lumma | d3b7e5cbe2980cd2fb6f7f30eaade26a956ec4a02e71ed37c80b263166b40ef2

Analysis

max time kernel
125s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
Size

1.2MB
MD5

0edc62a65d1081dc5d7b85b678ab57a5
SHA1

1e1448bcce4f519920f50e12cbe27b79418036b3
SHA256

3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63
SHA512

4ab96c86203104d741c166f1980b04a5e74c1e294b676c4dccaee9eca5308ea729099d7dbfea605b5037181c57c4f870fe0b3ff5008b4f8b2b60ed0f95cc1db2
SSDEEP

24576:0g16H28pon7yhsS6RUOviFG7IrCJ366q1FP3fkTV:0O0on7yhsS6RUFUDRVskTV

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5040 set thread context of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3268	5040	WerFault.exe	87

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89
PID 5040 wrote to memory of 212	5040	3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe	89

C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
"C:\Users\Admin\AppData\Local\Temp\3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 324
  2⤵
  - Program crash
  PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/212-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/212-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/212-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5040-0-0x0000000000A66000-0x0000000000A68000-memory.dmp

Filesize
8KB

Download