lumma | 85579e584505caf0cbadd2fe350c72bf5cb569aaf7153e60dd83229259e0da9b

Analysis

max time kernel
431s
max time network
1150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader2.exe
Size

422KB
MD5

c9ff17fc0b4b79260e0021bf40d1a903
SHA1

89dacc7316cf60148d1e65eae1335bc806c4a49d
SHA256

85579e584505caf0cbadd2fe350c72bf5cb569aaf7153e60dd83229259e0da9b
SHA512

fa184735f39cac65589a6ecd2a308a32de07f40ccab2fbb9d3863af54ad88d46886226bd44d1f3d479a3227a67bb29eb34eed31b289a75d40f056dcf18763ca5
SSDEEP

12288:lutZv0dHkvFYeaCr2h/HuyzwD2eym66+Kkpq9cItrPuY+rU8WtC:luIEt4dB

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://tamedgeesy.sbs

https://relalingj.sbs

https://rottieud.sbs

https://brownieyuz.sbs

https://explainvees.sbs

https://ducksringjk.sbs

https://thinkyyokej.sbs

https://repostebhu.sbs

https://berrylinyj.cyou

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Loads dropped DLL 1 IoCs

Processes:

Loader2.exe

pid process

4908 Loader2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Loader2.exe

description pid process target process

PID 4908 set thread context of 752 4908 Loader2.exe aspnet_regiis.exe

pid	process
4908	Loader2.exe

description	pid	process	target process
PID 4908 set thread context of 752	4908	Loader2.exe	aspnet_regiis.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aspnet_regiis.exeLoader2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader2.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Loader2.exe

description	pid	process	target process
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe
PID 4908 wrote to memory of 752	4908	Loader2.exe	aspnet_regiis.exe

C:\Users\Admin\AppData\Local\Temp\Loader2.exe
"C:\Users\Admin\AppData\Local\Temp\Loader2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
412KB

MD5
ed22e46dc7cefea46b34c40b38bea143

SHA1
f85ccd509c2943f3d1d3cee024b7d849f9d6b2b9

SHA256
e38f20783f066f728029b03e61ce2e722c86fce0af9a402ca267c88286d8af27

SHA512
7c20d6ab0ba4795bfe75d3addbbaebe004f090bc59737fe240771e31ea584c886aa717baad7f6a7062635637869b0a9a7c2423212b53c6831cbed260762a617a

Download Submit
memory/752-9-0x0000000000D30000-0x0000000000D98000-memory.dmp

Filesize
416KB

Download
memory/752-17-0x0000000000D30000-0x0000000000D98000-memory.dmp

Filesize
416KB

Download
memory/752-15-0x0000000000D30000-0x0000000000D98000-memory.dmp

Filesize
416KB

Download
memory/4908-0-0x00000000753BE000-0x00000000753BF000-memory.dmp

Filesize
4KB

Download
memory/4908-1-0x0000000000910000-0x0000000000982000-memory.dmp

Filesize
456KB

Download
memory/4908-2-0x0000000002D80000-0x0000000002D86000-memory.dmp

Filesize
24KB

Download
memory/4908-18-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/4908-19-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download