lumma | bce765dc1c317a4a09000a228a3ce7ba93d802fbb5c7934618f847f5c467aae0

Analysis

max time kernel
51s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 16:02

Target

Setup.exe
Size

460KB
MD5

ce9903e5b7a9e6c90024b0a464b41563
SHA1

f6d2a961a83eeff8d37fc8b43530451997a23966
SHA256

bce765dc1c317a4a09000a228a3ce7ba93d802fbb5c7934618f847f5c467aae0
SHA512

3c7aae290acd1701a7035519db4dabc4a26ac36138cfa16947d3ee24cfc30df45fcad1cbd251802c9791a071fafeafe2ed3631f26f1806ca3295ab66a71d49e5
SSDEEP

12288:bxFiAgK2dK2csCm22WFg4wWivbSmZm6p2:LMK2tCOmgJWiWUj2

Score

10^/10

lumma stealer

Family

lumma

https://alcojoldwograpciw.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 4888 set thread context of 1216 4888 Setup.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3712 4888 WerFault.exe Setup.exe

description	pid	process	target process
PID 4888 set thread context of 1216	4888	Setup.exe	RegAsm.exe

pid	pid_target	process	target process
3712	4888	WerFault.exe	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Setup.exe

description	pid	process	target process
PID 4888 wrote to memory of 1868	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1868	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1868	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe
PID 4888 wrote to memory of 1216	4888	Setup.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 640
  2⤵
  - Program crash
  PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4888 -ip 4888
1⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4664

memory/1216-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1216-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1216-4-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1216-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4888-0-0x0000000000F80000-0x0000000000FF4000-memory.dmp

Filesize
464KB

Download
memory/4888-5-0x0000000000F80000-0x0000000000FF4000-memory.dmp

Filesize
464KB

Download