lumma | 4df1cacfcc528146da82cdf81c4516375828aa86f5b41c693852de7779c8661d

General

Target

✺⇉Δ†ε$†✺$ε†μρ✺Unℓ◎ck Kε¥✺{9192}✺⇉-A/Setup.exe
Size

31KB
MD5

67dedab5bc0159f7cc61cb4b46daa6f1
SHA1

5d57ef4bd9b6ac672c413c5e8495263672f090e3
SHA256

0e6f5eaa2cd91747213f6aec05e3de6fb46ea2b7cf4d5f3ac267128abc784d00
SHA512

4c7ed5d6e0a76ac6eec79e50ae9cd4b5fe3eacda574606e47d85bba1739902d688aa6f5ec03e7863ec9d36bdadf6229f64bce8fe33bacf38e84e50332a30caf0
SSDEEP

768:MEH9SEBh8GdMrawYnZO44H2ekz/5Z+MMcS:M8RdMXYnZO4Y2ekT5Zgc

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://intentiongi.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
2136	nc.exe
1236	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
2444	Setup.exe
1236	Process not Found
2760	more.com
2640	AutoIt3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2760	2444	Setup.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2444	Setup.exe
2444	Setup.exe
2760	more.com
2760	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2444	Setup.exe
2760	more.com

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2136	2444	Setup.exe	31
PID 2444 wrote to memory of 2136	2444	Setup.exe	31
PID 2444 wrote to memory of 2136	2444	Setup.exe	31
PID 2444 wrote to memory of 2136	2444	Setup.exe	31
PID 2444 wrote to memory of 2760	2444	Setup.exe	32
PID 2444 wrote to memory of 2760	2444	Setup.exe	32
PID 2444 wrote to memory of 2760	2444	Setup.exe	32
PID 2444 wrote to memory of 2760	2444	Setup.exe	32
PID 2444 wrote to memory of 2760	2444	Setup.exe	32
PID 2760 wrote to memory of 2640	2760	more.com	34
PID 2760 wrote to memory of 2640	2760	more.com	34
PID 2760 wrote to memory of 2640	2760	more.com	34
PID 2760 wrote to memory of 2640	2760	more.com	34
PID 2760 wrote to memory of 2640	2760	more.com	34
PID 2760 wrote to memory of 2640	2760	more.com	34

C:\Users\Admin\AppData\Local\Temp\✺⇉Δ†ε$†✺$ε†μρ✺Unℓ◎ck Kε¥✺{9192}✺⇉-A\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\✺⇉Δ†ε$†✺$ε†μρ✺Unℓ◎ck Kε¥✺{9192}✺⇉-A\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Roaming\danc\VKNBHZTFWAYNAFU\nc.exe
  C:\Users\Admin\AppData\Roaming\danc\VKNBHZTFWAYNAFU\nc.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\af099cee

Filesize
2.3MB

MD5
2b14c105d08f63750e939d70fc68e3af

SHA1
010907566b1f23ba8566f1973a8a2a5fa919f7a6

SHA256
95c18f788b80ed53eed4bec76f539438284344523bdc1d01598353685ad2f0cb

SHA512
9936e0fa7342422b75fbee961002cbd950d0ca6811d335fa69ef1f9ce41d5f128b63e0878dadbcbd37ee5e0362406a33b4d7eeafd88fab62b94208ae84e3c0c3

Download Submit
C:\Users\Admin\AppData\Roaming\danc\VKNBHZTFWAYNAFU\nc.exe

Filesize
285KB

MD5
7fb44c5bca4226d8aab7398e836807a2

SHA1
47128e4f8afabfde5037ed0fcaba8752c528ff52

SHA256
a64ead73c06470bc5c84cfc231b0723d70d29fec7d385a268be2c590dc5eb1ef

SHA512
f0bd093f054c99bcc50df4005d0190bd7e3dcefea7008ae4c9b67a29e832e02ae9ff39fa75bc1352c127aeb13afdea9bfdcc238ac826ef17f288d6fbd2ec8cab

Download Submit
\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
memory/2444-13-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/2444-12-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/2444-0-0x00000000003F0000-0x0000000000504000-memory.dmp

Filesize
1.1MB

Download
memory/2444-10-0x00000000749A3000-0x00000000749A4000-memory.dmp

Filesize
4KB

Download
memory/2444-14-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/2444-20-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/2444-21-0x00000000749A3000-0x00000000749A4000-memory.dmp

Filesize
4KB

Download
memory/2444-2-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/2444-3-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2640-43-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/2640-42-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/2640-41-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2640-37-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2640-38-0x0000000000130000-0x00000000001A7000-memory.dmp

Filesize
476KB

Download
memory/2760-26-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2760-35-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/2760-30-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/2760-29-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download
memory/2760-24-0x0000000074990000-0x0000000074B04000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing