lumma | 57a34a1caae7f0426b32bc71b73785f820451c97d3c5db368da479183b037629

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe
Size

1.2MB
MD5

5bb7562ad2bb2fb122d6d2c40d6a855e
SHA1

0b4b3dfc42ca7de38e8fe6572389409f38f742fb
SHA256

8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8
SHA512

41137bb2030b67d7a6f12b49c2c9a732f5efac08c833f5332194efea2893f1a85cf7425e0620d349e8b2a1f78c3881353ea907468a46e243311aa4b62c1e3a91
SSDEEP

24576:SOtUIXhOon8zlymWH89vv1vBaTnIqlWg9z6W:Swson8zlymWH8tzeIRgUW

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3588	4440	WerFault.exe	81

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82
PID 4440 wrote to memory of 1512	4440	8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe	82

C:\Users\Admin\AppData\Local\Temp\8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe
"C:\Users\Admin\AppData\Local\Temp\8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 320
  2⤵
  - Program crash
  PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4440 -ip 4440
1⤵
PID:3224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-1-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1512-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1512-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1512-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4440-0-0x00000000005E8000-0x00000000005E9000-memory.dmp

Filesize
4KB

Download