lumma | 2d27d929651f167d690fa610fa8fbcfb33d0d30ebc158ef50a8bc62000270ca7

Analysis

max time kernel
17s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 18:48

Target

Executor/Injector.exe
Size

1.2MB
MD5

9d6470e951494e2195189b03bf47c9c2
SHA1

f99012e40e258b79f7b97b9efe91e7f01d93d5be
SHA256

2c9f5f678d8c8448cab83d4a855100b347ce50ac7d495a156b72edf81389cc9a
SHA512

fbe68915cd1445050a5e2450455425f66ad7cc1622eeb38a0a77f964af8c2c1008746dc12cc13b0339ec6a301a59f8edc6465c030f6b3eead2c038cbf1ed725d
SSDEEP

24576:isMl5IXhqt4J3jo09c2ga8eFUJspf8fVuYX560FCX:ifTt4J3jo0M1sd8fRJVY

Score

10^/10

lumma stealer

Family

lumma

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

Injector.exe

description pid process target process

PID 4896 set thread context of 644 4896 Injector.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3276 4896 WerFault.exe Injector.exe

description	pid	process	target process
PID 4896 set thread context of 644	4896	Injector.exe	RegAsm.exe

pid	pid_target	process	target process
3276	4896	WerFault.exe	Injector.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Injector.exe

description	pid	process	target process
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe
PID 4896 wrote to memory of 644	4896	Injector.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Executor\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Executor\Injector.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 332
  2⤵
  - Program crash
  PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4896 -ip 4896
1⤵
PID:1412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4804

memory/644-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/644-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/644-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/644-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4896-1-0x00000000009C0000-0x0000000000AF9000-memory.dmp

Filesize
1.2MB

Download
memory/4896-5-0x00000000009C0000-0x0000000000AF9000-memory.dmp

Filesize
1.2MB

Download