lumma | 5451f776144a83c4fbf47d9dc455f4ba2751dc20a36b4022fadb9f5fdfad32ec

General

Target

Setup.exe
Size

14.4MB
MD5

db63171e8f58f0e78f588471154b3c27
SHA1

de940ecab24a000a64f27ca6b0fe93c7d5e9f866
SHA256

5451f776144a83c4fbf47d9dc455f4ba2751dc20a36b4022fadb9f5fdfad32ec
SHA512

1dc070e460628eab8b4efb40e1dd3cba77d8c05930fb970adb426812561e112c13b21cdbd00dc5b5b78657e160ac3a18b0ae6329f203f174a6fb4610133e024d
SSDEEP

196608:Ywa/A5/A3Pg2LkIJmgLpY/iLNooeoc+k88MkEQx4enDtJ+fmPOSAWiH5m+6h7MnC:qP1JtpQd8S+fiz+bC

Score

10^/10

lumma discovery persistence stealer

Malware Config

Extracted

Family

lumma

C2

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContaCam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Setup.exe"	Setup.exe

Blocklisted process makes network request 11 IoCs

flow	pid	Process
15	4392	msiexec.exe
17	4392	msiexec.exe
20	4392	msiexec.exe
24	4392	msiexec.exe
28	4392	msiexec.exe
30	4392	msiexec.exe
35	4392	msiexec.exe
38	4392	msiexec.exe
42	4392	msiexec.exe
47	4392	msiexec.exe
49	4392	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3092 set thread context of 4864	3092	Setup.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3092	Setup.exe
3092	Setup.exe
4864	more.com
4864	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3092	Setup.exe
4864	more.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3092	Setup.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3092	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3092	Setup.exe
3092	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4864	3092	Setup.exe	86
PID 3092 wrote to memory of 4864	3092	Setup.exe	86
PID 3092 wrote to memory of 4864	3092	Setup.exe	86
PID 3092 wrote to memory of 4864	3092	Setup.exe	86
PID 4864 wrote to memory of 4392	4864	more.com	93
PID 4864 wrote to memory of 4392	4864	more.com	93
PID 4864 wrote to memory of 4392	4864	more.com	93
PID 4864 wrote to memory of 4392	4864	more.com	93
PID 4864 wrote to memory of 4392	4864	more.com	93

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.ini

Filesize
1KB

MD5
f86f878b607a04416fdd964bdff2db40

SHA1
c6cfc1fd00640e7713e8c6137e22e8764f64b5f2

SHA256
9437f4144ece91feb09b16501f59d15b350e1a5e8046ffbb46a06d720d3676fc

SHA512
f62e40d3bc4d9ebe018ec158a458696f7dc7c2be38469e98a6635ea59b914c62d48bea94eca1f060dd625131852e89df65a24bcf57235f94dc179ba8f6ee2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.ini

Filesize
58B

MD5
f25df6b9843d84fbf75297bc055ae13d

SHA1
9ae6e0656337cae2204646f23721fe98d2b6ea87

SHA256
f3d2384a7ae24486f1cf1cc5b36d9cbbaa6009d1a14edb9edd8afc2a83e9135f

SHA512
895201ade52ab2571edbbbbab5b38bc45ad7689b36471db61930911a7b34bea3ffec346d109652c4ca4ec7bad533a2bd2da883f45ddb6ba31367f7b05ff84590

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea684c82

Filesize
1.2MB

MD5
1c3866deb8e7789657f98840d623a169

SHA1
7411f3699a17972110bdf1b7ada91306d5beacc8

SHA256
af47c75ed2571f28dba14f4bac724b0be1cf80a1b045e89169cc22948dbf8629

SHA512
942e25cd3256269df1f75c2fba8d9e48c90962c2c6907f76a46f8e011ddfb5b579be71b32503e3f606032fc79f3287fdeb4897f76d3202562a2659834947adb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed95b186

Filesize
1.0MB

MD5
0f9c88e0aea54db5b8a08042d07ffd17

SHA1
609fd83954173aaeb7eda7dd7724d379fa329a5a

SHA256
cfaee7d32dcd0179e4cf589d6cd6d7f8e4bd0d83e25e5c94fb912e2a236b7965

SHA512
86c5fe44263f925185ebc2b8ad8a075f42c00beeb15fef8a5fd75d2cf6ddad7854852ab34511f963d3dfe405a82f1431d96d40f896547bd87a733d8e3957cac7

Download Submit
memory/3092-220-0x00000000762F0000-0x00000000768A3000-memory.dmp

Filesize
5.7MB

Download
memory/3092-216-0x0000000076303000-0x0000000076305000-memory.dmp

Filesize
8KB

Download
memory/3092-217-0x00000000762F0000-0x00000000768A3000-memory.dmp

Filesize
5.7MB

Download
memory/3092-214-0x00000000762F0000-0x00000000768A3000-memory.dmp

Filesize
5.7MB

Download
memory/3092-208-0x0000000000B00000-0x0000000001CD2000-memory.dmp

Filesize
17.8MB

Download
memory/3092-215-0x00007FFF66610000-0x00007FFF66805000-memory.dmp

Filesize
2.0MB

Download
memory/4392-230-0x0000000000510000-0x000000000056B000-memory.dmp

Filesize
364KB

Download
memory/4392-233-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/4392-232-0x0000000000510000-0x000000000056B000-memory.dmp

Filesize
364KB

Download
memory/4392-231-0x00007FFF66610000-0x00007FFF66805000-memory.dmp

Filesize
2.0MB

Download
memory/4864-223-0x00007FFF66610000-0x00007FFF66805000-memory.dmp

Filesize
2.0MB

Download
memory/4864-229-0x00000000762F0000-0x00000000768A3000-memory.dmp

Filesize
5.7MB

Download
memory/4864-225-0x00000000762F0000-0x00000000768A3000-memory.dmp

Filesize
5.7MB

Download
memory/4864-224-0x00000000762F0000-0x00000000768A3000-memory.dmp

Filesize
5.7MB

Download
memory/4864-222-0x00000000762F0000-0x00000000768A3000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads