lumma | 5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6

General

Target

5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe
Size

6.1MB
MD5

aadcb48e55bc9b46330af12e1f07149e
SHA1

899603c0be689463161d54ca169e8469f47c4458
SHA256

5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6
SHA512

db1fe544f1fdd3653500301a632534bee7d45f6faa85dfe35a4d64b9ae75637d510653571661d92bf295d3e43334dc18cbfda076076715771bbcee8336368fb6
SSDEEP

49152:ANviFe5H7gbXKP19kKNGlXhV6DwOGRJBD9KGiJZIln/fIA2Mg+0SBI3XNvqVUq4/:ANviR6UPLnn/WBymPQFeQzkjwQF7

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

C2

https://scandalbasketballoe.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Loads dropped DLL 1 IoCs

Processes:

5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe

pid process

4768 5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe

pid	process
4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe

description	pid	process	target process
PID 4768 set thread context of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe

description	pid	process	target process
PID 4768 wrote to memory of 704	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 704	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 704	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe
PID 4768 wrote to memory of 4752	4768	5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe	MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe
"C:\Users\Admin\AppData\Local\Temp\5029311ee6003a5350130f76ae2218f7366adc28d09c08d6464f58e7f6398fe6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/4752-29-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4752-26-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4752-25-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4752-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4768-16-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/4768-19-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4768-7-0x0000000005840000-0x0000000005C1A000-memory.dmp

Filesize
3.9MB

Download
memory/4768-8-0x0000000005460000-0x00000000057B0000-memory.dmp

Filesize
3.3MB

Download
memory/4768-9-0x0000000005D20000-0x0000000005F52000-memory.dmp

Filesize
2.2MB

Download
memory/4768-10-0x0000000007080000-0x0000000007212000-memory.dmp

Filesize
1.6MB

Download
memory/4768-5-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4768-1-0x00000000002A0000-0x00000000008B2000-memory.dmp

Filesize
6.1MB

Download
memory/4768-17-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4768-6-0x0000000005440000-0x0000000005460000-memory.dmp

Filesize
128KB

Download
memory/4768-18-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4768-21-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4768-20-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4768-22-0x00000000077E0000-0x00000000078E0000-memory.dmp

Filesize
1024KB

Download
memory/4768-4-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/4768-3-0x0000000005100000-0x000000000519C000-memory.dmp

Filesize
624KB

Download
memory/4768-2-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/4768-0-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/4768-28-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing