lumma | 117203a8745ac784850a1263f7502d0b41fda16e2341a6cc98d290ec7b215186

Sharing

Copy URL

Twitter E-mail

General

Target

Programs.rar
Size

5.8MB
Sample

240921-tq9vma1eqc
MD5

4b54adc721f225b37c1ade75ed8458cd
SHA1

8bd012c1fa1b0d5f92dca36a1796d2fd4fec3aad
SHA256

117203a8745ac784850a1263f7502d0b41fda16e2341a6cc98d290ec7b215186
SHA512

939ab9630ab0121c6602ad24b6942b05f630eece1b8d0d971752d4dacba3528336f4a6f934219ea6267333fcc32d509167578f04a156c3c9e06069a26f729c7a
SSDEEP

98304:72SCuY3xrf/sag+BzwfqeOX7niUBfPkgST9fmWNbRr70VthZU3xRGO:7vpSJk6wfhOX7iUBfVk9fmUxB8O

Score

10^/10

Malware Config

Extracted

Family

lumma

https://samledwwekspzxp.shop/api

Extracted

Family

stealc

Botnet

mainteam

http://95.182.96.50

Attributes

url_path
/2aced82320799c96.php

Targets

- Target
  
  1.exe.v
- Size
  
  2.9MB
- MD5
  
  78954d05725add7c68b17fec6fe6fbcb
- SHA1
  
  65b1a35ee1a624a741291c60b0745ec64cde9de5
- SHA256
  
  11f52db1c7b322fe16087e10c0d2d5fbb3586054250dc39a887434bdf49befbb
- SHA512
  
  4b68f2019e83d4c6deeb57dd404575296331139a305234b3d4fb1d1e67650419b7aa5333d2d697d0209b5bd33e7d0907f2dd5dc1850c7b845718d2866538b1bb
- SSDEEP
  
  49152:p2qPtc1e5OS7bPGoUl+x/grN4azvchYk2fnaiyRl6Kun:8qPCnrN4azvSYX7yRlyn
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
behavioral1 behavioral2
- Target
  
  2.exe.v
- Size
  
  13.2MB
- MD5
  
  8858afdac61eeb17682db20888963df4
- SHA1
  
  501d62787335daf5f7ee678c03ad7815a8a69b2c
- SHA256
  
  b0649ae8468c315c2d8bbc2a879cc7162360660402487105761632c7342dd861
- SHA512
  
  96ee49acff2423b6c1af9eb3e4142740b7a1b10c5a5800206d44af75f4ac7e666fc1693b5e84f9913ceb567dfcd97db995a6f737a6674fe14308028c76d9e2e3
- SSDEEP
  
  196608:y/nc6X0YjOtzpNRR1WzyP06rmWjymKIn99NMc2mX3W:y/nc6X0YjOtzpNP1WbWea3McNXm
Score

10^/10

stealc mainteam credential_access discovery spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Downloads MZ/PE file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3 behavioral4
- Target
  
  3.exe.v
- Size
  
  1.2MB
- MD5
  
  6f58eada2611d4e69798d3824ab1ed28
- SHA1
  
  76f0495c12cb7884fc406b1ef7de946230a1f499
- SHA256
  
  0a7fded88420aedebccb96a4cacd197d5b29b60746e8c3a423cb0f78f3674f5c
- SHA512
  
  a32df7e7cb123ab1f9d4649e8c6b5b039346de1879398c5a68e6ca5d7d8c5a408e8b2ac72d68c46ca7ad9660ca08a9503ba31f7817b954f056a26fe5fb1b4f5d
- SSDEEP
  
  24576:Qrfl+F1DI+oc6owGiOV8DABNUS+m+++oJee++oAYLbmtjjjjDjjpmbiDcA:6t+F1DI+96iiOaDkNUS+m+++oJee++oC
Score

8^/10

defense_evasion discovery execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Deletes itself
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6
- Target
  
  4.exe.v
- Size
  
  728KB
- MD5
  
  58d65f5fca31cd83c18163b56b27f246
- SHA1
  
  ebb839bff73785c78d54128b235f72ce1c5c0cee
- SHA256
  
  7b827fb44a58dd2362be39abafa00a74e2f105c0fc5a5aa4ef3f3bdac5d13408
- SHA512
  
  5502a4d0e57fe051edf0098a32fce0ebe94108c841d327e773764fcf62c95dec96af772c0f8fbc56e2b7220d3189931c09905f24838eb3dc3f539dcfd3ffac5f
- SSDEEP
  
  12288:elMgytQTnq9BpxPZW3nQzSAj8B3mLoU6/5rTxYvvebixV6suY:enKxRWxAoBWLoU6/px8X
Score

3^/10

discovery
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Lumma Stealer, LummaC

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Deletes itself

Indicator Removal: File Deletion

Looks up external IP address via web service

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8