lumma | 8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe
Size

5.1MB
MD5

4cd5c3bfaf38e24354b68ad804f97bf6
SHA1

9d6361b5e82849af7654780d195a8df37113da2c
SHA256

8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477
SHA512

2fc9fa4114582ad6845a0c56a3abbf89174d72b2f8bc993e34a6e6680d96d08cf0246741176f7713628e853fa159a3e0b14842b71c08d8d7348557d5a1591756
SSDEEP

98304:jJPjEOHUsZaON7Skjwsxa4e1P8Fk22daKUWpgcf:WOHUT+5jVa4CwkqWpg+

Score

10^/10

lumma purelogstealer stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 5 IoCs

resource	yara_rule
behavioral1/memory/2628-14-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral1/memory/2628-16-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral1/memory/2628-17-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral1/memory/2628-12-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral1/memory/2628-19-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/2452-4-0x00000000048A0000-0x000000000492C000-memory.dmp	family_purelog_stealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28
PID 2452 wrote to memory of 2628	2452	8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe	28

C:\Users\Admin\AppData\Local\Temp\8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe
"C:\Users\Admin\AppData\Local\Temp\8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:2628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-18-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-1-0x00000000008B0000-0x0000000000DCA000-memory.dmp

Filesize
5.1MB

Download
memory/2452-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-3-0x0000000005160000-0x0000000005382000-memory.dmp

Filesize
2.1MB

Download
memory/2452-4-0x00000000048A0000-0x000000000492C000-memory.dmp

Filesize
560KB

Download
memory/2452-5-0x0000000005380000-0x00000000053F4000-memory.dmp

Filesize
464KB

Download
memory/2452-6-0x0000000006B70000-0x0000000006BE4000-memory.dmp

Filesize
464KB

Download
memory/2452-7-0x0000000002680000-0x00000000026CC000-memory.dmp

Filesize
304KB

Download
memory/2452-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/2628-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2628-17-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2628-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-12-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2628-11-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2628-10-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2628-9-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2628-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2628-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2628-19-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download