lumma | e6b00ee585b008f110829df68c01a62d3bfac1ffe7d65298c8a4e4109b8a7319 | Triage

Sharing

General

Target

e6b00ee585b008f110829df68c01a62d3bfac1ffe7d65298c8a4e4109b8a7319
Size

1.5MB
Sample

240724-zl3teawdrl
MD5

902f8f6c48da2b1e2e666dd2d4fbdf51
SHA1

36b6b48e868e65575533dc15326422754b67bb1e
SHA256

e6b00ee585b008f110829df68c01a62d3bfac1ffe7d65298c8a4e4109b8a7319
SHA512

84a002403e787c7eba040c571ac28905cbccc323f477e2bface82d9c3b550f2006646b74e9a177c04d08bc1270c36e5790c665954f5284d5d6f10c78a961a716
SSDEEP

24576:7TU1TIY2XqnwoR0TFwGl11eDjeR1WzfN3PN0g2tppmGOlfSXI4an5QSGuzsCY:7ABJfnmj11qeRy3V0vBGK4rn5ZhY

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

C2

https://warrantelespsz.shop/api

https://unseaffarignsk.shop/api

https://shepherdlyopzc.shop/api

https://upknittsoappz.shop/api

https://liernessfornicsa.shop/api

https://outpointsozp.shop/api

https://callosallsaospz.shop/api

https://lariatedzugspd.shop/api

https://indexterityszcoxp.shop/api

Targets

- Target
  
  msoffice365update.msi
- Size
  
  2.5MB
- MD5
  
  f95336c88ee7f8b6275fac1a458dad53
- SHA1
  
  79fea0be5521f44c6b3fd621fb4c95167ec7542f
- SHA256
  
  e9cd2429628e3955dd1f7c714fbaa3e3b85bfaac0bc31582cf9c5232cb8fc352
- SHA512
  
  aa75cdccc14381f7088bc6090029f4b36e484a4f3e3b0a60e90ded013aa258f47631f40670e200fce687c2271f89a7ef8c91926d5698291740b192927249b896
- SSDEEP
  
  49152:nQgIfhlTYEO+w2/64hnPRMB0WkuqES58NtvU:3IZlEN+wK6qRMB0WkufF
Score

10^/10

discovery persistence privilege_escalation lumma stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceprivilege_escalation

behavioral2

lummadiscoverypersistenceprivilege_escalationstealer