Extracted

• • Target

    NovaLauncher_44dc2817f4e85757cc52784cd3521c67.msi

  • Size

    7.1MB

  • MD5

    44dc2817f4e85757cc52784cd3521c67

  • SHA1

    41fc684fdb5331b3bc0a6a48f0903c530e3ff054

  • SHA256

    4a0a4a787586fbc370a2721019013e158a88d5c5f78fd140c91b54af42103763

  • SHA512

    66215cc9fb92c7ec5c9fdbe85df9a98bfb72cdfb48e8db51c4ea9bcbd22ff784d57313dea9a6a0a1ee98852d52bec455ad8983e15cab9cd163cbb136ed0f2d18

  • SSDEEP

    196608:OdVx9BJKK09BYzW+ZUl4sK8bF/9NH5iPbPO:OdVx9s9BYzw4sK8bF/aTO

  Score

  10^/10

  lummadefense_evasiondiscoveryevasionexecutionpersistencephishingprivilege_escalationstealer

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Creates new service(s)

    persistenceexecution

  • Drops file in Drivers directory

  • Stops running service(s)

    evasionexecution

  • A potential corporate email address has been identified in the URL: [email protected]

    phishing

  • Indicator Removal: Clear Windows Event Logs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion

  • Blocklisted process makes network request

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Power Settings

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1