lumma | aa1084513e11d4835540d3372a0de70b3c00ca129f85e6b7058ecb034b36048d

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

608KB
MD5

11be050f771a4b60d731464f6db5479d
SHA1

e273ebbb5d8aeea9e1e2c5df76da22e40f4231fd
SHA256

8d529fe1e7238d741ffe62357dfbf632beb869b7954900d96133cdc290f06790
SHA512

9678b5563cf5e7f33b16439768207665c9ef0599dc978ab9cd5b37afe1ddf580c462f7f23ee908b504568e42d11d05d41d3a249161dd08616aaf5e051e8f8455
SSDEEP

12288:KCSAVVhuBjUgpVRbX+zPudU8rOGmrsdlipcjgYPrKYlQcN1m6wif7sY4+QumXGPd:KCSA1uqgzRz+zPIU8r10P

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://distincttangyflippan.shop/api

https://macabrecondfucews.shop/api

https://greentastellesqwm.shop/api

https://stickyyummyskiwffe.shop/api

https://sturdyregularrmsnhw.shop/api

https://lamentablegapingkwaq.shop/api

https://innerverdanytiresw.shop/api

https://standingcomperewhitwo.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Loads dropped DLL 1 IoCs

pid	Process
4636	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4636 set thread context of 2840	4636	Setup.exe	85

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2840	4636	Setup.exe	85
PID 4636 wrote to memory of 2840	4636	Setup.exe	85
PID 4636 wrote to memory of 2840	4636	Setup.exe	85
PID 4636 wrote to memory of 2840	4636	Setup.exe	85
PID 4636 wrote to memory of 2840	4636	Setup.exe	85
PID 4636 wrote to memory of 2840	4636	Setup.exe	85
PID 4636 wrote to memory of 2840	4636	Setup.exe	85
PID 4636 wrote to memory of 2840	4636	Setup.exe	85
PID 4636 wrote to memory of 2840	4636	Setup.exe	85

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
437KB

MD5
44af1103d6ce490f9f7e7d02d72b8b9e

SHA1
76ba8f9399b8d083f965876fd7e169c33ad641bc

SHA256
d156780bbc2ad35d22d00f57b00aa73dd898baea34d1f254ded14778f44bb7ad

SHA512
c819a78d357c8ef40fd03b49f1c8608a130581c7ec28bd403ae75ce41d78aa71e312156b0cda8a94df48197bb1aed681501e2767a86ef10bbea968ba0ad989c2

Download Submit
memory/2840-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2840-12-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2840-15-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4636-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4636-1-0x0000000000050000-0x00000000000F2000-memory.dmp

Filesize
648KB

Download
memory/4636-2-0x00000000009C0000-0x00000000009C6000-memory.dmp

Filesize
24KB

Download
memory/4636-13-0x0000000077B91000-0x0000000077CB1000-memory.dmp

Filesize
1.1MB

Download
memory/4636-14-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4636-16-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download