lumma | 78b12a9c031afe246c42a4ba332f5189db32cd388853b607927f7ab2b99e4eb3

General

Target

Setup.exe
Size

1.6MB
MD5

ec539c4a9c60b3690fbd891e19333362
SHA1

7cd141b72d9c6701c27f939b790624ebe04668fd
SHA256

1d60149ce640f4e07bceeb8940950441025277f1eba4f501f8afe558030b34fe
SHA512

b6a3496e7b6f7aed5dcc7e0bb3fe903d2c231ff5470bbedd37e8bea83b1951dc835f32ac6508dea8b561bfd6354e7741227a42eb49fc0575ce64e12b494c00c1
SSDEEP

24576:Iz2WcNmHWLyc6+QrRIVkQirZieVPpd27K8mBWSjTUvJ2Npi8TofJ8jH3cT:RNmHyyc63YwQcTjT02NPTofJWXcT

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://bassicnuadnwi.shop/api

https://locatedblsoqp.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2684	2664	Setup.exe	85

Loads dropped DLL 1 IoCs

pid	Process
2652	LarkManger.a3x

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2284	2652	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LarkManger.a3x

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2664	Setup.exe
2664	Setup.exe
2684	more.com
2684	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2664	Setup.exe
2684	more.com

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2684	2664	Setup.exe	85
PID 2664 wrote to memory of 2684	2664	Setup.exe	85
PID 2664 wrote to memory of 2684	2664	Setup.exe	85
PID 2664 wrote to memory of 2684	2664	Setup.exe	85
PID 2684 wrote to memory of 2652	2684	more.com	96
PID 2684 wrote to memory of 2652	2684	more.com	96
PID 2684 wrote to memory of 2652	2684	more.com	96
PID 2684 wrote to memory of 2652	2684	more.com	96

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\LarkManger.a3x
    C:\Users\Admin\AppData\Local\Temp\LarkManger.a3x
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1340
      4⤵
      Program crash
      PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2652 -ip 2652
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LarkManger.a3x

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\Temp\d950d9d4

Filesize
2.0MB

MD5
3bf375fe658c0c7eb171f5fb42964f2f

SHA1
40917bf03e04b0eb456d8bddbc4d98ff88005b15

SHA256
0dd4ce6b1d03db9f7589759236fac6d930a3bb7347e79073ea22717c2f853f66

SHA512
c209d0e8757c4e1982fd7a918b456d63de718fa4070a7eaa3085ad10ee88175a7cf4a59e95f0a92c18abcd64d333ace33c1789dfeb9b3db279456db1c10d5c19

Download Submit
memory/2652-26-0x00000000001D0000-0x0000000000238000-memory.dmp

Filesize
416KB

Download
memory/2652-25-0x0000000075E90000-0x0000000076443000-memory.dmp

Filesize
5.7MB

Download
memory/2652-23-0x00000000001D0000-0x0000000000238000-memory.dmp

Filesize
416KB

Download
memory/2652-22-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/2664-10-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/2664-11-0x0000000061E00000-0x0000000061ECA000-memory.dmp

Filesize
808KB

Download
memory/2664-0-0x0000000075E90000-0x0000000076443000-memory.dmp

Filesize
5.7MB

Download
memory/2664-8-0x0000000075E90000-0x0000000076443000-memory.dmp

Filesize
5.7MB

Download
memory/2664-6-0x0000000075EA3000-0x0000000075EA5000-memory.dmp

Filesize
8KB

Download
memory/2664-7-0x0000000075E90000-0x0000000076443000-memory.dmp

Filesize
5.7MB

Download
memory/2664-1-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/2684-14-0x00007FFDA3CB0000-0x00007FFDA3EA5000-memory.dmp

Filesize
2.0MB

Download
memory/2684-16-0x0000000075E90000-0x0000000076443000-memory.dmp

Filesize
5.7MB

Download
memory/2684-18-0x0000000075E90000-0x0000000076443000-memory.dmp

Filesize
5.7MB

Download
memory/2684-20-0x0000000075E90000-0x0000000076443000-memory.dmp

Filesize
5.7MB

Download
memory/2684-12-0x0000000075E90000-0x0000000076443000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing