lumma | e9b201af3ae720e5f3958be0f1767244b04dbefbc0e47d40eeb79f83dbcc3486

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lumma1207.exe
Size

518KB
MD5

64ae8807b8359c84c00444c2cbab6236
SHA1

db15781e8050dd032b0bd67315283089aef9dd3d
SHA256

1850a11acaede15b70cf7fc93830cd13ed4855f5e6226ef8110427fab9651ddf
SHA512

6e598e9d74d1df6097e0594f0b2f6d06ee07eda98ba91eb9f12500c50bf6d5edc2b4d35165b67b31b627ca10504aee8d7cb1755d7d8b227229c93ee444e2787f
SSDEEP

6144:K/YU8Hd8WCoWM5qcOotxvqzdCODY1eIQfHc5/mcYpTH5vQATH+2+dU739nNjp2M7:7HvComlwToHcfoTZ9Te2Lnb2MDaMScEO

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://contemplateodszsv.shop/api

https://applyzxcksdia.shop/api

https://replacedoxcjzp.shop/api

https://declaredczxi.shop/api

https://catchddkxozvp.shop/api

https://arriveoxpzxo.shop/api

https://bindceasdiwozx.shop/api

https://conformfucdioz.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 1644	1452	lumma1207.exe	86

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86
PID 1452 wrote to memory of 1644	1452	lumma1207.exe	86

C:\Users\Admin\AppData\Local\Temp\lumma1207.exe
"C:\Users\Admin\AppData\Local\Temp\lumma1207.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-0-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1644-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1644-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1644-5-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download