lumma | 9fcaaf99e6ee1f9aa296de5b3bd927a85d2d806a5fd335610f43842084ad7bce | Triage

Sharing

General

Target

9fcaaf99e6ee1f9aa296de5b3bd927a85d2d806a5fd335610f43842084ad7bce
Size

1.8MB
Sample

250104-dkpdqsxqgs
MD5

bdc71574241e60a51ac793c66ba34c3d
SHA1

c6ae9dbde6201fc4c11c3200222f88a8dc808cbb
SHA256

9fcaaf99e6ee1f9aa296de5b3bd927a85d2d806a5fd335610f43842084ad7bce
SHA512

2ddaee141e719df99fcbdd456840c2c1022340a00ddf71bbc73171c287b9267e8c0aa6321d0f9dcc1c4d254cbb20ab47a5feb2ef8411c72b177dca21a4122569
SSDEEP

49152:1clfp7k+DTrVD6gBOjQ9qVjFMlM2s/kDZizU0yJeAHB3r:M7kkrVD6Zwq92sEZiI

Score

10^/10

lumma discovery evasion stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Extracted

Family

lumma

C2

https://fancywaxxers.shop/api

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Targets

- Target
  
  9fcaaf99e6ee1f9aa296de5b3bd927a85d2d806a5fd335610f43842084ad7bce
- Size
  
  1.8MB
- MD5
  
  bdc71574241e60a51ac793c66ba34c3d
- SHA1
  
  c6ae9dbde6201fc4c11c3200222f88a8dc808cbb
- SHA256
  
  9fcaaf99e6ee1f9aa296de5b3bd927a85d2d806a5fd335610f43842084ad7bce
- SHA512
  
  2ddaee141e719df99fcbdd456840c2c1022340a00ddf71bbc73171c287b9267e8c0aa6321d0f9dcc1c4d254cbb20ab47a5feb2ef8411c72b177dca21a4122569
- SSDEEP
  
  49152:1clfp7k+DTrVD6gBOjQ9qVjFMlM2s/kDZizU0yJeAHB3r:M7kkrVD6Zwq92sEZiI
Score

10^/10

lumma discovery evasion stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lummadiscoveryevasionstealer

behavioral2

lummadiscoveryevasionstealer