lumma | c72cf415a94408081bba0852edd261aa2fde4928f7f1369dd80584ca029adf71

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 15:20

Target

Raysen hack v5.16.exe
Size

1.2MB
MD5

af5a4e397ac90ccf21d63bf97cc29e24
SHA1

371dc0c32151797d95b33050d782b12fcec9957f
SHA256

c72cf415a94408081bba0852edd261aa2fde4928f7f1369dd80584ca029adf71
SHA512

22ae17a1bd1a6bbcca497e662a92be95a06a3161760856e28e1fba9b09959bf4109e0ba50ecb1353d16e5bac7fb300927f7c84c137e747136afbf5feae4d8b0f
SSDEEP

24576:XXlVZ9EuUFpJQ5MbK3yPXa7RRUljiUe/MLmhzj/:XVwFpJQ5Mby0zwMy

Score

10^/10

lumma stealer

Family

lumma

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

Raysen hack v5.16.exe

description pid process target process

PID 4396 set thread context of 864 4396 Raysen hack v5.16.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

752 4396 WerFault.exe Raysen hack v5.16.exe

description	pid	process	target process
PID 4396 set thread context of 864	4396	Raysen hack v5.16.exe	RegAsm.exe

pid	pid_target	process	target process
752	4396	WerFault.exe	Raysen hack v5.16.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Raysen hack v5.16.exe

description	pid	process	target process
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe
PID 4396 wrote to memory of 864	4396	Raysen hack v5.16.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Raysen hack v5.16.exe
"C:\Users\Admin\AppData\Local\Temp\Raysen hack v5.16.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 332
  2⤵
  - Program crash
  PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4396 -ip 4396
1⤵
PID:432

memory/864-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/864-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/864-4-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/864-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4396-1-0x0000000000AC0000-0x0000000000BF5000-memory.dmp

Filesize
1.2MB

Download
memory/4396-5-0x0000000000AC0000-0x0000000000BF5000-memory.dmp

Filesize
1.2MB

Download