lumma | b746e19479039c8bd13f00abcc2211980b82f3cfc3f2f3c87a2c7f493859b86f

Resubmissions

14-07-2024 04:21

240714-ey6evaweqp 10

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Cheat/installer.exe
Size

537KB
MD5

ebdd0abfd39913aaf11664d6a783202c
SHA1

47dbc17c8c9d98fe6a508df2eb237140f330dec7
SHA256

92d57e1a822b9a90683dbce8686201de189daa25188f1e33248277d8a59b31b2
SHA512

ce529c6fdef4bbf63933bbe41c0177bc58926334c55d66e47ba0aacd31fb4ca025dba4e746c980622b6bc21501acf7e6de63ad6f30de9c82e30b59cf3f5e921e
SSDEEP

6144:tQGkh+2NkT8MwUFNF+g5wAAp+Hb5tATcz6C/kAceTlb1kLdRozzNOgM54cck5AYs:mNkT8Mw4qb+Hbjg+/5n260LX5AQeR

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://extorteauhhwigw.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3932 set thread context of 3528	3932	installer.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	3528	WerFault.exe	87

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 648	3932	installer.exe	86
PID 3932 wrote to memory of 648	3932	installer.exe	86
PID 3932 wrote to memory of 648	3932	installer.exe	86
PID 3932 wrote to memory of 3528	3932	installer.exe	87
PID 3932 wrote to memory of 3528	3932	installer.exe	87
PID 3932 wrote to memory of 3528	3932	installer.exe	87
PID 3932 wrote to memory of 3528	3932	installer.exe	87
PID 3932 wrote to memory of 3528	3932	installer.exe	87
PID 3932 wrote to memory of 3528	3932	installer.exe	87
PID 3932 wrote to memory of 3528	3932	installer.exe	87
PID 3932 wrote to memory of 3528	3932	installer.exe	87
PID 3932 wrote to memory of 3528	3932	installer.exe	87

C:\Users\Admin\AppData\Local\Temp\Roblox Cheat\installer.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Cheat\installer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1120
    3⤵
    - Program crash
    PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3528 -ip 3528
1⤵
PID:2840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3528-1-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3528-3-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3528-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3528-5-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3932-0-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download