lumma | 1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95

General

Target

1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe
Size

743KB
MD5

7177b0ba961ddd258ee9672d436d6b63
SHA1

cdb7aef7f7a05430d323c00d43fe98af4680fa28
SHA256

1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95
SHA512

df1b07f5d4ff53afc4547fb371af1393bafce2eec0cc96ab0ceeaeb4500a3e771f4d1b9c7936b86f38241abfdfb53c9cf2fff22d3a0e7006015f50c165c59078
SSDEEP

12288:RoA2sfoKrzzpKnToLX5y8anwFgBGOXtoTmDr1aVupsZTDfCc71FT/mI69puLam6q:n2sg0z2ToE8+Q8tpDr10fCETZ6

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Loads dropped DLL 1 IoCs

pid	Process
4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4420 set thread context of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4740	4420	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84
PID 4420 wrote to memory of 4936	4420	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe	84

C:\Users\Admin\AppData\Local\Temp\1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe
"C:\Users\Admin\AppData\Local\Temp\1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1028
  2⤵
  - Program crash
  PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4420 -ip 4420
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
431KB

MD5
64c287959ff0dbd10db81bded030a3a1

SHA1
acf88011455fc98d0de186520b4ddde5d1cf5f75

SHA256
673e0efee492a6a82afcce12545c4a2d46a1e9e827c33b7a1e9f0a904656a458

SHA512
d7ca03f8032e7c9d5882ead046c33388d5ebba5923abd95c3c535945ba4aa8a1fe6e47d116dd9376c6717a36bff5ac0d0dcfc599526a5fc89d81c3fd3b0517c2

Download Submit
memory/4420-0-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/4420-1-0x0000000000F50000-0x0000000001012000-memory.dmp

Filesize
776KB

Download
memory/4420-2-0x00000000033F0000-0x00000000033F6000-memory.dmp

Filesize
24KB

Download
memory/4420-9-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-18-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-19-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-14-0x00000000011A0000-0x0000000001205000-memory.dmp

Filesize
404KB

Download
memory/4936-17-0x00000000011A0000-0x0000000001205000-memory.dmp

Filesize
404KB

Download
memory/4936-10-0x00000000011A0000-0x0000000001205000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads