lumma | 539f0617a85a7a0773cf9e36d803c1a8ddf5c69dc003c80c1f3afac147b47554

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

646KB
MD5

2ec18b257662dd107ae84263ecd2e5c1
SHA1

ce2efa8394c35b8da16428b10ece4a856c53dd1f
SHA256

539f0617a85a7a0773cf9e36d803c1a8ddf5c69dc003c80c1f3afac147b47554
SHA512

6cf6f83dbaca7f218f6add89de942bc6a8d83fef9ccbbb3f3ef3c03bba4233a25b18f1bc392da27b37b88bb649fecc7c05ed28a9dcf849de957103f03fa63342
SSDEEP

12288:xI6tpbrZqB16QBXv9trocVyiBFAMyhZVUEz4Pjt/ax7OA2:xIMH6JjocVy+yhZVUEz4PAx7O

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

https://ingreem-eilish.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Loads dropped DLL 1 IoCs

pid	Process
3552	Loader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3552 set thread context of 1140	3552	Loader.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84
PID 3552 wrote to memory of 1140	3552	Loader.exe	84

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
635KB

MD5
037bf337c4de4bc965e3200beb1a5be8

SHA1
317dc2ffca68cf71652cffe75d9d2a341a09cda8

SHA256
29c961ee9f77637c881d9193c6499a84b1320372f3edc9b8337ab03fb8b8f589

SHA512
10767a9b988843d5ed27c6509ce8801a2a604c5298cd602b4d26e1ab0957e837e1531f60dc37b3ec1de7ee0a1378e2250d3d737e58926f4d4b0e7cd1fb8275d9

Download Submit
memory/1140-8-0x00000000747E0000-0x000000007483F000-memory.dmp

Filesize
380KB

Download
memory/1140-16-0x00000000747E0000-0x000000007483F000-memory.dmp

Filesize
380KB

Download
memory/1140-12-0x00000000747E0000-0x000000007483F000-memory.dmp

Filesize
380KB

Download
memory/3552-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/3552-1-0x0000000000F20000-0x0000000000FC8000-memory.dmp

Filesize
672KB

Download
memory/3552-17-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/3552-18-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download