lumma | e12feda2ae6dfb6ec7b896d5faad599371a5306ac4a91f27a146b2f781032ef4

General

Target

meow.txt
Size

46B
Sample

240617-pg1s5szfpc
MD5

ae43edc66c83c74123acf471a5bf0c69
SHA1

d52923a57f2f024872ece58730f94e567255cc0f
SHA256

e12feda2ae6dfb6ec7b896d5faad599371a5306ac4a91f27a146b2f781032ef4
SHA512

4793a4647bc006a625db1d2c302017151b9b21d2c472782f44f77ce28fcc19c6458610e7f94106ab1e8a513833df55a718fe6de6d2aed4f93b3af28e763f0bc9

Score

10^/10

Malware Config

Extracted

Family

lumma

C2

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://affordcharmcropwo.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Targets

- Target
  
  meow.txt
- Size
  
  46B
- MD5
  
  ae43edc66c83c74123acf471a5bf0c69
- SHA1
  
  d52923a57f2f024872ece58730f94e567255cc0f
- SHA256
  
  e12feda2ae6dfb6ec7b896d5faad599371a5306ac4a91f27a146b2f781032ef4
- SHA512
  
  4793a4647bc006a625db1d2c302017151b9b21d2c472782f44f77ce28fcc19c6458610e7f94106ab1e8a513833df55a718fe6de6d2aed4f93b3af28e763f0bc9
Score

10^/10

lumma milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
  rat stealer milleniumrat
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Contacts a large (14432) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2