpA+917/JDp52/pAzf

Score

10^/10

lumma stealer

Family

lumma

https://alcojoldwograpciw.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 3876 set thread context of 1924 3876 tmp.exe RegAsm.exe

description	pid	process	target process
PID 3876 set thread context of 1924	3876	tmp.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe
PID 3876 wrote to memory of 1924	3876	tmp.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1924

memory/1924-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1924-4-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1924-5-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1924-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3876-1-0x0000000000BA0000-0x0000000000CCD000-memory.dmp

Filesize
1.2MB

Download
memory/3876-2-0x0000000000BA0000-0x0000000000CCD000-memory.dmp

Filesize
1.2MB

Download