lumma | dc6c9da6ffa24e2c6248ca493c145296cf75eff12968b8bee171e114cbdaa006

Analysis

max time kernel
77s
max time network
83s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-04-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLAUNHER.exe
Size

287.0MB
MD5

5056dba944a26a0018a9046f15e77aa0
SHA1

94f84b8f9a7d59ef2eafaf17dd455bb9a70dee2c
SHA256

67d49350461a3100ff4a4e50c5c098774b07f28c47d935feaa9b17daa0fb8898
SHA512

fa85d62fcb0b70e148f158399f3b5bcecd953741e911aa94a504bcc12c40511ccb05ec3cf1131b19fc6c6348793dae8e06c87b607e40e9d3e75eef028f77f69b
SSDEEP

24576:mb/aJqeBkts3eK/j05vT+j+orkxFMBlTPH:ckqeetsu4096jJ7HTH

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://assumptionflattyou.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 1 IoCs

Processes:

Aside.pif

pid process

4340 Aside.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

660 tasklist.exe
4908 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4368 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Aside.pif

pid process

4340 Aside.pif
4340 Aside.pif
4340 Aside.pif
4340 Aside.pif
4340 Aside.pif
4340 Aside.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4908 tasklist.exe
Token: SeDebugPrivilege 660 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Aside.pif

pid process

4340 Aside.pif
4340 Aside.pif
4340 Aside.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Aside.pif

pid process

4340 Aside.pif
4340 Aside.pif
4340 Aside.pif

pid	process
4340	Aside.pif

pid	process
660	tasklist.exe
4908	tasklist.exe

pid	process
4368	PING.EXE

pid	process
4340	Aside.pif
4340	Aside.pif
4340	Aside.pif
4340	Aside.pif
4340	Aside.pif
4340	Aside.pif

description	pid	process
Token: SeDebugPrivilege	4908	tasklist.exe
Token: SeDebugPrivilege	660	tasklist.exe

pid	process
4340	Aside.pif
4340	Aside.pif
4340	Aside.pif

pid	process
4340	Aside.pif
4340	Aside.pif
4340	Aside.pif

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

BLAUNHER.execmd.exe

description	pid	process	target process
PID 2216 wrote to memory of 2660	2216	BLAUNHER.exe	cmd.exe
PID 2216 wrote to memory of 2660	2216	BLAUNHER.exe	cmd.exe
PID 2216 wrote to memory of 2660	2216	BLAUNHER.exe	cmd.exe
PID 2660 wrote to memory of 4908	2660	cmd.exe	tasklist.exe
PID 2660 wrote to memory of 4908	2660	cmd.exe	tasklist.exe
PID 2660 wrote to memory of 4908	2660	cmd.exe	tasklist.exe
PID 2660 wrote to memory of 3040	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 3040	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 3040	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 660	2660	cmd.exe	tasklist.exe
PID 2660 wrote to memory of 660	2660	cmd.exe	tasklist.exe
PID 2660 wrote to memory of 660	2660	cmd.exe	tasklist.exe
PID 2660 wrote to memory of 2340	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 2340	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 2340	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 4168	2660	cmd.exe	cmd.exe
PID 2660 wrote to memory of 4168	2660	cmd.exe	cmd.exe
PID 2660 wrote to memory of 4168	2660	cmd.exe	cmd.exe
PID 2660 wrote to memory of 5100	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 5100	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 5100	2660	cmd.exe	findstr.exe
PID 2660 wrote to memory of 4500	2660	cmd.exe	cmd.exe
PID 2660 wrote to memory of 4500	2660	cmd.exe	cmd.exe
PID 2660 wrote to memory of 4500	2660	cmd.exe	cmd.exe
PID 2660 wrote to memory of 4340	2660	cmd.exe	Aside.pif
PID 2660 wrote to memory of 4340	2660	cmd.exe	Aside.pif
PID 2660 wrote to memory of 4340	2660	cmd.exe	Aside.pif
PID 2660 wrote to memory of 4368	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 4368	2660	cmd.exe	PING.EXE
PID 2660 wrote to memory of 4368	2660	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\BLAUNHER.exe
"C:\Users\Admin\AppData\Local\Temp\BLAUNHER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Patrol Patrol.bat && Patrol.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:3040

