lumma | 18c5deaf2c328bb86d5296afc5ec288b86cf11483fcb3266e1e7dace7fa986bf | Triage

Submit
Reports

Overview

overview

Static

static

3

Loader.exe

windows7-x64

9

Loader.exe

windows10-2004-x64

Sharing

General

Target

Archive.rar
Size

45.6MB
Sample

240427-g4w5gach59
MD5

fc381421d3bdadbb2e883493681ca69f
SHA1

b6f2a92fb94d7a974b0b2178541cd17357a7153f
SHA256

18c5deaf2c328bb86d5296afc5ec288b86cf11483fcb3266e1e7dace7fa986bf
SHA512

a8c54df45004671560a2061bd2a9a34ee46eb3e61d1a5882644932f12b1af0dabfe8e1c7364b56a95aad35f9d99ef72798abdcfaa3b7ca5c114bf6e9a58ad998
SSDEEP

786432:ILtGxPlOjloavK0KRCOw/beNnvEqcdZxzOaWA1nAWD9NnLweoQK69v6UekS9Tk7C:IQxPlOjyV082/iNsqcv/ZnA8NnENQK60

Score

10^/10

lumma evasion persistence stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Loader.exe

Resource

win7-20240220-en

evasion persistence themida trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Loader.exe

Resource

win10v2004-20240426-en

lumma evasion persistence stealer themida trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

lumma

C2

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Targets

- Target
  
  Loader.exe.vir
- Size
  
  667.6MB
- MD5
  
  7cc20058012097efa4abde90287e38f4
- SHA1
  
  82f54527ff8cd2695dc391f39978dee0192b3080
- SHA256
  
  18aca5c964d48dc9d8cdcd4a4a7a4be5fba19f72c5aa94d2090e84dbad4ea38b
- SHA512
  
  c208d3e6fc5a0fb3b10cc8ebd69976bda8e3b2cb49debd425b1b19e49afd78795772c1c085dbd8f2e5836340bcf9ee2ef941d99e114bec7726062178a6dcd856
- SSDEEP
  
  196608:kpHkUgQgnjoklXR4R4rwEH5OTSFG+OIvcW/rBXBFIoioPPPEdAL6M6:kpHkUAckl6qPHcSBXBFOAUdk6P
Score

10^/10

evasion persistence themida trojan lumma stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Creates new service(s)
  persistence
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

evasionpersistencethemidatrojan

behavioral2

lummaevasionpersistencestealerthemidatrojan

© 2018-2024

Terms | Privacy