lumma | c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe
Size

8.6MB
MD5

0e9459f87d4d72ca3f3fb54af7432de9
SHA1

8941d42eb6f891aca9652cb3cbcdefc547a0ee1c
SHA256

c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44
SHA512

4b646775910d27e0c8b410a0e7e8b5b05f63839a6c26ee25952a27740688db4029916a6fb88e70accfab239f5eab532ae169f7146cdb093f826162b46689c728
SSDEEP

49152:4kmANd/Zz39voeJAg/Bst+YhOQz4W3FlFPyHF80WBh5OIm/tJe34jcH5EGgMLhZk:Uoh3FJBWz4W1lFbBnPE6wUa7nPF

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://stationacutwo.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4256 set thread context of 1976	4256	c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe	85

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 1976	4256	c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe	85
PID 4256 wrote to memory of 1976	4256	c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe	85
PID 4256 wrote to memory of 1976	4256	c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe	85
PID 4256 wrote to memory of 1976	4256	c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe	85
PID 4256 wrote to memory of 1976	4256	c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe	85

C:\Users\Admin\AppData\Local\Temp\c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe
"C:\Users\Admin\AppData\Local\Temp\c4452b42ae44c837bb125fa539edfd57241aff7f40c63365ff4cde0d9a823f44.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-5-0x0000000001270000-0x00000000012BF000-memory.dmp

Filesize
316KB

Download
memory/1976-8-0x0000000001270000-0x00000000012BF000-memory.dmp

Filesize
316KB

Download
memory/1976-9-0x0000000001270000-0x00000000012BF000-memory.dmp

Filesize
316KB

Download
memory/1976-10-0x0000000001270000-0x00000000012BF000-memory.dmp

Filesize
316KB

Download
memory/4256-2-0x00007FF7E7B60000-0x00007FF7E8497000-memory.dmp

Filesize
9.2MB

Download
memory/4256-6-0x00007FF7E7B60000-0x00007FF7E8497000-memory.dmp

Filesize
9.2MB

Download