lumma | c435de2808f39abe757760d81c10fdc60a3872088e2954951084c718bcef517b

Analysis

max time kernel
109s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03/01/2025, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release.zip
Size

24.6MB
MD5

a26453383ae24b24575e0795a338ef0b
SHA1

27e37285f54647dd670e7d7b0d3fd501f97cfe18
SHA256

c435de2808f39abe757760d81c10fdc60a3872088e2954951084c718bcef517b
SHA512

8d59eb375b48ff4d335c63e5bfaed26f38cb3fec297433ee5472132872a3d8fec90099c22bab3633bf5116b577b6b13bbfdcf401d7649fa67eda32d2f88c91b8
SSDEEP

786432:/az6YIuPordUKmTsUizXSVGQfcbPSIz4gyh5:/aGYdPor4TuC4QfkPSIz415

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://begguinnerz.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
3452	NewUpd [v1.1.0].exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewUpd [v1.1.0].exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4768	7zFM.exe
Token: 35	4768	7zFM.exe
Token: SeSecurityPrivilege	4768	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4768	7zFM.exe
4768	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4712

C:\Users\Admin\Desktop\Release\NewUpd [v1.1.0].exe
"C:\Users\Admin\Desktop\Release\NewUpd [v1.1.0].exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3452

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2624

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
1⤵
PID:72

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9adcb502-9930-4e18-8462-5dab65b6645c.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
a833653a021f29ee2ec1a845e0c2308f

SHA1
05071159d3c2516d67b765cef012a0a2d3337759

SHA256
8e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7

SHA512
0902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\Desktop\Release\NewUpd [v1.1.0].exe

Filesize
1.9MB

MD5
11009591ca02b389f69e8c8e34f3f0c3

SHA1
de3e14d918d6aa164112c7339f85f67e60291616

SHA256
6f0df40928071c599955dfa09d5f4596a823ad68b887c228a8e810287d856b66

SHA512
1ea9ce27abdd7d8ee4aa139ede7e856b3e7404cb30259e2fdd09b2125bbc0aade93e25568ce426e82bcf45167982cdff51432ed20d8db7e8b8e9d1c03ae513aa

Download Submit
memory/3452-549-0x00000000030A0000-0x0000000003158000-memory.dmp

Filesize
736KB

Download
memory/3452-550-0x00000000030A0000-0x0000000003158000-memory.dmp

Filesize
736KB

Download
memory/3452-551-0x0000000000BF0000-0x0000000000DD6000-memory.dmp

Filesize
1.9MB

Download
memory/3452-555-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

Filesize
348KB

Download
memory/3452-556-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

Filesize
348KB

Download
memory/3452-554-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

Filesize
348KB

Download
memory/3452-557-0x00000000030A0000-0x0000000003158000-memory.dmp

Filesize
736KB

Download
memory/3452-553-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

Filesize
348KB

Download
memory/3452-552-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

Filesize
348KB

Download
memory/3452-559-0x0000000000BF0000-0x0000000000DD6000-memory.dmp

Filesize
1.9MB

Download
memory/3452-548-0x0000000000DE0000-0x0000000000E99000-memory.dmp

Filesize
740KB

Download