lumma | 8e74f5644140e614077e5317d5ffb5ca0f828ed4870e1d6c1faf442c851e1909

General

Target

8e74f5644140e614077e5317d5ffb5ca0f828ed4870e1d6c1faf442c851e1909
Size

207KB
Sample

240826-fqc9rswgna
MD5

0df1eb83d7ed49150b934fe7f68585af
SHA1

526b9bf54fdf9a21e0f5715f48e5ff1a3daa9ec2
SHA256

8e74f5644140e614077e5317d5ffb5ca0f828ed4870e1d6c1faf442c851e1909
SHA512

4ce9a70c5fa7d114898fddb4946a1a494f7a3a12edd880f26f1e870ee59235094d3a4a2016c39677876c5108e7761ee361e8f17c77638e51e1f377a2b11f08fe
SSDEEP

3072:SyrwJwIkb3qJvkYYvMH2q7Vf0mHaogXhVGPdHLtUn/RLmeJqh9ZGvCWDLQegLzK0:SMw7kGck/7nWMBLtMmeAPfWQdEO

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

10.8

Botnet

e08d1d89739710c3d8e7a76423a5faa7

C2

https://t.me/jamelwt

https://steamcommunity.com/profiles/76561199761128941

https://t.me/iyigunl

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Extracted

Family

lumma

C2

https://caffegclasiqwp.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

https://condedqpwqm.shop/api

https://millyscroqwp.shop/api

https://stagedchheiqwo.shop/api

https://stamppreewntnq.shop/api

https://tenntysjuxmz.shop/api

Targets

- Target
  
  8e74f5644140e614077e5317d5ffb5ca0f828ed4870e1d6c1faf442c851e1909
- Size
  
  207KB
- MD5
  
  0df1eb83d7ed49150b934fe7f68585af
- SHA1
  
  526b9bf54fdf9a21e0f5715f48e5ff1a3daa9ec2
- SHA256
  
  8e74f5644140e614077e5317d5ffb5ca0f828ed4870e1d6c1faf442c851e1909
- SHA512
  
  4ce9a70c5fa7d114898fddb4946a1a494f7a3a12edd880f26f1e870ee59235094d3a4a2016c39677876c5108e7761ee361e8f17c77638e51e1f377a2b11f08fe
- SSDEEP
  
  3072:SyrwJwIkb3qJvkYYvMH2q7Vf0mHaogXhVGPdHLtUn/RLmeJqh9ZGvCWDLQegLzK0:SMw7kGck/7nWMBLtMmeAPfWQdEO
Score

10^/10

lumma stealc vidar default e08d1d89739710c3d8e7a76423a5faa7 credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2