lumma | ff2fce8e75f0f7261ddef3a3785943cc97623edb1e632ed935c8619f2adc7325 | Triage

Submit
Reports

Overview

overview

Static

static

3

Bootstrapper.exe

windows10-2004-x64

Sharing

General

Target

Bootstrapper.exe
Size

104KB
Sample

240903-wf7zdstdpg
MD5

4602690571ce74ace4458896a31ce202
SHA1

5478b08a3a6c8c6762a4628d5a66a32a573c7771
SHA256

ff2fce8e75f0f7261ddef3a3785943cc97623edb1e632ed935c8619f2adc7325
SHA512

0c4fbfea7274eb799cfe6a3a8aec81f011182f3077da6778b1e3ea1c71917639198fde8e2662411894ea788686c3f53c7e2b68c00e2e7d1d2b3f112ceac189b7
SSDEEP

3072:YuElCyYwC+M2FE6CyYwC+M2FE+80IZOAr:YZlhY7X2K6hY7X2K+h

Score

10^/10

lumma discovery execution stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Bootstrapper.exe

Resource

win10v2004-20240802-en

lumma discovery execution stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

lumma

C2

https://tenseddrywsqio.shop/api

Targets

- Target
  
  Bootstrapper.exe
- Size
  
  104KB
- MD5
  
  4602690571ce74ace4458896a31ce202
- SHA1
  
  5478b08a3a6c8c6762a4628d5a66a32a573c7771
- SHA256
  
  ff2fce8e75f0f7261ddef3a3785943cc97623edb1e632ed935c8619f2adc7325
- SHA512
  
  0c4fbfea7274eb799cfe6a3a8aec81f011182f3077da6778b1e3ea1c71917639198fde8e2662411894ea788686c3f53c7e2b68c00e2e7d1d2b3f112ceac189b7
- SSDEEP
  
  3072:YuElCyYwC+M2FE6CyYwC+M2FE+80IZOAr:YZlhY7X2K6hY7X2K+h
Score

10^/10

lumma discovery execution stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lummadiscoveryexecutionstealer

© 2018-2025

Terms | Privacy