General

  • Target

    2f01809f78d096e770544c434b5bb63b3a0461559f7dd98a25a04bf66c8784f4.exe

  • Size

    5.1MB

  • Sample

    241230-clqshstrf1

  • MD5

    8a610c8380b7bc7c95472ea19ce2d4f3

  • SHA1

    183c6c553dbf468c3867dd094d6cc95a70a404dc

  • SHA256

    2f01809f78d096e770544c434b5bb63b3a0461559f7dd98a25a04bf66c8784f4

  • SHA512

    398ad6062e4917aeded5f303ae87861159002dc2d4c37595064d6929ebc718bc460884a9328f53171a1fafad80350d772142dafc5f6f7b5b7bdc4e4bd12b281d

  • SSDEEP

    98304:9XmejfcgConsANDqwo636BKK1KSlSsBq80hxTMqJhtl:9fc2pDqhT1KSnqlf7btl

Malware Config

Extracted

Family

lumma

Targets

    • Target

      2f01809f78d096e770544c434b5bb63b3a0461559f7dd98a25a04bf66c8784f4.exe

    • Lumma Stealer, LummaC

      Lumma (also known as LummaC) is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks