lumma | b411fa289b897c774560292abcf7c298e29e1b9b8243357b1cc7d25a28622739

Analysis

max time kernel
113s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 04:56

Target

launcher.exe
Size

25.4MB
MD5

913b4744fbcd88cbc9ba44808a835a91
SHA1

d5cb6cbe5d4ad8b20a351080a6bc8e85fa72a64e
SHA256

b411fa289b897c774560292abcf7c298e29e1b9b8243357b1cc7d25a28622739
SHA512

ab0c1ec3840947262d4825bbc1cb1f0f056fceda99d7886ce7f83c432faf91a89e17f81e21132a9f997a895c0dd3cdb3d987b47608020cb1260657d782847863
SSDEEP

12288:5R5ouJIVQhcEWuDG6X/ob2qlTIiw/TmQxFZpC:dnJIG2EFlf09GTmYvC

Score

10^/10

lumma stealer

Family

lumma

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

launcher.exe

description pid process target process

PID 4068 set thread context of 5096 4068 launcher.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4764 4068 WerFault.exe launcher.exe

description	pid	process	target process
PID 4068 set thread context of 5096	4068	launcher.exe	RegAsm.exe

pid	pid_target	process	target process
4764	4068	WerFault.exe	launcher.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

launcher.exe

description	pid	process	target process
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe
PID 4068 wrote to memory of 5096	4068	launcher.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 588
  2⤵
  - Program crash
  PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4068 -ip 4068
1⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1336

memory/4068-0-0x0000000000070000-0x00000000000E4000-memory.dmp

Filesize
464KB

Download
memory/4068-6-0x0000000000070000-0x00000000000E4000-memory.dmp

Filesize
464KB

Download
memory/5096-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5096-3-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5096-4-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5096-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download