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c md 1131
3⤵
PID:4168

C:\Windows\SysWOW64\findstr.exe
findstr /V "HoustonLinedBushWorm" Seo
3⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Fifth + Fe + Nc 1131\J
3⤵
PID:4500

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Aside.pif
1131\Aside.pif 1131\J
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4340

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\Aside.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1131\J
Filesize
698KB

MD5
b828c2fbec05d1ad6415562dcd7c4e58

SHA1
5bae8e202a1da8cdadce100d50ee743a854616ea

SHA256
546473d89a78dc9ff36af3488efcd20ebba4a23623f92a092e6fad9074b3da41

SHA512
a5c5f7c7341303b48b485dac2dd1459d74d500f2690226408852b7d8f5d8d3b6dedfa191971fd8d84076340cad3c90b6c8ec84fec64bdca43247304aba493be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Acquisition
Filesize
187KB

MD5
3c2aff0d8970098b0f9106b3c708361a

SHA1
6676e71e93647b06c62aecc3519f0596dfe891eb

SHA256
0b7748d633cea3e1a80567b752c0bcbc0eb41fe0039fb3daa23f3dfa8e7e408d

SHA512
01ffe43ebd38841e7d937477b61f038222998b06697c16b17073dc57d69e12617a27a0fd24e5f01fde190e54dca98c6d3d31e981aaf3b25f387681cfcd85a287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Days
Filesize
216KB

MD5
d153c770c1574f8230973421fbd176ed

SHA1
1c766f3f253fc109af64572ca6b697bd9760209f

SHA256
4296ba79246446a09741c86281db7cecfa9686622c8d8a2ac7101bc45a2b29b0

SHA512
b0b6d775c2bd6c2806571d6684792d87264ea6cdc405dda6a0d97994a8e63622c35de3a584a827307a57c026a9732e342d839caa0aa0088d3d742d1d4778d8a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fe
Filesize
238KB

MD5
89fea930349da97b513e498159e467ea

SHA1
87487e9d44944499bb9c9b2ba4d4cc38d79cccfc

SHA256
3b5c29584b4730025631089be19b0fe3b4ed3928e2953ed89026e3923e5e45ab

SHA512
0b6febd46b2286b50a1753b40eb136ff24436ebaae4df74e58f3a521af994ef7981dcb62b8dd413deab0f8623e8461e0cb25402ff0be0d623d11dfe14a6d7284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fifth
Filesize
216KB

MD5
cc38e7a9c5af4d041445dc188f2ddcc2

SHA1
6a19911d9ec97d794250aa5bca645ae0f6c485ca

SHA256
3a44cd10b295c47b82c0b7289bd4f89da9fde1f6c3bb0827ce627d671acbc679

SHA512
a8e2f7b51ae0c78cde4cb142798055278aa5a4f05e112f99675dafc6d30aac63403edd08146844df6a205e250cbae2a925ee80bebabc2d3aecc384816d3cf00a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Morris
Filesize
182KB

MD5
c5f7d0957adb90f276375814655c83bf

SHA1
a460e897fa73109cf95ff13095611524a7bfec39

SHA256
6da62d62cb30368783fb777d4f8cf616ee931516d4aaec505925e1ce9b4d091b

SHA512
77c05f6c54185554877100a4806f187af14b81ee2a999ac4ce16e07228fc1c3e4f43d213f68f105a47f869623870b097c8153c023eebbdfa3d6163b17ead878d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nc
Filesize
244KB

