lumma | 4a553b2e2ff7003b55a8923047d2f76cacd258317810b0107004aa7101e0fca2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 13:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Galaxy Swapper v2.0.3.exe
Size

532KB
MD5

c812ecf0e689b3e85a15d43943f6e077
SHA1

7b39ca11c6144c256f605441477ae49058405ef8
SHA256

4a553b2e2ff7003b55a8923047d2f76cacd258317810b0107004aa7101e0fca2
SHA512

bd2348e1d82fe0fbe2674bbff32e4cad7cf574c7adfd56a94edad9cb61aff8c38bbc72232af4aea5bbc4205a286031a73cdcd386f152dca2d75dd1ad161829ba
SSDEEP

12288:PG0AUBSdefuBqAMF0qBy5Q5SD31MrgEFa1+l1n2EO:PG0AFdeffHPy+SDwLy+lYt

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://injurypiggyoewirog.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 4976	4940	Galaxy Swapper v2.0.3.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4040	4940	WerFault.exe	82

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83
PID 4940 wrote to memory of 4976	4940	Galaxy Swapper v2.0.3.exe	83

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper v2.0.3.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper v2.0.3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 312
  2⤵
  - Program crash
  PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4940 -ip 4940
1⤵
PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4940-0-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/4976-1-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4976-3-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4976-4-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4976-5-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download