lumma | 06b95476a373199ef0f7eb7b263222a1aa21f71eafb5b67d85410f2f5981f0a5 | Triage

Sharing

General

Target

l.rar
Size

10.4MB
Sample

241118-pm5z2swenb
MD5

6a58b0df8fe00c50f6590a7a0c9555d8
SHA1

e9b89c2e2bae2fabc5788abb83eb940da9ea1462
SHA256

06b95476a373199ef0f7eb7b263222a1aa21f71eafb5b67d85410f2f5981f0a5
SHA512

6b4177b812e4d94cb4c75246801f9c540d9c637061934d819ab920864825eb7f5132de84a0c749b6b0dc70a7a9701965cb8ab3dc915404d368c2172a4ebef0fb
SSDEEP

196608:LYjPOvBvv/0sqAR0cZD25mnvTgyL1dDHmRI+n9u7ZD25mnvTgk:CP2p30sycV25mnbgIDGm+uV25mnbgk

Score

10^/10

lumma discovery persistence stealer

Malware Config

Extracted

Family

lumma

C2

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Targets

- Target
  
  1/Setup.exe.vir
- Size
  
  14.4MB
- MD5
  
  db63171e8f58f0e78f588471154b3c27
- SHA1
  
  de940ecab24a000a64f27ca6b0fe93c7d5e9f866
- SHA256
  
  5451f776144a83c4fbf47d9dc455f4ba2751dc20a36b4022fadb9f5fdfad32ec
- SHA512
  
  1dc070e460628eab8b4efb40e1dd3cba77d8c05930fb970adb426812561e112c13b21cdbd00dc5b5b78657e160ac3a18b0ae6329f203f174a6fb4610133e024d
- SSDEEP
  
  196608:Ywa/A5/A3Pg2LkIJmgLpY/iLNooeoc+k88MkEQx4enDtJ+fmPOSAWiH5m+6h7MnC:qP1JtpQd8S+fiz+bC
Score

6^/10

discovery persistence
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  2/Setup.exe.vir
- Size
  
  14.4MB
- MD5
  
  d4340b687b46726c175ff0d6d49d8017
- SHA1
  
  44a7d5267164d3597e797176d3b111df48c98446
- SHA256
  
  1353dcc34941316e60be2905322c7c77bee698862eb6a81b4db19b4fc3b6c332
- SHA512
  
  22921bd5fbe771f56cef5507dd6c2ecd6cc1d9d5f3ffed45e895daa5cbe597bbf9bb2bd7eb23a1b4015de9c34d24d6e65e5661b412bd963076a9f436f6606b3d
- SSDEEP
  
  196608:4wa/A5/A3Pg2LkIJmgLpY/iLNooeoc+k88MkEQx4enDtJ+fmPOSAWiH5m+6h7MnC:KP1JtpQd8S+fiz+bC
Score

10^/10

discovery persistence lumma stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

discoverypersistence

behavioral3

discoverypersistence

behavioral4

lummadiscoverypersistencestealer