lumma | 3b51f5cb57c8c66d343fc1998d2df315ea84a76fafdd51b9f316cef2886f5d40

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

12.5MB
MD5

0b7e6ef92b0cfa06d61ba19b250c3c7f
SHA1

1bfe28646c8b4e20e94926ea1987d64228095bfe
SHA256

15f779bef759b5566c409ab78d4fe244dc224c669cf3f67b0b93f89520261ae7
SHA512

2711d92c167ebbb060b2025062018ec67e4f39ed7783722b84ed145e32b7c1673341f993405070dea55ead256d38d6d97512d6087cb5685358f33fab4c906d2f
SSDEEP

49152:FLfQjGFDZLiY0JXPGgqbw++DwCJXfbS8nfoD3GZvv5dQux6hICgG7vAY6xEasrEW:DLuXO1+iGZvtzpspES6EIA4anfL

Score

10^/10

lumma spyware stealer

Malware Config

Extracted

Family

lumma

https://bannngwko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3520 set thread context of 1020	3520	setup.exe	85

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1020	BitLockerToGo.exe
1020	BitLockerToGo.exe
1020	BitLockerToGo.exe
1020	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 1020	3520	setup.exe	85
PID 3520 wrote to memory of 1020	3520	setup.exe	85
PID 3520 wrote to memory of 1020	3520	setup.exe	85
PID 3520 wrote to memory of 1020	3520	setup.exe	85
PID 3520 wrote to memory of 1020	3520	setup.exe	85

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-4-0x0000000000CF0000-0x0000000000D47000-memory.dmp

Filesize
348KB

Download
memory/1020-7-0x0000000000CF0000-0x0000000000D47000-memory.dmp

Filesize
348KB

Download
memory/1020-8-0x0000000000CF0000-0x0000000000D47000-memory.dmp

Filesize
348KB

Download
memory/1020-9-0x0000000000CF0000-0x0000000000D47000-memory.dmp

Filesize
348KB

Download
memory/3520-5-0x00007FF6CEE50000-0x00007FF6CFB6E000-memory.dmp

Filesize
13.1MB

Download