lumma | 3580962e7151aea9507413341558f760c60987546887c85edb3745e4ed844d0a

Analysis

max time kernel
144s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

2.3MB
MD5

5d52ef45b6e5bf144307a84c2af1581b
SHA1

414a899ec327d4a9daa53983544245b209f25142
SHA256

26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512

458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
SSDEEP

49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://warmstrawcounwyhj.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 3012 set thread context of 1892 3012 Setup.exe ftp.exe
Loads dropped DLL 1 IoCs

Processes:

BvInputDiag.exe

pid process

2632 BvInputDiag.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Setup.exeftp.exe

pid process

3012 Setup.exe
3012 Setup.exe
1892 ftp.exe
1892 ftp.exe
1892 ftp.exe
1892 ftp.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exeftp.exe

pid process

3012 Setup.exe
1892 ftp.exe

description	pid	process	target process
PID 3012 set thread context of 1892	3012	Setup.exe	ftp.exe

pid	process
2632	BvInputDiag.exe

pid	process
3012	Setup.exe
3012	Setup.exe
1892	ftp.exe
1892	ftp.exe
1892	ftp.exe
1892	ftp.exe

pid	process
3012	Setup.exe
1892	ftp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Setup.exeftp.exe

description	pid	process	target process
PID 3012 wrote to memory of 1892	3012	Setup.exe	ftp.exe
PID 3012 wrote to memory of 1892	3012	Setup.exe	ftp.exe
PID 3012 wrote to memory of 1892	3012	Setup.exe	ftp.exe
PID 3012 wrote to memory of 1892	3012	Setup.exe	ftp.exe
PID 1892 wrote to memory of 2632	1892	ftp.exe	BvInputDiag.exe
PID 1892 wrote to memory of 2632	1892	ftp.exe	BvInputDiag.exe
PID 1892 wrote to memory of 2632	1892	ftp.exe	BvInputDiag.exe
PID 1892 wrote to memory of 2632	1892	ftp.exe	BvInputDiag.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\ftp.exe
  C:\Windows\SysWOW64\ftp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
    C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
    3⤵
    - Loads dropped DLL
    PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7bbeacf7

Filesize
1.1MB

MD5
6b03c8d92143a609d781a14d72f4df81

SHA1
1b56881bf4cdb91c1a6526d5713e2552b8b0efaa

SHA256
c0ec081e4ab670f9a06dd3d4be6614f555dbd98400f097f826bdfdb8e5337757

SHA512
673fae99e27dc7783b475e05115665721b0968abba0b3483763f18960baef255cdbf32115c27d0ddef4e8fd16fb513ac76228fb889149556445a557a4d88e409

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

Filesize
136KB

MD5
3d754cfa4a5b2a3f19720550acf6d3cf

SHA1
e5c78edbd54e14a42258a6c223d2cf128530e1b6

SHA256
8e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8

SHA512
18db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b

Download Submit
memory/1892-26-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download
memory/1892-22-0x00007FFDDF5F0000-0x00007FFDDF7E5000-memory.dmp

Filesize
2.0MB

Download
memory/1892-14-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download
memory/1892-24-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download
memory/2632-33-0x0000000000B20000-0x0000000000B6E000-memory.dmp

Filesize
312KB

Download
memory/2632-32-0x0000000000860000-0x0000000000880000-memory.dmp

Filesize
128KB

Download
memory/2632-31-0x0000000000B20000-0x0000000000B6E000-memory.dmp

Filesize
312KB

Download
memory/2632-30-0x00007FFDDF5F0000-0x00007FFDDF7E5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-19-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/3012-11-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download
memory/3012-21-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/3012-20-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/3012-18-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/3012-0-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download
memory/3012-1-0x00007FFDDF5F0000-0x00007FFDDF7E5000-memory.dmp

Filesize
2.0MB

Download
memory/3012-13-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3012-16-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/3012-17-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3012-10-0x00000000743A0000-0x000000007451B000-memory.dmp

Filesize
1.5MB

Download