lumma | 7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

General

Target

XWorm-5.6-main.zip
Size

25.1MB
MD5

95c1c4a3673071e05814af8b2a138be4
SHA1

4c08b79195e0ff13b63cfb0e815a09dc426ac340
SHA256

7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27
SHA512

339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd
SSDEEP

786432:Ty5jMDNnx2+4NYobtH8VVtKqi9+i514XZ/pjYlp0:MMDNnxV4iobxibiIi5MpjYv0

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 7 IoCs

pid	Process
4612	XwormLoader.exe
652	XwormLoader.exe
3768	XwormLoader.exe
2368	Xworm V5.6.exe
4740	XwormLoader.exe
3984	XwormLoader.exe
1228	XwormLoader.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2940	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2940	7zFM.exe
Token: 35	2940	7zFM.exe
Token: SeSecurityPrivilege	2940	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2940	7zFM.exe
2940	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2068

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4612

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:652

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3768

C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:2368

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4740

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3984

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zEC7B68FB7\XWorm-5.6-main\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Desktop\XWorm-5.6-main\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe

Filesize
490KB

MD5
9c9245810bad661af3d6efec543d34fd

SHA1
93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

SHA256
f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

SHA512
90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

Download Submit
memory/652-261-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/652-257-0x0000000000900000-0x000000000094B000-memory.dmp

Filesize
300KB

Download
memory/652-263-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/652-266-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/652-265-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/652-264-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/652-267-0x0000000000900000-0x000000000094B000-memory.dmp

Filesize
300KB

Download
memory/652-262-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/1228-297-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/1228-302-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/2368-280-0x0000025924600000-0x00000259247F4000-memory.dmp

Filesize
2.0MB

Download
memory/2368-278-0x00000259073E0000-0x00000259082C8000-memory.dmp

Filesize
14.9MB

Download
memory/3768-274-0x00000000011B0000-0x00000000011FB000-memory.dmp

Filesize
300KB

Download
memory/3768-269-0x00000000011B0000-0x00000000011FB000-memory.dmp

Filesize
300KB

Download
memory/3984-290-0x0000000000BA0000-0x0000000000BEB000-memory.dmp

Filesize
300KB

Download
memory/3984-295-0x0000000000BA0000-0x0000000000BEB000-memory.dmp

Filesize
300KB

Download
memory/4612-253-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4612-252-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4612-246-0x0000000000DD0000-0x0000000000E1B000-memory.dmp

Filesize
300KB

Download
memory/4612-254-0x0000000000DD0000-0x0000000000E1B000-memory.dmp

Filesize
300KB

Download
memory/4612-251-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4740-283-0x0000000000880000-0x00000000008CB000-memory.dmp

Filesize
300KB

Download
memory/4740-288-0x0000000000880000-0x00000000008CB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing