lumma | 39eff4e2681f1608e8b38160a1667315cc6f48bede67bc317b5f5b87f5392177

Analysis

max time kernel
20s
max time network
24s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luna.exe
Size

744KB
MD5

0bfe4694a087ec99980de38f282816c2
SHA1

8a322fce77387f1bf472779573e4c33b8f4d1802
SHA256

39eff4e2681f1608e8b38160a1667315cc6f48bede67bc317b5f5b87f5392177
SHA512

d2ce46abd155abd295cf96c420e06a9c4414f4f44c67e9bff4d25e056c146d35012c472348c09651fbf09b3747e757681b5759ab3f5f2fefdc808af8e7fc159a
SSDEEP

12288:zrCWd/PuP/6IQILepsga9QfZeQrLcOluyiA0E3qSCWXJAcVn/4VEFqPLCQ8A2Ytn:LxWX6ZIL7QfQQUOl133qSCy//cd

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Loads dropped DLL 1 IoCs

pid	Process
1132	Luna.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 1196	1132	Luna.exe	78

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4564	1132	WerFault.exe	76

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78
PID 1132 wrote to memory of 1196	1132	Luna.exe	78

C:\Users\Admin\AppData\Local\Temp\Luna.exe
"C:\Users\Admin\AppData\Local\Temp\Luna.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1080
  2⤵
  - Program crash
  PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1132 -ip 1132
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
433KB

MD5
8a3b829ab189b17d05014b9a572a4434

SHA1
c00eab2460a8752e51b04c94e2936323ee209514

SHA256
ac79b99e800006a123022d2df1ac71dbfc75274ed9e249c5088efd7fa6eaf97e

SHA512
30deea9d11a979ed53f430eab1932d0f37d72e96307d1eacf8eb532d6041b8bf96084f410686d12579d077d6850c6ed5eb19a979ae95265bf71143c2582a2c61

Download Submit
memory/1132-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/1132-1-0x0000000000080000-0x0000000000144000-memory.dmp

Filesize
784KB

Download
memory/1132-2-0x0000000004B30000-0x0000000004B36000-memory.dmp

Filesize
24KB

Download
memory/1132-3-0x00000000745E0000-0x0000000074D91000-memory.dmp

Filesize
7.7MB

Download
memory/1132-18-0x00000000745E0000-0x0000000074D91000-memory.dmp

Filesize
7.7MB

Download
memory/1132-19-0x00000000745E0000-0x0000000074D91000-memory.dmp

Filesize
7.7MB

Download
memory/1132-20-0x00000000745E0000-0x0000000074D91000-memory.dmp

Filesize
7.7MB

Download
memory/1196-10-0x00000000004F0000-0x0000000000553000-memory.dmp

Filesize
396KB

Download
memory/1196-15-0x00000000004F0000-0x0000000000553000-memory.dmp

Filesize
396KB

Download
memory/1196-17-0x00000000004F0000-0x0000000000553000-memory.dmp

Filesize
396KB

Download