lumma | 36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884

Resubmissions

03/01/2025, 19:53 UTC

250103-ymf6cszrbw 10

03/01/2025, 05:06 UTC

250103-frq71szrdy 10

03/01/2025, 05:00 UTC

250103-fm1kwstjgq 10

03/01/2025, 04:45 UTC

250103-fdjk1ssqar 10

03/01/2025, 04:35 UTC

250103-e7skcasmfr 10

03/01/2025, 03:28 UTC

250103-d1dbeazrfl 10

Analysis

max time kernel
11s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2025, 05:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
Size

310KB
MD5

2ea329cf21fe95c260ea3b956b6fbb75
SHA1

4c8a6dfe97d33ada86c65298ad91ab46eddc8454
SHA256

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884
SHA512

9ba7c26d15f6a116489e69c364f51484fa028dc92cf76a15e7c49095707bc4d499e6da31e9c79e1c5d2b3047dcb0518e10fd01f163b9c6e71282fffb2e8eac90
SSDEEP

6144:N0ytx8RRzYd1mH+CkaPSdpzybQiwRF/yCQaOn39cm4W8+:NpeRRzQ0BkFd40bbqC8Wms+

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://enterwahsh.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3472	4480	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

C:\Users\Admin\AppData\Local\Temp\36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
"C:\Users\Admin\AppData\Local\Temp\36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1248
  2⤵
  - Program crash
  PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4480 -ip 4480
1⤵
PID:1736

Network

DNS

enterwahsh.biz

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

enterwahsh.biz

IN A

Response
DNS

wordyfindy.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

wordyfindy.lat

IN A

Response
DNS

slipperyloo.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

slipperyloo.lat

IN A

Response
DNS

manyrestro.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

manyrestro.lat

IN A

Response
DNS

shapestickyr.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

shapestickyr.lat

IN A

Response
DNS

talkynicer.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

talkynicer.lat

IN A

Response
DNS

curverpluch.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

curverpluch.lat

IN A

Response
DNS

tentabatte.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

tentabatte.lat

IN A

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

bashfulacid.lat

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

bashfulacid.lat

IN A

Response
DNS

steamcommunity.com

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

104.82.234.109
GET

https://steamcommunity.com/profiles/76561199724331900

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

104.82.234.109:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 03 Jan 2025 05:00:16 GMT
Content-Length: 35588
Connection: keep-alive
Set-Cookie: sessionid=d7e8a9c95b500c7a0c51cece; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
DNS

lev-tolstoi.com

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

8.8.8.8:53

Request

lev-tolstoi.com

IN A

Response

lev-tolstoi.com

IN A

104.21.66.86

lev-tolstoi.com

IN A

172.67.157.254
POST

https://lev-tolstoi.com/api

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

Remote address:

104.21.66.86:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com

Response

HTTP/1.1 200 OK

Date: Fri, 03 Jan 2025 05:00:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=38t8cae6bumif08fq8qabvc3vp; expires=Mon, 28 Apr 2025 22:46:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=txG5F1qVqNCOUeeZLAcurpLU3Ztl%2FJ2nUleG63u2FXwNZj8%2BfoPd47d4wXUmOGkqG1FtOpRyOVH7Y35IOYmhQSEziiTRccVldJxo8wUpn8D6k%2BA%2B05Zwt5LgiJKFPc4jnq8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc06c9c4bc8bea8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60544&min_rtt=59613&rtt_var=14060&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=62197&cwnd=253&unsent_bytes=0&cid=80b0966df3528575&ts=299&x=0"
DNS

180.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.129.81.91.in-addr.arpa

IN PTR

Response
DNS

109.234.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

109.234.82.104.in-addr.arpa

IN PTR

Response

109.234.82.104.in-addr.arpa

IN PTR

a104-82-234-109deploystaticakamaitechnologiescom
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

86.66.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.66.21.104.in-addr.arpa

IN PTR

Response

104.82.234.109:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

1.6kB
43.2kB
22
37

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
104.21.66.86:443

https://lev-tolstoi.com/api

tls, http

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

999 B
4.9kB
9
9

HTTP Request

POST https://lev-tolstoi.com/api

HTTP Response

200
204.79.197.203:443
192.229.221.95:80

8.8.8.8:53

enterwahsh.biz

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

60 B
122 B
1
1

DNS Request

enterwahsh.biz
8.8.8.8:53

wordyfindy.lat

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

60 B
125 B
1
1

DNS Request

wordyfindy.lat
8.8.8.8:53

slipperyloo.lat

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

61 B
126 B
1
1

DNS Request

slipperyloo.lat
8.8.8.8:53

manyrestro.lat

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

60 B
125 B
1
1

DNS Request

manyrestro.lat
8.8.8.8:53

shapestickyr.lat

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

62 B
127 B
1
1

DNS Request

shapestickyr.lat
8.8.8.8:53

talkynicer.lat

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

60 B
125 B
1
1

DNS Request

talkynicer.lat
8.8.8.8:53

curverpluch.lat

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

61 B
126 B
1
1

DNS Request

curverpluch.lat
8.8.8.8:53

tentabatte.lat

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

60 B
125 B
1
1

DNS Request

tentabatte.lat
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

bashfulacid.lat

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

61 B
126 B
1
1

DNS Request

bashfulacid.lat
8.8.8.8:53

steamcommunity.com

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

104.82.234.109
8.8.8.8:53

lev-tolstoi.com

dns

36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

61 B
93 B
1
1

DNS Request

lev-tolstoi.com

DNS Response

104.21.66.86

172.67.157.254
8.8.8.8:53

180.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

180.129.81.91.in-addr.arpa
8.8.8.8:53

109.234.82.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

109.234.82.104.in-addr.arpa
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

86.66.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

86.66.21.104.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4480-0-0x0000000002070000-0x000000000209C000-memory.dmp

Filesize
176KB

Download
memory/4480-1-0x00000000020A0000-0x00000000020EC000-memory.dmp

Filesize
304KB

Download
memory/4480-2-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4480-3-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4480-4-0x0000000002070000-0x000000000209C000-memory.dmp

Filesize
176KB

Download
memory/4480-5-0x00000000020A0000-0x00000000020EC000-memory.dmp

Filesize
304KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.