lumma | ca2b787bb72f0bd9d79013aa93800bfd84c73aad74662c48e69425e4adfb549b

General

Target

hv.exe
Size

8.7MB
MD5

480f8cf600f5509595b8418c6534caf2
SHA1

dc13258ebb83bdf956523d751f67e29d6e4cf77e
SHA256

6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2
SHA512

f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf
SSDEEP

196608:Ywdj1UbkCchr3rlFE8GCWhKUzGZ3gRTFHnBz58//o:Yw91Ubkxhr3rlFHWhKUzGZ3gRTFhzi/o

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

C2

https://secretiveonnicuw.shop/api

https://liabiliytshareodlkv.shop/api

https://notoriousdcellkw.shop/api

https://conferencefreckewl.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://ohfantasyproclaiwlo.shop/api

https://parallelmercywksoffw.shop/api

https://barebrilliancedkoso.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

hv.exe

description pid process target process

PID 4648 set thread context of 1008 4648 hv.exe netsh.exe
Executes dropped EXE 1 IoCs

Processes:

hv.exe

pid process

4648 hv.exe
Loads dropped DLL 2 IoCs

Processes:

hv.exe0x21.pif

pid process

4648 hv.exe
4936 0x21.pif
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

hv.exehv.exenetsh.exe

pid process

1848 hv.exe
4648 hv.exe
4648 hv.exe
1008 netsh.exe
1008 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

hv.exenetsh.exe

pid process

4648 hv.exe
1008 netsh.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hv.exehv.exe

pid process

1848 hv.exe
4648 hv.exe

description	pid	process	target process
PID 4648 set thread context of 1008	4648	hv.exe	netsh.exe

pid	process
4648	hv.exe

pid	process
4648	hv.exe
4936	0x21.pif

pid	process
1848	hv.exe
4648	hv.exe
4648	hv.exe
1008	netsh.exe
1008	netsh.exe

pid	process
4648	hv.exe
1008	netsh.exe

pid	process
1848	hv.exe
4648	hv.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

hv.exehv.exenetsh.exe

description	pid	process	target process
PID 1848 wrote to memory of 4648	1848	hv.exe	hv.exe
PID 1848 wrote to memory of 4648	1848	hv.exe	hv.exe
PID 1848 wrote to memory of 4648	1848	hv.exe	hv.exe
PID 4648 wrote to memory of 1008	4648	hv.exe	netsh.exe
PID 4648 wrote to memory of 1008	4648	hv.exe	netsh.exe
PID 4648 wrote to memory of 1008	4648	hv.exe	netsh.exe
PID 4648 wrote to memory of 1008	4648	hv.exe	netsh.exe
PID 1008 wrote to memory of 4936	1008	netsh.exe	0x21.pif
PID 1008 wrote to memory of 4936	1008	netsh.exe	0x21.pif
PID 1008 wrote to memory of 4936	1008	netsh.exe	0x21.pif
PID 1008 wrote to memory of 4936	1008	netsh.exe	0x21.pif

C:\Users\Admin\AppData\Local\Temp\hv.exe
"C:\Users\Admin\AppData\Local\Temp\hv.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\0x21.pif
C:\Users\Admin\AppData\Local\Temp\0x21.pif
4⤵
- Loads dropped DLL
PID:4936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0x21.pif
Filesize
76KB

MD5
f43c6b629baaaaee1e7fe095a8821631

SHA1
f0e4b84bb1fa6ba985e281f3afc9642afca168b5

SHA256
4196f6776110e75a9670fb5843f373e90e88c0826ead45a30e9578221ff44ae3

SHA512
2b475850705fa37dd0c1b093d31ccce48ffdbcc614215ffb304070b4f31e16ca651d4569af39b36482c848751f1e31b7fd647bd23245718a0a1e877a6417878a

Download Submit
C:\Users\Admin\AppData\Local\Temp\91cb97c8
Filesize
1.1MB

MD5
8f8faabb79f1a87a338b4990feaa2ec5

SHA1
1a651f454aeaeb46be6a565741cba92a2ebb8abf

SHA256
438ddb313629c712c09bcfd6d88b8d82e8789e7badbc1dbbb7eaa4e37f7cfbb8

SHA512
f30311915b7f263601f06d29cf8f5a66ebde5f2f572787619d549b218f412baa92f017a7f04083a582cef695e90194332e181e945d519963715e98e86f85fbd5

