lumma | d808c118c79794569869cf92a8bbcb60ed29b2815282f048da66a7ecc4e254bd | Triage

Sharing

Copy URL Twitter E-mail

General

Target

d808c118c79794569869cf92a8bbcb60ed29b2815282f048da66a7ecc4e254bd.ps1
Size

195B
Sample

240825-by4pgasgjl
MD5

6b7cba6b3b995c043af8b5901e56db8d
SHA1

b09cb6c73808259ccef2af9a9510c6f69a73f6fa
SHA256

d808c118c79794569869cf92a8bbcb60ed29b2815282f048da66a7ecc4e254bd
SHA512

2c0dc1824fc8e8ac2d4ba70287be4cdefb1158cb1e0bc49f739102088b07994cf2ffd4599ef169509e2a27bb8353bbffe98cb3cafbe9089df61dc69d9d762059

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/scptst24

Extracted

Language

hta

Source

URLs

hta.dropper

https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/scptst24

Extracted

Family

lumma

C2

https://scenarriotdpq.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

https://condedqpwqm.shop/api

https://millyscroqwp.shop/api

https://stagedchheiqwo.shop/api

https://stamppreewntnq.shop/api

https://caffegclasiqwp.shop/api

https://tenntysjuxmz.shop/api

Targets

- Target
  
  d808c118c79794569869cf92a8bbcb60ed29b2815282f048da66a7ecc4e254bd.ps1
- Size
  
  195B
- MD5
  
  6b7cba6b3b995c043af8b5901e56db8d
- SHA1
  
  b09cb6c73808259ccef2af9a9510c6f69a73f6fa
- SHA256
  
  d808c118c79794569869cf92a8bbcb60ed29b2815282f048da66a7ecc4e254bd
- SHA512
  
  2c0dc1824fc8e8ac2d4ba70287be4cdefb1158cb1e0bc49f739102088b07994cf2ffd4599ef169509e2a27bb8353bbffe98cb3cafbe9089df61dc69d9d762059
Score

10^/10

execution lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: AutoIT
  Using AutoIT for possible automate script.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

AutoHotKey & AutoIT

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

lummadiscoveryexecutionstealer