lumma | 8b3d1dd675e2e030d63ef5ecd9fa05da46a577d9f3723e7b358e20a4f6892495

General

Target

8b3d1dd675e2e030d63ef5ecd9fa05da46a577d9f3723e7b358e20a4f6892495
Size

181KB
Sample

240820-rrk7js1blm
MD5

8604da617d2310a788d55a8a17158926
SHA1

57be5e931ca21c501294dacd4744666adca8dc0a
SHA256

8b3d1dd675e2e030d63ef5ecd9fa05da46a577d9f3723e7b358e20a4f6892495
SHA512

0d1738c8ac0afe0de609744c14ee0deaf7217afa2292df166791508bb4146b1e377b8bec729f74cc077fd78f7fb8bc651552bb74d7614cf1db7cbefd1dad438c
SSDEEP

3072:Pz2c0Rztm8NGdBXtfAzc1Gr/cMvOwUPfbldFw0t+Z0vhAVfDgZkCeJCsNIilreNO:PkseGXXtIg1GrtvOwUPfbldFw0t+Z0vT

Score

10^/10

Malware Config

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199751190313

https://t.me/pech0nk

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Extracted

Family

vidar

Version

10.8

Botnet

9fecf283c2873768afb8beafb33a85e0

C2

https://steamcommunity.com/profiles/76561199761128941

https://t.me/iyigunl

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Extracted

Family

lumma

C2

https://interactiedovspm.shop/api

https://potentioallykeos.shop/api

https://charecteristicdxp.shop/api

https://cagedwifedsozm.shop/api

https://deicedosmzj.shop/api

https://southedhiscuso.shop/api

https://consciousourwi.shop/api

https://tenntysjuxmz.shop/api

Targets

- Target
  
  8b3d1dd675e2e030d63ef5ecd9fa05da46a577d9f3723e7b358e20a4f6892495
- Size
  
  181KB
- MD5
  
  8604da617d2310a788d55a8a17158926
- SHA1
  
  57be5e931ca21c501294dacd4744666adca8dc0a
- SHA256
  
  8b3d1dd675e2e030d63ef5ecd9fa05da46a577d9f3723e7b358e20a4f6892495
- SHA512
  
  0d1738c8ac0afe0de609744c14ee0deaf7217afa2292df166791508bb4146b1e377b8bec729f74cc077fd78f7fb8bc651552bb74d7614cf1db7cbefd1dad438c
- SSDEEP
  
  3072:Pz2c0Rztm8NGdBXtfAzc1Gr/cMvOwUPfbldFw0t+Z0vhAVfDgZkCeJCsNIilreNO:PkseGXXtIg1GrtvOwUPfbldFw0t+Z0vT
Score

10^/10

lumma vidar 9fecf283c2873768afb8beafb33a85e0 credential_access discovery spyware stealer defense_evasion
- Detect Vidar Stealer
  stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2