lumma | 1230f1313b7c82b3fda1ef9f3860d668ed66846cc6252ad2a2b92db29a59d6a9

General

Target

Setup.exe
Size

351.1MB
MD5

b6cf2050dc61fcc253eb7d7f9105f4c8
SHA1

f88ec60af42abdd3b67a980ae14eb4e58b3bc0e7
SHA256

42d6496db190c2800501a8205f23b610e5efe24312fcfe1ea8b9f6d66aaea9f1
SHA512

944de25459b38cce873f6076e14e40bf701f138002bc9182bba37ea08073185430432b24d07c369a023ebfc5d22d8f97dc622c8d9bc98c98c43fbd288ed307fa
SSDEEP

196608:Hi4rZPnHKOfiGJDxGOOBvaxvQAoOQpDbVHqHI+uzIQDQdy1VM1fzN6Do3pOVNAUe:Hi4rZPxfiGJDxGOOBvaxnQzMj

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://servicedny.site

https://authorisev.site

https://faulteyotk.site

https://dilemmadu.site

https://contemteny.site

https://goalyfeastz.site

https://opposezmny.site

https://seallysl.site

https://reallymenyb.cyou

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 1552 set thread context of 4708	1552	Setup.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exemore.comOpenWith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exemore.com

pid	Process
1552	Setup.exe
1552	Setup.exe
4708	more.com
4708	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exemore.com

pid	Process
1552	Setup.exe
4708	more.com

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup.exemore.com

description	pid	Process	procid_target
PID 1552 wrote to memory of 4708	1552	Setup.exe	83
PID 1552 wrote to memory of 4708	1552	Setup.exe	83
PID 1552 wrote to memory of 4708	1552	Setup.exe	83
PID 1552 wrote to memory of 4708	1552	Setup.exe	83
PID 4708 wrote to memory of 956	4708	more.com	90
PID 4708 wrote to memory of 956	4708	more.com	90
PID 4708 wrote to memory of 956	4708	more.com	90
PID 4708 wrote to memory of 956	4708	more.com	90
PID 4708 wrote to memory of 956	4708	more.com	90

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\SysWOW64\OpenWith.exe
    C:\Windows\SysWOW64\OpenWith.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19ca8034

Filesize
1.3MB

MD5
94175bd77bc17ca8f7c2196caba3f614

SHA1
f9602cc39643864461fd30e04d01be8c8e82d411

SHA256
526680305be37788cfd31337114c567329ee6f16a139f5496a9a9550442bd7c8

SHA512
4e66917165b19e22fd2aa2f3cafb77e322046f8bf720b143719561936c69916c2a004537dbc2ad14dace514478318d6d31e9372387d383db9bb6369e6366addb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c3341ca

Filesize
1.1MB

MD5
bf719406c394c93605f05d4fce37303a

SHA1
f5a225267c543d5f3b5abada792c7a0fb05a4ad6

SHA256
fddc591701be3dee8e3b06eef60a151020bbff35bdc5c1caf614211396970c62

SHA512
0cc115ad629d4c83ef8010563c06f64e587d2ccecde5cf8d4f7ea93ef9a22ea7661db77c6ecbffa1ee14f0e1ee0809412e5ac3bcd136abc010b4324b46895ad9

Download Submit
memory/956-26-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/956-25-0x0000000000BF0000-0x0000000000C67000-memory.dmp

Filesize
476KB

Download
memory/956-24-0x00007FFF33470000-0x00007FFF33665000-memory.dmp

Filesize
2.0MB

Download
memory/1552-8-0x00007FFF33470000-0x00007FFF33665000-memory.dmp

Filesize
2.0MB

Download
memory/1552-10-0x0000000073AD0000-0x0000000073C4B000-memory.dmp

Filesize
1.5MB

Download
memory/1552-11-0x0000000073AD0000-0x0000000073C4B000-memory.dmp

Filesize
1.5MB

Download
memory/1552-9-0x0000000073AE3000-0x0000000073AE5000-memory.dmp

Filesize
8KB

Download
memory/1552-0-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

Filesize
4KB

Download
memory/1552-7-0x0000000073AD0000-0x0000000073C4B000-memory.dmp

Filesize
1.5MB

Download
memory/1552-1-0x00000000003F0000-0x0000000000FCC000-memory.dmp

Filesize
11.9MB

Download
memory/4708-13-0x0000000073AD0000-0x0000000073C4B000-memory.dmp

Filesize
1.5MB

Download
memory/4708-16-0x00007FFF33470000-0x00007FFF33665000-memory.dmp

Filesize
2.0MB

Download
memory/4708-19-0x0000000073AD0000-0x0000000073C4B000-memory.dmp

Filesize
1.5MB

Download
memory/4708-18-0x0000000073AD0000-0x0000000073C4B000-memory.dmp

Filesize
1.5MB

Download
memory/4708-23-0x0000000073AD0000-0x0000000073C4B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads