lumma | 8b471ecd2842d73ba198c31656e895e046bac9bf97f23b1b4339e919a58fff8e

Analysis

max time kernel
133s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/09/2024, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

5.4MB
MD5

ad2735f096925010a53450cb4178c89e
SHA1

c6d65163c6315a642664f4eaec0fae9528549bfe
SHA256

4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e
SHA512

1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9
SSDEEP

98304:o/zx+riUDpJowboU+XEsumY2XW6jBYeZ1ER:2x+riUDwUj12X1tY5

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Loads dropped DLL 1 IoCs

pid	Process
824	RelishKitchen.a3x

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 1180	5068	Setup.exe	73

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RelishKitchen.a3x

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5068	Setup.exe
5068	Setup.exe
1180	more.com
1180	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5068	Setup.exe
1180	more.com

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1180	5068	Setup.exe	73
PID 5068 wrote to memory of 1180	5068	Setup.exe	73
PID 5068 wrote to memory of 1180	5068	Setup.exe	73
PID 5068 wrote to memory of 1180	5068	Setup.exe	73
PID 1180 wrote to memory of 824	1180	more.com	75
PID 1180 wrote to memory of 824	1180	more.com	75
PID 1180 wrote to memory of 824	1180	more.com	75
PID 1180 wrote to memory of 824	1180	more.com	75
PID 1180 wrote to memory of 824	1180	more.com	75

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\RelishKitchen.a3x
    C:\Users\Admin\AppData\Local\Temp\RelishKitchen.a3x
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RelishKitchen.a3x

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\Temp\be9310a8

Filesize
2.0MB

MD5
3ba76207544771358cc3cfc3b143738d

SHA1
b15b3603fb86bd2f5986f71ca5df66177949d4e0

SHA256
1ede10f36720de1054f1127a12aad5983c136279f8f331e36376e36d131feb96

SHA512
f7a41413474d08816ed52a236e039e87aedd65ff8e628f138af8769bf638864c8aa24791944a16fcadedf8d11ca16d2983a1a613bf6bf76aa27f5bc345513d0b

Download Submit
memory/824-31-0x00000000013D0000-0x0000000001442000-memory.dmp

Filesize
456KB

Download
memory/824-29-0x00007FFFEE990000-0x00007FFFEEB6B000-memory.dmp

Filesize
1.9MB

Download
memory/1180-26-0x0000000074300000-0x000000007447B000-memory.dmp

Filesize
1.5MB

Download
memory/1180-17-0x00007FFFEE990000-0x00007FFFEEB6B000-memory.dmp

Filesize
1.9MB

Download
memory/1180-20-0x000000007430E000-0x0000000074310000-memory.dmp

Filesize
8KB

Download
memory/1180-19-0x0000000074300000-0x000000007447B000-memory.dmp

Filesize
1.5MB

Download
memory/1180-22-0x0000000074300000-0x000000007447B000-memory.dmp

Filesize
1.5MB

Download
memory/1180-27-0x000000007430E000-0x0000000074310000-memory.dmp

Filesize
8KB

Download
memory/5068-0-0x00007FFFE0F30000-0x00007FFFE109A000-memory.dmp

Filesize
1.4MB

Download
memory/5068-14-0x00007FFFE0F30000-0x00007FFFE109A000-memory.dmp

Filesize
1.4MB

Download
memory/5068-13-0x00007FFFE0F30000-0x00007FFFE109A000-memory.dmp

Filesize
1.4MB

Download
memory/5068-12-0x00007FFFE0F49000-0x00007FFFE0F4A000-memory.dmp

Filesize
4KB

Download