lumma | a396584d840f2f5b563ff0c933c4d5df1f45716c9ac0daa5f7deeedb5df459ea

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 18:21

Target

App_Install(x86).exe
Size

648KB
MD5

346b5b93484c9c69f927c4740f704ebb
SHA1

d3bd0c8ef5a213c139bf65ded10ca25050cf3bf6
SHA256

a396584d840f2f5b563ff0c933c4d5df1f45716c9ac0daa5f7deeedb5df459ea
SHA512

499fb67630f010fbce62705351b0f38dcfa04639f1c02e3dea28e79bd03c1ba5169361904f791c3bea40b04a291cafc377006db27204751ba9b8bea217e66557
SSDEEP

12288:61IID/zdArU9gXv69C/J9LAaspmFEXZoMWt31xiwMfnlecPn9r8oYrmc19Q+be68:CldyU9gy9mzxMW

Score

10^/10

lumma stealer

Family

lumma

https://kaminiasbbefow.shop/api

https://reinforcedirectorywd.shop/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Loads dropped DLL 1 IoCs

pid	Process
4940	App_Install(x86).exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 2320	4940	App_Install(x86).exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2684	2320	WerFault.exe	85
5028	2320	WerFault.exe	85

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85
PID 4940 wrote to memory of 2320	4940	App_Install(x86).exe	85

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2320 -ip 2320
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2320 -ip 2320
1⤵
PID:4688

C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
465KB

MD5
d92e423a788f25a984119138e4cfbeba

SHA1
acd0d29b219a4b99d5306018a396af21804e7042

SHA256
9ddece62a6c57fd228f4c2c22f65faf1abc7dec9b5802c494f484a812f80f657

SHA512
324db1e8fec065f86a8e8288c4ef0b4641d6c639626e8e52074bff837ff3d6f79252a80ad953d2c590526c83607ed570513c55ecba3688fc13eaff0cc5cbcca7

Download Submit
memory/2320-9-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2320-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2320-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2320-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4940-0-0x000000007526E000-0x000000007526F000-memory.dmp

Filesize
4KB

Download
memory/4940-1-0x0000000000C00000-0x0000000000CA8000-memory.dmp

Filesize
672KB

Download
memory/4940-2-0x00000000030B0000-0x00000000030B6000-memory.dmp

Filesize
24KB

Download
memory/4940-13-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/4940-16-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download