Overview

overview

10

Static

static

7

frhasdtr.exe

windows7-x64

10

frhasdtr.exe

windows10-2004-x64

10

lumma.exe

windows7-x64

10

lumma.exe

windows10-2004-x64

10

picturefonts.exe

windows7-x64

7

picturefonts.exe

windows10-2004-x64

7

rundll.exe

windows7-x64

1

rundll.exe

windows10-2004-x64

10

setup.exe

windows7-x64

7

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lumma.exe

  • Size

    6.3MB

  • MD5

    68821531a37ba7822fd5d67019733b6b

  • SHA1

    b53de7324804e2775d46f2ec9a56627d706eb647

  • SHA256

    39551af6337d3dca0ed2212e19e7b6648c8d4fca343c61a27e415602f321ceba

  • SHA512

    5e249f08aa91641c00f43fff22b6d5d8c714a5b3e8ffe4dbaa8b223c5c65588cd0e821e3b98297cd638096c5b1c768099b5c8b9c368cefc951248adf1cf1616c

  • SSDEEP

    196608:6qwtqwlk+lDCjExVbXZlL8UBk8Ocp0J89voSPn0:ik+aExVbJhbfYq0

Score
10/10
lummadiscoverystealervmprotect

Malware Config

Extracted

Family

lumma

C2

https://commisionipwn.shop/api

https://stitchmiscpaew.shop/api

https://ignoracndwko.shop/api

https://grassemenwji.shop/api

https://charistmatwio.shop/api

https://basedsymsotp.shop/api

https://complainnykso.shop/api

https://preachstrwnwjw.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lumma.exe
    "C:\Users\Admin\AppData\Local\Temp\lumma.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        clamer.exe -pfrhasdtr
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\frhasdtr.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\frhasdtr.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
    Filesize

    38B

    MD5

    628aae5750fc0020d95684ea374583b9

    SHA1

    ae262990bc7394d7cf077d9b0f15c1c0dc298c41

    SHA256

    15df98664ca3de71fc6e1a9909fb26daffb3f5efd8c09369156afd0b06329cba

    SHA512

    b3c2ddc2d7f083c8be05e9248f0ecc23d803ca7058c8333cc23028f018894e2b9bf92cdddf7d4c8407b81793ccbfce27e58a8ae5216e2ea97c1d69e3ec8323bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
    Filesize

    5.9MB

    MD5

    4f18d47ea8490cfcf59c3eaf9c5dbf68

    SHA1

    84738b3ba9c1a188f67abef3da841d90b206dfb9

    SHA256

    f52de5c2436b99920092bfb639045ec409104a770b8b40e2bd6ba577e01c04e8

    SHA512

    8d85915ed3b9a442e152dcab0216609770d090b5f579e756ec3c9917fc7fe1d52bedb190ad21043d70cbefcb45ceeba4d595f97ac664a6ea670ba56b1b772d9e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\frhasdtr.exe
    Filesize

    5.5MB

    MD5

    f6c0f0e730b0dccf2dfbd2bca9afd415

    SHA1

    8c930bc6004a3dafb7eb8d86b16ab5a59fa5e94a

    SHA256

    1d43e78596a3bdede8c56902959b4f2b08ca7f75200d22f44812b5f216631d5b

    SHA512

    d2864e6465583289d1ba771ad7c34d66c62d79e00c1549ce058df958aed12cf973242482616d0f7a2f79f44eae30271c8a0d3e0a7c2d4baa27ecf06938069c1d

    Download Submit

  • memory/4560-19-0x0000000001490000-0x0000000001491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4560-20-0x0000000000500000-0x0000000000DF6000-memory.dmp

    Filesize

    9.0MB

    Download