lumma | a84f7d97129f649ea4f1a6b0b7e85df110fc0eaa1853f15cf47d62a7cd28ae93

Analysis

max time kernel
37s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2025, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UnbanTool-main.zip
Size

1.7MB
MD5

71f40ef12a2c8fe0f1987ce7feb3354b
SHA1

ccb824fd19443433e624621b2a29dd329b2ce1e8
SHA256

a84f7d97129f649ea4f1a6b0b7e85df110fc0eaa1853f15cf47d62a7cd28ae93
SHA512

049779adc30c82b86440613d4e4663f8459104cd774f4f906169260d6185a47fea11ddb7397cecfd6d3681aca4f23a96d24ed21d838ee3dd0ea95811401e5d32
SSDEEP

49152:47Y5Ba9knsTL1qS+c3W/UxtngwYtaOleIThMD4i:46Im81Xvm/UxRExlevl

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 7 IoCs

pid	Process
2284	UnbanTool.exe
556	UnbanTool.exe
2524	UnbanTool.exe
2488	UnbanTool.exe
4264	UnbanTool.exe
4188	UnbanTool.exe
1200	UnbanTool.exe

Loads dropped DLL 7 IoCs

pid	Process
2284	UnbanTool.exe
556	UnbanTool.exe
2524	UnbanTool.exe
2488	UnbanTool.exe
4264	UnbanTool.exe
4188	UnbanTool.exe
1200	UnbanTool.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 1152	2284	UnbanTool.exe	95
PID 556 set thread context of 3220	556	UnbanTool.exe	98
PID 2524 set thread context of 2140	2524	UnbanTool.exe	101
PID 2488 set thread context of 4240	2488	UnbanTool.exe	105
PID 4264 set thread context of 3744	4264	UnbanTool.exe	108
PID 4188 set thread context of 4420	4188	UnbanTool.exe	112
PID 1200 set thread context of 4752	1200	UnbanTool.exe	115

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnbanTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnbanTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnbanTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnbanTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnbanTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnbanTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnbanTool.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1848	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1848	7zFM.exe
Token: 35	1848	7zFM.exe
Token: SeSecurityPrivilege	1848	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1848	7zFM.exe
1848	7zFM.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 2284 wrote to memory of 1152	2284	UnbanTool.exe	95
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 556 wrote to memory of 3220	556	UnbanTool.exe	98
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2524 wrote to memory of 2140	2524	UnbanTool.exe	101
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 2488 wrote to memory of 4240	2488	UnbanTool.exe	105
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4264 wrote to memory of 3744	4264	UnbanTool.exe	108
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 4188 wrote to memory of 4420	4188	UnbanTool.exe	112
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115
PID 1200 wrote to memory of 4752	1200	UnbanTool.exe	115

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\UnbanTool-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2304

C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe
"C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152

C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe
"C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220

C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe
"C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2140

C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe
"C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4240

C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe
"C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3744

C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe
"C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4420

C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe
"C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UnbanTool.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
642KB

MD5
9bc424be13dca227268ab018dca9ef0c

SHA1
f6f42e926f511d57ef298613634f3a186ec25ddc

SHA256
59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

SHA512
70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

Download Submit
C:\Users\Admin\Desktop\UnbanTool-main\UnbanTool.exe

Filesize
550KB

MD5
ee6be1648866b63fd7f860fa0114f368

SHA1
42cab62fff29eb98851b33986b637514fc904f4b

SHA256
e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

SHA512
d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

Download Submit
memory/1152-39-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1152-42-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1152-44-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2140-63-0x0000000000430000-0x0000000000495000-memory.dmp

Filesize
404KB

Download
memory/2140-66-0x0000000000430000-0x0000000000495000-memory.dmp

Filesize
404KB

Download
memory/2284-43-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2284-38-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2284-31-0x0000000000F10000-0x0000000000FA0000-memory.dmp

Filesize
576KB

Download
memory/2284-30-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3744-84-0x0000000000700000-0x0000000000765000-memory.dmp

Filesize
404KB

Download
memory/3744-87-0x0000000000700000-0x0000000000765000-memory.dmp

Filesize
404KB

Download
memory/4752-105-0x0000000000560000-0x00000000005C5000-memory.dmp

Filesize
404KB

Download
memory/4752-108-0x0000000000560000-0x00000000005C5000-memory.dmp

Filesize
404KB

Download