lumma | 51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5 | Triage

Sharing

General

Target

51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5
Size

2.4MB
Sample

241127-2dv5pstlbs
MD5

70a396a9f154f9a70534b6608e92cb12
SHA1

1a4c735936c372df4f99a3ff3a024646d16a9f75
SHA256

51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5
SHA512

72322ef6c4ee7c278dccd755a487463e09e34551a2fd3f1fe7ba1bc216e275e7e17f36dbcf4f48b48875f416affc41bf9d2617fbd7fde759f265e7bdd55cc203
SSDEEP

49152:aPxE9erTy74WgvJDu5gtqbRLCl9uLkd3HY/P3THX9kyK:mO9erFY5PLfGY/v2y

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Family

lumma

C2

https://crib-endanger.sbs

https://faintbl0w.sbs

https://300snails.sbs

https://bored-light.sbs

https://3xc1aimbl0w.sbs

https://pull-trucker.sbs

https://fleez-inc.sbs

https://thicktoys.sbs

https://frogmen-smell.sbs

Extracted

Family

lumma

C2

https://frogmen-smell.sbs/api

Targets

- Target
  
  51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5
- Size
  
  2.4MB
- MD5
  
  70a396a9f154f9a70534b6608e92cb12
- SHA1
  
  1a4c735936c372df4f99a3ff3a024646d16a9f75
- SHA256
  
  51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5
- SHA512
  
  72322ef6c4ee7c278dccd755a487463e09e34551a2fd3f1fe7ba1bc216e275e7e17f36dbcf4f48b48875f416affc41bf9d2617fbd7fde759f265e7bdd55cc203
- SSDEEP
  
  49152:aPxE9erTy74WgvJDu5gtqbRLCl9uLkd3HY/P3THX9kyK:mO9erFY5PLfGY/v2y
Score

10^/10

discovery execution lumma stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

lummadiscoveryexecutionstealer