lumma | 36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884

Resubmissions

03/01/2025, 19:53 UTC

250103-ymf6cszrbw 10

03/01/2025, 05:06 UTC

250103-frq71szrdy 10

03/01/2025, 05:00 UTC

250103-fm1kwstjgq 10

03/01/2025, 04:45 UTC

250103-fdjk1ssqar 10

03/01/2025, 04:35 UTC

250103-e7skcasmfr 10

03/01/2025, 03:28 UTC

250103-d1dbeazrfl 10

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03/01/2025, 04:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
Size

310KB
MD5

2ea329cf21fe95c260ea3b956b6fbb75
SHA1

4c8a6dfe97d33ada86c65298ad91ab46eddc8454
SHA256

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884
SHA512

9ba7c26d15f6a116489e69c364f51484fa028dc92cf76a15e7c49095707bc4d499e6da31e9c79e1c5d2b3047dcb0518e10fd01f163b9c6e71282fffb2e8eac90
SSDEEP

6144:N0ytx8RRzYd1mH+CkaPSdpzybQiwRF/yCQaOn39cm4W8+:NpeRRzQ0BkFd40bbqC8Wms+

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://enterwahsh.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3312	3700	WerFault.exe	76

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

C:\Users\Admin\AppData\Local\Temp\36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
"C:\Users\Admin\AppData\Local\Temp\36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 676
  2⤵
  - Program crash
  PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3700 -ip 3700
1⤵
PID:4084

Network

DNS

enterwahsh.biz

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

enterwahsh.biz

IN A

Response
DNS

wordyfindy.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

wordyfindy.lat

IN A

Response
DNS

slipperyloo.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

slipperyloo.lat

IN A

Response
DNS

manyrestro.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

manyrestro.lat

IN A

Response
DNS

shapestickyr.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

shapestickyr.lat

IN A

Response
DNS

talkynicer.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

talkynicer.lat

IN A

Response
DNS

curverpluch.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

curverpluch.lat

IN A

Response
DNS

tentabatte.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

tentabatte.lat

IN A

Response
DNS

bashfulacid.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

bashfulacid.lat

IN A

Response
DNS

steamcommunity.com

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

104.82.234.109
DNS

8.8.8.8.in-addr.arpa

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

lev-tolstoi.com

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

lev-tolstoi.com

IN A

Response

lev-tolstoi.com

IN A

104.21.66.86

lev-tolstoi.com

IN A

172.67.157.254
DNS

109.234.82.104.in-addr.arpa

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

109.234.82.104.in-addr.arpa

IN PTR

Response

109.234.82.104.in-addr.arpa

IN PTR

a104-82-234-109deploystaticakamaitechnologiescom
DNS

86.66.21.104.in-addr.arpa

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

86.66.21.104.in-addr.arpa

IN PTR

Response
DNS

nexusrules.officeapps.live.com

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.229.48
DNS

48.229.111.52.in-addr.arpa

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

104.82.234.109:443

steamcommunity.com

tls

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

1.6kB
43.6kB
23
37
104.21.66.86:443

lev-tolstoi.com

tls

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

1.1kB
5.2kB
10
9

8.8.8.8:53

enterwahsh.biz

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

1.0kB
2.0kB
16
16

DNS Request

enterwahsh.biz

DNS Request

wordyfindy.lat

DNS Request

slipperyloo.lat

DNS Request

manyrestro.lat

DNS Request

shapestickyr.lat

DNS Request

talkynicer.lat

DNS Request

curverpluch.lat

DNS Request

tentabatte.lat

DNS Request

bashfulacid.lat

DNS Request

steamcommunity.com

DNS Response

104.82.234.109

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

lev-tolstoi.com

DNS Response

104.21.66.86

172.67.157.254

DNS Request

109.234.82.104.in-addr.arpa

DNS Request

86.66.21.104.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.229.48

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3700-0-0x00000000022B0000-0x00000000022DC000-memory.dmp

Filesize
176KB

Download
memory/3700-1-0x00000000022E0000-0x000000000232C000-memory.dmp

Filesize
304KB

Download
memory/3700-2-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3700-3-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3700-4-0x00000000022B0000-0x00000000022DC000-memory.dmp

Filesize
176KB

Download
memory/3700-5-0x00000000022E0000-0x000000000232C000-memory.dmp

Filesize
304KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.