MD5
2dde038beaf05cc590c2bee586a4c4d2

SHA1
a4bfeb1ac09f117e71cdd4e58fd3674bfecec21c

SHA256
461026d9ec215e6f7f1342a6b4305e092db86df8b95cb00a2043c78ff307a08f

SHA512
b07c6ff965f9b6a5b63f2caf3c4089d2de708373850ed47e70cf6ed26881db43e8b3a83c77b5308fbd5d8723e840b890c1ea15a06ce2985bb2981fc0476b786b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Patrol
Filesize
16KB

MD5
7c5ece84aa3f6a93d23cf9dec0e3767a

SHA1
c8e4835f449c37c645d2b0a740a5c01e56ba2b3c

SHA256
1bd07b26f558bcff6f4d8b84a49480382b30a678199337ea5658b65f2d7075bd

SHA512
8b4946d39e1da47221f79201adf35ebaa6434aa2f9a7ec34261142256cb2db708d2f1ebc49aa7cc5ab3ad712eaaec0505411862b5fa77111ef99585bfb6551f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Seo
Filesize
190B

MD5
8952ba9a875b45ba37ed8fd2a59d7e03

SHA1
9f5ff596ac53add4f5626247d3ead03db709b8e4

SHA256
c486ab6403c6309ece4a033ac389a2964afde812c16b7fb03aee35ca4c710727

SHA512
5edaa6d943f7db0250960e75be61ce19dadae3f71f50384b621d3e61d696d7727b4d7563cd8c1f0d09245745e57587eef3e891a3f759946fad6b541b2d7f762a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Soonest
Filesize
12KB

MD5
cc222fd12f1170f7b769203c63dc74a6

SHA1
91b73179c56d6842c7042e8ff3c27655cf2ed1c0

SHA256
351b3a5638e46053f7a23adc9291e7a92e8627b4ae9368a7fc6290cc0afebec5

SHA512
e9bf6e0af12dcc4ba9c22ff7ff537c4e64e8db45192bb6f379e9ddbca2cdf0bdbff56d50dd56dbec9bcff8408945fd90e9b7e1ad7f6c7704846493e6824327ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Specialist
Filesize
114KB

MD5
a0714233453a18b9056f465ba452aa00

SHA1
0dcc2b11f119857b469459de781b489125dd1b3e

SHA256
50db98ceb557723677bb3ff688247935ca78d4632833aa9e0e33a155b4b81aec

SHA512
1d52d4b9833c7d89c7fa39c071d99b45d7754cdece94786bbbc0b947e264aceb148b75a202e94b67757fdafbce22a02087549d1bc2009bb6b09d8520b74bcaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Worked
Filesize
161KB

MD5
f0675b150d78c39a750088cc102fe65e

SHA1
23902482f4f73eeb040f1c78b85e2680a1d4299d

SHA256
2e40d0a3b057fec24e9665f97c0fd0b1e41e17f22be4aaf8bc0bba7e3e76c7ec

SHA512
330c9d4abc1d661640fe26c036d5bd5b379287ddde72d10c20512e4871b1b123fa8606f281d95102cf341672e5595d664d9a6dfb325a3fe3f1f2797a38f7a1d8

Download Submit
memory/4340-30-0x0000000004C00000-0x0000000004C4F000-memory.dmp

Filesize
316KB

Download
memory/4340-29-0x0000000077B71000-0x0000000077C84000-memory.dmp

Filesize
1.1MB

Download
memory/4340-31-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/4340-32-0x0000000004C00000-0x0000000004C4F000-memory.dmp

Filesize
316KB

Download
memory/4340-33-0x0000000004C00000-0x0000000004C4F000-memory.dmp

Filesize
316KB

Download
memory/4340-34-0x0000000004C00000-0x0000000004C4F000-memory.dmp

Filesize
316KB

Download
memory/4340-35-0x0000000004C00000-0x0000000004C4F000-memory.dmp

Filesize
316KB

Download
memory/4340-37-0x0000000004C00000-0x0000000004C4F000-memory.dmp

Filesize
316KB

Download
memory/4340-38-0x0000000004C00000-0x0000000004C4F000-memory.dmp

Filesize
316KB

Download