General

  • Target

    974e28edf145235ced706aaf27e1499ce9e6c7f7c4f49629049f8d32fcc894e4

  • Size

    1.2MB

  • Sample

    240801-b6p62szcnb

  • MD5

    9ffec2ba5a692387f7977bebcaa9f09a

  • SHA1

    e38b9a1bd1cbf76abefff45219a316bc2c3e991f

  • SHA256

    974e28edf145235ced706aaf27e1499ce9e6c7f7c4f49629049f8d32fcc894e4

  • SHA512

    bb122636d5d31e449b44974b69ad9e53d768caccf5804f4249a4687a58243819e84428c6b9309353c2508e2d355d55dc5d06e41837b38cc02c0435306fb73581

  • SSDEEP

    24576:uxLsMs8WdcMx8SWo23V34jBYSSKa6xlA3AXRlumbau1fp52txPvdkXFuXRxT7NPz:ysldGSWo2WVSnqAsRlumeu1hY3HdkXg9

Malware Config

Extracted

Family

lumma

C2

https://technologggisp.shop/api

https://unseaffarignsk.shop/api

https://shepherdlyopzc.shop/api

https://upknittsoappz.shop/api

https://liernessfornicsa.shop/api

https://outpointsozp.shop/api

https://callosallsaospz.shop/api

https://lariatedzugspd.shop/api

https://indexterityszcoxp.shop/api

Targets

    • Target

      974e28edf145235ced706aaf27e1499ce9e6c7f7c4f49629049f8d32fcc894e4

    • Size

      1.2MB

    • MD5

      9ffec2ba5a692387f7977bebcaa9f09a

    • SHA1

      e38b9a1bd1cbf76abefff45219a316bc2c3e991f

    • SHA256

      974e28edf145235ced706aaf27e1499ce9e6c7f7c4f49629049f8d32fcc894e4

    • SHA512

      bb122636d5d31e449b44974b69ad9e53d768caccf5804f4249a4687a58243819e84428c6b9309353c2508e2d355d55dc5d06e41837b38cc02c0435306fb73581

    • SSDEEP

      24576:uxLsMs8WdcMx8SWo23V34jBYSSKa6xlA3AXRlumbau1fp52txPvdkXFuXRxT7NPz:ysldGSWo2WVSnqAsRlumeu1hY3HdkXg9

    • Lumma Stealer, LummaC

      Lumma (also known as LummaC) is an infostealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks