lumma | e7ff7f2671903c02a58ca5e9fdce4e4a6abef2945c92f0e07c3cdd974e2d3a0f

Analysis

max time kernel
136s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

684.0MB
MD5

6074b20c55c562f942ca7b591d3306f1
SHA1

536a053664bb7cbf88b6908c6acb0889c61d706d
SHA256

6f0a3619dae4e23f78b527e658ab2c2ee05b4f7a0393d3064ec704b213d2483d
SHA512

dfad2d28398b94113759fe10a28fe47cb1f52ec70e97bb9c3248bde4bdb6db8df4c80a362066b4fec6d648d064cd4520dd081fe1a4cd70fa93a458e3c4cd4ee5
SSDEEP

196608:NzI83e24i8fZVsIHSGjsWQcwATPlc3WJy+43Y/I7ibkF+Q5ptGu:74iwsgNjsWQV

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://joblkessprosgeow.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4308 set thread context of 4460	4308	Setup.exe	94
PID 4460 set thread context of 2240	4460	netsh.exe	98

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4308	Setup.exe
4308	Setup.exe
4460	netsh.exe
4460	netsh.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4308	Setup.exe
4460	netsh.exe
4460	netsh.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4460	4308	Setup.exe	94
PID 4308 wrote to memory of 4460	4308	Setup.exe	94
PID 4308 wrote to memory of 4460	4308	Setup.exe	94
PID 4308 wrote to memory of 4460	4308	Setup.exe	94
PID 4460 wrote to memory of 2240	4460	netsh.exe	98
PID 4460 wrote to memory of 2240	4460	netsh.exe	98
PID 4460 wrote to memory of 2240	4460	netsh.exe	98
PID 4460 wrote to memory of 2240	4460	netsh.exe	98

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\SysWOW64\regsvr32.exe
    3⤵
    PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fb39e45d

Filesize
1.1MB

MD5
3e74adcad456fbca64774f9dddabe3f4

SHA1
d6648cd4bc37cd5655274f6ce6c8115113bf2b8e

SHA256
60e5fcc5cf0b7fbd0c10c9a76d8a09a98d4e01e150cbcd3c2f4f55f467eee42a

SHA512
6914cce6798c06520ce8a7658c0717f29b543d43741dff417564bb07b8ad420eae513629d38e326da5e916f6b980bbf178817bef1a572a27702ac09fac211cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd7f8d09

Filesize
1022KB

MD5
568a2f1eefa9bd904cc6c89b94f00b63

SHA1
df3d6a9dc94813f852aaf0a4bf4652414ed536f9

SHA256
512279aa6f86815d63f6d3a2be39c52cba81f048061a9c7f6bf29ee664d1832f

SHA512
ca46358488e0e09abb1059d46fbdef2a74d97516062752308872bb6556ea256c946151886485a58457042d3641c83d18ad582a61e8bb57995088af932ac08f26

Download Submit
memory/2240-16-0x0000000073040000-0x0000000074294000-memory.dmp

Filesize
18.3MB

Download
memory/2240-20-0x0000000000A30000-0x0000000000A8A000-memory.dmp

Filesize
360KB

Download
memory/2240-19-0x0000000073041000-0x0000000073048000-memory.dmp

Filesize
28KB

Download
memory/2240-18-0x0000000000A30000-0x0000000000A8A000-memory.dmp

Filesize
360KB

Download
memory/2240-17-0x00007FFF21990000-0x00007FFF21B85000-memory.dmp

Filesize
2.0MB

Download
memory/4308-8-0x00007FFF04190000-0x00007FFF04302000-memory.dmp

Filesize
1.4MB

Download
memory/4308-9-0x00007FFF04190000-0x00007FFF04302000-memory.dmp

Filesize
1.4MB

Download
memory/4308-0-0x0000000140000000-0x00000001403F7000-memory.dmp

Filesize
4.0MB

Download
memory/4308-7-0x00007FFF041A8000-0x00007FFF041A9000-memory.dmp

Filesize
4KB

Download
memory/4308-6-0x00007FFF04190000-0x00007FFF04302000-memory.dmp

Filesize
1.4MB

Download
memory/4460-14-0x0000000074381000-0x000000007438F000-memory.dmp

Filesize
56KB

Download
memory/4460-13-0x000000007438E000-0x0000000074390000-memory.dmp

Filesize
8KB

Download
memory/4460-15-0x0000000074381000-0x000000007438F000-memory.dmp

Filesize
56KB

Download
memory/4460-12-0x00007FFF21990000-0x00007FFF21B85000-memory.dmp

Filesize
2.0MB

Download
memory/4460-22-0x000000007438E000-0x0000000074390000-memory.dmp

Filesize
8KB

Download