lumma | 890a0156321fb9ecb25e25f4d1734fcd3d3ce0221f298cb57407d5fd2086fc81

Analysis

max time kernel
316s
max time network
1576s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-04-2024 20:27

Target

Pass~free~ApplicationSetupFile ~ (17.1).exe
Size

26.5MB
MD5

781b0469d55f586890d34a668ed1a014
SHA1

6f5e6f6e6c418b04090ffeb5a35ce2437d4f07df
SHA256

890a0156321fb9ecb25e25f4d1734fcd3d3ce0221f298cb57407d5fd2086fc81
SHA512

61c6f2ea41c274c9907b80e61989a08950bbbecac2c834443d86a89b19c4e46fd5c09ed2dceff9ba34b76b81178199b7cb3170431d35f6f82d90cc9e66bad18a
SSDEEP

12288:84J4ZH65jJWj6GVKgVT85DiuPue0eL86XRar:F4ZGW2Gk6mJPHzBW

Score

10^/10

lumma stealer

Family

lumma

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3588	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	74
PID 2924 wrote to memory of 3588	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	74
PID 2924 wrote to memory of 3588	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	74
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75
PID 2924 wrote to memory of 4752	2924	Pass~free~ApplicationSetupFile ~ (17.1).exe	75

C:\Users\Admin\AppData\Local\Temp\Pass~free~ApplicationSetupFile ~ (17.1).exe
"C:\Users\Admin\AppData\Local\Temp\Pass~free~ApplicationSetupFile ~ (17.1).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4752

memory/2924-0-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/2924-2-0x0000000000E00000-0x0000000000E82000-memory.dmp

Filesize
520KB

Download
memory/4752-1-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4752-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4752-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4752-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download