lumma | 3f2e281bc1e4ff8f98cf343e13eb71fc5cf6ed7fe5241980ac00d90439f13c84

Analysis

max time kernel
244s
max time network
302s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-06-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f2e281bc1e4ff8f98cf343e13eb71fc5cf6ed7fe5241980ac00d90439f13c84.exe
Size

6.4MB
MD5

57a6a83482ce2897e8cdec17accbd662
SHA1

4416d6ec1f6a25245a4fc5e0352f3deb11e0b789
SHA256

3f2e281bc1e4ff8f98cf343e13eb71fc5cf6ed7fe5241980ac00d90439f13c84
SHA512

4960d3ec893153bd5138e64dfa8dd1f205dccb4104c839024b87b2e18b256532830280826ce61b6063929fa8b72abcc5fa95c582596abf6874d6ccbea1b509ab
SSDEEP

196608:6qwfqwOzG9HNMiKXSuXOBGdg7L+0gO18pio:hEtsiuXOL1dJo

Score

10^/10

lumma stealer vmprotect

Malware Config

Extracted

Family

lumma

https://greentastellesqwm.shop/api

https://distincttangyflippan.shop/api

https://macabrecondfucews.shop/api

https://stickyyummyskiwffe.shop/api

https://sturdyregularrmsnhw.shop/api

https://lamentablegapingkwaq.shop/api

https://innerverdanytiresw.shop/api

https://standingcomperewhitwo.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 2 IoCs

pid	Process
3604	world.exe
360	korawe.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000800000001ac46-18.dat	vmprotect
behavioral2/memory/360-22-0x0000000001050000-0x000000000195D000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
360	korawe.exe
360	korawe.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4940	748	3f2e281bc1e4ff8f98cf343e13eb71fc5cf6ed7fe5241980ac00d90439f13c84.exe	73
PID 748 wrote to memory of 4940	748	3f2e281bc1e4ff8f98cf343e13eb71fc5cf6ed7fe5241980ac00d90439f13c84.exe	73
PID 4940 wrote to memory of 3604	4940	cmd.exe	76
PID 4940 wrote to memory of 3604	4940	cmd.exe	76
PID 3604 wrote to memory of 360	3604	world.exe	77
PID 3604 wrote to memory of 360	3604	world.exe	77
PID 3604 wrote to memory of 360	3604	world.exe	77

C:\Users\Admin\AppData\Local\Temp\3f2e281bc1e4ff8f98cf343e13eb71fc5cf6ed7fe5241980ac00d90439f13c84.exe
"C:\Users\Admin\AppData\Local\Temp\3f2e281bc1e4ff8f98cf343e13eb71fc5cf6ed7fe5241980ac00d90439f13c84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\world.exe
    world.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\korawe.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\korawe.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
36B

MD5
974050db6bb7b820e3467fea7aa8f3b7

SHA1
4006ff3d281a64e7a172d239ba365e3eae9f0bbf

SHA256
59572cc0f185d253d9ce814fe5911a32dd0864e25e5c32749e4e23d9363db75e

SHA512
2653116cfa4ef95aa96660130cbb914e6adf9d5d2f9be6353d8f362fb0529f6d0130106542063c5eb5e44466d28df461573fa0632d774dd343b09d4abfb7b0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\world.exe

Filesize
5.9MB

MD5
c66eb6da8fceb3a18f78c876c7f40254

SHA1
d7b98af69a7b6bcb6b19efda5d723e4dc8deb616

SHA256
df536e56f4a4e29acbf540ee439f9a28b59cdc2d4d231574b447556d71b18d9f

SHA512
7e03d75ac4c1bdb570ba4e4bc4d4bbb99c3acf53ef0fc367807cb3103afbf5db038cc12de78256faa4c97636461e652c114c50ca0f6b421002ff1846a85ff01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\korawe.exe

Filesize
5.5MB

MD5
61a5740863c83d43ab6653a3b25b43e3

SHA1
b8a556f369094bbb4c9bead32bd13fc40ace089d

SHA256
21d14c33230d49e7b5b11b0959e3f053b1fb90ecb23e3cc8c06c8b44a47ceae3

SHA512
6c4c7b752d677f21647dd43133b5a10b6c2dcbf04adb26f7dc82b6eb669d1a4d099e6be7f85d1b2cb6aab136837b72e486d7059c083690ff633e52f41a18f87c

Download Submit
memory/360-20-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/360-22-0x0000000001050000-0x000000000195D000-memory.dmp

Filesize
9.1MB

Download