Download Submit
C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
Filesize
8.7MB

MD5
480f8cf600f5509595b8418c6534caf2

SHA1
dc13258ebb83bdf956523d751f67e29d6e4cf77e

SHA256
6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2

SHA512
f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf

Download Submit
C:\Users\Admin\AppData\Roaming\BqDaemon\iepdf32.dll
Filesize
4.3MB

MD5
f3f6876d132eb277842e31ddc42aa7fa

SHA1
9c167a2854ed106b74dff55a30bdefc55b140e9a

SHA256
4ba2ddde8a4549d08bfe4441643aa626e84d7653b8ddc6ed61823e78aeb3cdf1

SHA512
38b86c745945b0f97461542f89b2570210ddc3fcfeabfe2243a3b861dd80be6641e4b4181956d73926b7926d7c460db8a908ccb912c5209003ee24427aa135f9

Download Submit
C:\Users\Admin\AppData\Roaming\BqDaemon\rhombohedron.ai
Filesize
59KB

MD5
674dfd74a1bef081bf0da83f893138e5

SHA1
2a254cc02fea4c55bbc3133b99a9e2fd03082ae7

SHA256
67ff95298e395543ea0c9eeec6bfff81688df379bec578aa31c52d214b385180

SHA512
0b2bfbe287a037d46d881a00638a3c272197cf3537bc74169c07c7721cda2bf94927268bfd6cb965ad56e1ac98e3466d809cbc67f2e4d971dd0d7da9568a4cce

Download Submit
C:\Users\Admin\AppData\Roaming\BqDaemon\shovelnose.deb
Filesize
827KB

MD5
90b47672d8134f8cc464d83a5cde8d34

SHA1
69567e6a2dd5569b8cd2876a275f5d9a2ad8743f

SHA256
cc38b5cb522fdf8d2fe5e85c50d72e1b8ac39d36deb157d4bffdda7970c5ba8b

SHA512
7dbeb8d4a5674c088fa904a9fdcddf9cb84d41b2d2c887ba38cfcdd1ac30cf4cd8ae28bc33fc3ee51139e78645f7fb580dfaf57e939c4e144b79d507a1d1d90b

Download Submit
memory/1008-35-0x0000000075840000-0x00000000758A3000-memory.dmp

Filesize
396KB

Download
memory/1008-25-0x0000000075840000-0x00000000758A3000-memory.dmp

Filesize
396KB

Download
memory/1008-23-0x00007FFEF87D0000-0x00007FFEF89C5000-memory.dmp

Filesize
2.0MB

Download
memory/1848-9-0x0000000000C80000-0x0000000001556000-memory.dmp

Filesize
8.8MB

Download
memory/1848-0-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1848-2-0x00007FFEF87D0000-0x00007FFEF89C5000-memory.dmp

Filesize
2.0MB

Download
memory/1848-1-0x0000000075840000-0x00000000758A3000-memory.dmp

Filesize
396KB

Download
memory/4648-10-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4648-21-0x0000000000020000-0x00000000008F6000-memory.dmp

Filesize
8.8MB

Download
memory/4648-19-0x0000000075840000-0x00000000758A3000-memory.dmp

Filesize
396KB

Download
memory/4648-17-0x0000000075852000-0x0000000075854000-memory.dmp

Filesize
8KB

Download
memory/4648-18-0x0000000075840000-0x00000000758A3000-memory.dmp

Filesize
396KB

Download
memory/4648-16-0x00007FFEF87D0000-0x00007FFEF89C5000-memory.dmp

Filesize
2.0MB

Download
memory/4648-15-0x0000000075840000-0x00000000758A3000-memory.dmp

Filesize
396KB

Download
memory/4936-29-0x00007FFEF87D0000-0x00007FFEF89C5000-memory.dmp

Filesize
2.0MB

Download
memory/4936-30-0x0000000000980000-0x00000000009D8000-memory.dmp

Filesize
352KB

Download
memory/4936-33-0x0000000000980000-0x00000000009D8000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing