lumma | c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008

General

Target

c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008.exe
Size

326KB
Sample

240926-cv5m2asaqr
MD5

93d82638ef554a5117ce5b0d23449d01
SHA1

72f96fae5b89aec666887d34655552e8f9cca90b
SHA256

c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008
SHA512

271b1a758070354bb1ae8530c21fa7a25937f739b1d2844dc0c23a8984e3a8e5b0478e7bc6053e36dbcaa460eca814e751d770553b224c0081e46981d8ad2a79
SSDEEP

6144:G64ysmRhhpPdrxp7jylbwq6sua07m680VqjS65EkSDcVtw4ufST7/JcG6EO:GdmnVxp0XNua07m30Vqjz5EHAVO4u672

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

11

Botnet

3a15237aa92dcd8ccca447211fb5fc2a

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

C2

https://drawzhotdog.shop/api

https://gutterydhowi.shop/api

https://ghostreedmnu.shop/api

https://offensivedzvju.shop/api

https://vozmeatillu.shop/api

https://fragnantbui.shop/api

https://stogeneratmns.shop/api

https://reinforcenh.shop/api

https://performenj.shop/api

Targets

- Target
  
  c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008.exe
- Size
  
  326KB
- MD5
  
  93d82638ef554a5117ce5b0d23449d01
- SHA1
  
  72f96fae5b89aec666887d34655552e8f9cca90b
- SHA256
  
  c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008
- SHA512
  
  271b1a758070354bb1ae8530c21fa7a25937f739b1d2844dc0c23a8984e3a8e5b0478e7bc6053e36dbcaa460eca814e751d770553b224c0081e46981d8ad2a79
- SSDEEP
  
  6144:G64ysmRhhpPdrxp7jylbwq6sua07m680VqjS65EkSDcVtw4ufST7/JcG6EO:GdmnVxp0XNua07m30Vqjz5EHAVO4u672
Score

10^/10

stealc default discovery stealer lumma vidar 3a15237aa92dcd8ccca447211fb5fc2a credential_access persistence spyware
- Detect Vidar Stealer
  stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2