lumma | 4df1cacfcc528146da82cdf81c4516375828aa86f5b41c693852de7779c8661d

General

Target

✺⇉Δ†ε$†✺$ε†μρ✺Unℓ◎ck Kε¥✺{9192}✺⇉-A/Setup.exe
Size

31KB
MD5

67dedab5bc0159f7cc61cb4b46daa6f1
SHA1

5d57ef4bd9b6ac672c413c5e8495263672f090e3
SHA256

0e6f5eaa2cd91747213f6aec05e3de6fb46ea2b7cf4d5f3ac267128abc784d00
SHA512

4c7ed5d6e0a76ac6eec79e50ae9cd4b5fe3eacda574606e47d85bba1739902d688aa6f5ec03e7863ec9d36bdadf6229f64bce8fe33bacf38e84e50332a30caf0
SSDEEP

768:MEH9SEBh8GdMrawYnZO44H2ekz/5Z+MMcS:M8RdMXYnZO4Y2ekT5Zgc

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://intentiongi.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2780	nc.exe

Loads dropped DLL 1 IoCs

pid	Process
884	AutoIt3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 1260	1344	Setup.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1344	Setup.exe
1344	Setup.exe
1260	more.com
1260	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1344	Setup.exe
1260	more.com

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2780	1344	Setup.exe	82
PID 1344 wrote to memory of 2780	1344	Setup.exe	82
PID 1344 wrote to memory of 1260	1344	Setup.exe	84
PID 1344 wrote to memory of 1260	1344	Setup.exe	84
PID 1344 wrote to memory of 1260	1344	Setup.exe	84
PID 1344 wrote to memory of 1260	1344	Setup.exe	84
PID 1260 wrote to memory of 884	1260	more.com	101
PID 1260 wrote to memory of 884	1260	more.com	101
PID 1260 wrote to memory of 884	1260	more.com	101
PID 1260 wrote to memory of 884	1260	more.com	101
PID 1260 wrote to memory of 884	1260	more.com	101

C:\Users\Admin\AppData\Local\Temp\✺⇉Δ†ε$†✺$ε†μρ✺Unℓ◎ck Kε¥✺{9192}✺⇉-A\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\✺⇉Δ†ε$†✺$ε†μρ✺Unℓ◎ck Kε¥✺{9192}✺⇉-A\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Roaming\danc\PJJBIBGPAFFULS\nc.exe
  C:\Users\Admin\AppData\Roaming\danc\PJJBIBGPAFFULS\nc.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7276d7

Filesize
2.3MB

MD5
6f129470ee8f93c2b0ff3665fbe1ee20

SHA1
f69f7027fb6835b9141f1765a0bc3fa974cf0202

SHA256
1822d6f0050a01cd19ac8dc8150b08c9a99a83037d83b93528a8bcba706bf111

SHA512
574197024509a1eb1a40bcebf50557e28f579fdc1e1eaf5afe7ab15460c90657e54a7be8bb2cc2790c4a11035e7533e761896205e4327807dae940fc3c5c2c82

Download Submit
C:\Users\Admin\AppData\Roaming\danc\PJJBIBGPAFFULS\nc.exe

Filesize
285KB

MD5
7fb44c5bca4226d8aab7398e836807a2

SHA1
47128e4f8afabfde5037ed0fcaba8752c528ff52

SHA256
a64ead73c06470bc5c84cfc231b0723d70d29fec7d385a268be2c590dc5eb1ef

SHA512
f0bd093f054c99bcc50df4005d0190bd7e3dcefea7008ae4c9b67a29e832e02ae9ff39fa75bc1352c127aeb13afdea9bfdcc238ac826ef17f288d6fbd2ec8cab

Download Submit
memory/884-47-0x0000000000500000-0x0000000000577000-memory.dmp

Filesize
476KB

Download
memory/884-46-0x0000000000500000-0x0000000000577000-memory.dmp

Filesize
476KB

Download
memory/884-45-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/884-44-0x0000000000500000-0x0000000000577000-memory.dmp

Filesize
476KB

Download
memory/884-43-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

Filesize
2.0MB

Download
memory/1260-38-0x0000000074BA0000-0x0000000074D1B000-memory.dmp

Filesize
1.5MB

Download
memory/1260-32-0x0000000074BA0000-0x0000000074D1B000-memory.dmp

Filesize
1.5MB

Download
memory/1260-34-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

Filesize
2.0MB

Download
memory/1260-37-0x0000000074BA0000-0x0000000074D1B000-memory.dmp

Filesize
1.5MB

Download
memory/1260-41-0x0000000074BA0000-0x0000000074D1B000-memory.dmp

Filesize
1.5MB

Download
memory/1344-10-0x0000000074BB3000-0x0000000074BB4000-memory.dmp

Filesize
4KB

Download
memory/1344-29-0x0000000074BB3000-0x0000000074BB5000-memory.dmp

Filesize
8KB

Download
memory/1344-28-0x0000000074BA0000-0x0000000074D1B000-memory.dmp

Filesize
1.5MB

Download
memory/1344-0-0x0000000074BA0000-0x0000000074D1B000-memory.dmp

Filesize
1.5MB

Download
memory/1344-1-0x00007FF8DAD90000-0x00007FF8DAF85000-memory.dmp

Filesize
2.0MB

Download
memory/1344-9-0x0000000074BA0000-0x0000000074D1B000-memory.dmp

Filesize
1.5MB

Download
memory/1344-13-0x0000000074BA0000-0x0000000074D1B000-memory.dmp

Filesize
1.5MB

Download
memory/2780-27-0x000001C5E2720000-0x000001C5E2990000-memory.dmp

Filesize
2.4MB

Download
memory/2780-16-0x000001C5E2720000-0x000001C5E2990000-memory.dmp

Filesize
2.4MB

Download
memory/2780-26-0x000001C5E2700000-0x000001C5E2701000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing