lumma | 3fd5d1dbae3317e84733fdd058e03a1e8831b0cb092964dfb113474fb4387efc

General

Target

Setup.exe
Size

651.4MB
MD5

8604e4bdf9de6a0ae82aa30e6bb5841e
SHA1

8535e889bc6a0757274081e52fdab90ea2090ae6
SHA256

27196952aca14c796138426eb8f52b0ddafc9f46d0e4c10f750cfee95bf5132c
SHA512

8a0d003df564bedd3b748955b2b2efd6079d03b73ea56ff6e3bb77fd8f54c500e683107fdc64d4df71dfcba90b275066b3d627422bef0a217dbbcfffc5b00ebe
SSDEEP

196608:ZAa/L5xk1ABsdnCdTy9w6wzWvnP4O7NADtV6v+4cU9UryCjh9WmilQDpMVo0hnXy:j/L50mq9w6hvX7

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://reinfomarbke.site/api

https://monopuncdz.site/api

https://unityshootsz.site/api

https://moeventmynz.site/api

https://plaintifuf.site/api

https://honerstyzu.site/api

https://bringlanejk.site/api

https://uppermixturyz.site/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 2008	1484	Setup.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1484	Setup.exe
1484	Setup.exe
2008	choice.exe
2008	choice.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1484	Setup.exe
2008	choice.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1484	Setup.exe
1484	Setup.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2008	1484	Setup.exe	31
PID 1484 wrote to memory of 2008	1484	Setup.exe	31
PID 1484 wrote to memory of 2008	1484	Setup.exe	31
PID 1484 wrote to memory of 2008	1484	Setup.exe	31
PID 1484 wrote to memory of 2008	1484	Setup.exe	31
PID 2008 wrote to memory of 2852	2008	choice.exe	33
PID 2008 wrote to memory of 2852	2008	choice.exe	33
PID 2008 wrote to memory of 2852	2008	choice.exe	33
PID 2008 wrote to memory of 2852	2008	choice.exe	33
PID 2008 wrote to memory of 2852	2008	choice.exe	33

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\choice.exe
  C:\Windows\SysWOW64\choice.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\SearchIndexer.exe
    C:\Windows\SysWOW64\SearchIndexer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cda1c7ff

Filesize
1.0MB

MD5
c3df93ace33743680e80ae11c9a3b003

SHA1
cf54f6ccd41c963e7f6cb851f7290724b1442fff

SHA256
5b602014cdddaa2600d953b12dfb86b2d9dce1f15aab11b9efded56b8ce602fe

SHA512
d4a5294be64f564527f73a73acb4194992a97d6af8186fa292f64b3a0911d7f665e7c16f5e7414f55fd7e3f1639e5140816a7139ab923e14732c15e91179f3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0035a44

Filesize
1020KB

MD5
764a8262705be7bdd396df544fbf1ef7

SHA1
1bfa0109b025c3002df46719893fb4e04bfab251

SHA256
035efec524afbf21ee31693ac75e76688f0cb2266bf9f1cb6ee3047fe3b5205c

SHA512
616b281395518be7b4a3a90f5cab3e1b93297df50fa6fda4227c2cc0b6ce64e7c641532b642f49b7aed9aa6732c95edd882e59030feb6504b1457890fc51f40f

Download Submit
memory/1484-8-0x00000000744B3000-0x00000000744B5000-memory.dmp

Filesize
8KB

Download
memory/1484-6-0x00000000744A0000-0x00000000746E0000-memory.dmp

Filesize
2.2MB

Download
memory/1484-0-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1484-9-0x00000000744A0000-0x00000000746E0000-memory.dmp

Filesize
2.2MB

Download
memory/1484-10-0x00000000744A0000-0x00000000746E0000-memory.dmp

Filesize
2.2MB

Download
memory/1484-7-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download
memory/2008-14-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download
memory/2008-12-0x00000000744A0000-0x00000000746E0000-memory.dmp

Filesize
2.2MB

Download
memory/2008-15-0x00000000744A0000-0x00000000746E0000-memory.dmp

Filesize
2.2MB

Download
memory/2008-17-0x00000000744A0000-0x00000000746E0000-memory.dmp

Filesize
2.2MB

Download
memory/2008-16-0x00000000744A0000-0x00000000746E0000-memory.dmp

Filesize
2.2MB

Download
memory/2008-19-0x00000000744A0000-0x00000000746E0000-memory.dmp

Filesize
2.2MB

Download
memory/2852-20-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download
memory/2852-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2852-22-0x000000000020D000-0x0000000000215000-memory.dmp

Filesize
32KB

Download
memory/2852-23-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing