lumma | b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
Size

3.0MB
MD5

e25bdfa11c0733357c93685e6a227542
SHA1

bb9563d4aa82fc6ae7019940e4dce4395ad25e9c
SHA256

b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525
SHA512

368fb2850a777c0e1ae01775adf34e5a7bdc5eb92293922f83f429738f08b702e2436f71f79622c9c0fda23fbaaf5ef6d029aad2ba34fc66ed517a2eab2a8e29
SSDEEP

49152:8fU4UjMUHeSzwfwNZsmsccPSISMJjOifmYt/oslz3XMKbhcJIVvIaHS6yH1:8fUbVeS4wb4cD3MJjEYxomTbbFpRHE1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://stir-zing.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 3 IoCs

pid	Process
2556	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
2728	RttHlp.exe
1192	RttHlp.exe

Loads dropped DLL 10 IoCs

pid	Process
2308	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
2556	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
2556	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
2556	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
2728	RttHlp.exe
2728	RttHlp.exe
2728	RttHlp.exe
2728	RttHlp.exe
1192	RttHlp.exe
1192	RttHlp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1192 set thread context of 1808	1192	RttHlp.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2728	RttHlp.exe
1192	RttHlp.exe
1192	RttHlp.exe
1808	cmd.exe
1808	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1192	RttHlp.exe
1808	cmd.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2556	2308	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	30
PID 2308 wrote to memory of 2556	2308	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	30
PID 2308 wrote to memory of 2556	2308	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	30
PID 2308 wrote to memory of 2556	2308	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	30
PID 2308 wrote to memory of 2556	2308	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	30
PID 2308 wrote to memory of 2556	2308	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	30
PID 2308 wrote to memory of 2556	2308	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	30
PID 2556 wrote to memory of 2728	2556	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	32
PID 2556 wrote to memory of 2728	2556	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	32
PID 2556 wrote to memory of 2728	2556	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	32
PID 2556 wrote to memory of 2728	2556	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	32
PID 2728 wrote to memory of 1192	2728	RttHlp.exe	33
PID 2728 wrote to memory of 1192	2728	RttHlp.exe	33
PID 2728 wrote to memory of 1192	2728	RttHlp.exe	33
PID 2728 wrote to memory of 1192	2728	RttHlp.exe	33
PID 1192 wrote to memory of 1808	1192	RttHlp.exe	34
PID 1192 wrote to memory of 1808	1192	RttHlp.exe	34
PID 1192 wrote to memory of 1808	1192	RttHlp.exe	34
PID 1192 wrote to memory of 1808	1192	RttHlp.exe	34
PID 1192 wrote to memory of 1808	1192	RttHlp.exe	34
PID 1808 wrote to memory of 1332	1808	cmd.exe	36
PID 1808 wrote to memory of 1332	1808	cmd.exe	36
PID 1808 wrote to memory of 1332	1808	cmd.exe	36
PID 1808 wrote to memory of 1332	1808	cmd.exe	36
PID 1808 wrote to memory of 1332	1808	cmd.exe	36
PID 1808 wrote to memory of 1332	1808	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
"C:\Users\Admin\AppData\Local\Temp\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\Temp\{8162D1AA-4AB0-498A-8E46-D023600B02D9}\.cr\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
  "C:\Windows\Temp\{8162D1AA-4AB0-498A-8E46-D023600B02D9}\.cr\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\RttHlp.exe
    "C:\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\RttHlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Roaming\LTM_Archive_beta_5\RttHlp.exe
      C:\Users\Admin\AppData\Roaming\LTM_Archive_beta_5\RttHlp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ad694da

Filesize
992KB

MD5
68e6f382cb1b9bf6e5a409f07b6d1e9e

SHA1
194aff53034d33b9297c3a90a05e7aff22cb892f

SHA256
3ca9668af2e15f7550fc2579e41fa087dfb59992a49d8b840e1ebe4555b4dcbf

SHA512
27df1c359142fc4d59927deabc88c9670704521706e08ba306770e51cbc55fab65b9ced84af1cef1fb4d9ffe64eee4bfc0843f1393b980b757f4d38776e1d8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab25EA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar260C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\Register.dll

Filesize
1.0MB

MD5
40b9628354ef4e6ef3c87934575545f4

SHA1
8fb5da182dea64c842953bf72fc573a74adaa155

SHA256
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

SHA512
02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Download Submit
C:\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\pqqv

Filesize
59KB

MD5
5f391f57e6030266175a9c8cdb2658d1

SHA1
b2f784052b11391f89b2530482c53fa8b31cde86

SHA256
2432903fbba4b8a233a9f8f77ca55289f44a2bb3d74fd7bb23fde27a38ab69fd

SHA512
bc3f7eb760a98fd4fd25bd5d6c0c1e4da42560a4efbf05b1f86379d622baed88d2864003dd2417813060f97714a8b809f878138c58822a304810447726ccfa9f

Download Submit
C:\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\prxvo

Filesize
751KB

MD5
93750bf7b03ebf0bc462a308458656d3

SHA1
d5ddb99730ee960a16820c2869c482d4c1094079

SHA256
59418a7d2152581883d1921038bd997cdb7efc858dcef8ea01dcdca170b0ae61

SHA512
5f8dcabf3472722c3c87f7c9239947b07e290bb5859ef298f38281dbb97e6aea06c9ee62eb9c38c2ed9398d32f26cc518c6816882eac65586e03f4a14dc6f334

Download Submit
C:\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
\Windows\Temp\{8162D1AA-4AB0-498A-8E46-D023600B02D9}\.cr\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe

Filesize
2.9MB

MD5
da04d5ecf2c51129b644f8b3bf1b5787

SHA1
6bcc3055762df15502fc38d45138476e253faefb

SHA256
a2d6e2c349178cf4e71af7622833ab3c9e5f834d0c3520db0cdb1f4baa2c72f2

SHA512
4f7ff816c3c6813edcc83da4102152ede0a17a18158023f5fe592d551fd47cc9802d2540f3f009ab263ded6109f3e0d8149d38836de4762cf8c2df55f0d94e85

Download Submit
\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\Pierce.dll

Filesize
146KB

MD5
057d27475fe7999045ba63d5e34c3e8a

SHA1
d214f1a419070d77c91bb423a36b5c693d7d3712

SHA256
9b3ec3fe96bea0041c2183c0a83d56b251ba53aa67bfd9c42e6e495bcabb898a

SHA512
b07006f9b84510f25bd52595816796282bbd3738c9e1283b177a3f1adfe8cee18a8cafda6afcac9267127aef273a5aeb8b0b5d1bfe8ee23cecbaea7c21b0ab20

Download Submit
\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\RttHlp.exe

Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
\Windows\Temp\{A31CDC4C-3FAF-4D41-901C-2AD958AF70B3}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
bb952ab294a9da0b2661d868b2149e53

SHA1
533731634cfb7b2c43424cc505d3f7adc2e34281

SHA256
28551a4768d6ecb9a86ca947fea902d257543c41e8c8a7be76adb9f41a4dfa69

SHA512
5dd888feae808b451406e82017888db29539d30c1e1616ee22dc5510be65bc27d1fa7863ca0546817fc28b1cae41386c0d054bf56a8c1d3ef31b2986821f88a4

Download Submit
memory/1192-61-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1192-62-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1192-56-0x0000000074B30000-0x0000000074CA4000-memory.dmp

Filesize
1.5MB

Download
memory/1192-57-0x0000000077580000-0x0000000077729000-memory.dmp

Filesize
1.7MB

Download
memory/1192-58-0x0000000074B30000-0x0000000074CA4000-memory.dmp

Filesize
1.5MB

Download
memory/1332-112-0x0000000077580000-0x0000000077729000-memory.dmp

Filesize
1.7MB

Download
memory/1332-113-0x00000000000F0000-0x0000000000143000-memory.dmp

Filesize
332KB

Download
memory/1332-117-0x00000000000F0000-0x0000000000143000-memory.dmp

Filesize
332KB

Download
memory/1332-118-0x00000000000F0000-0x0000000000143000-memory.dmp

Filesize
332KB

Download
memory/1808-64-0x0000000077580000-0x0000000077729000-memory.dmp

Filesize
1.7MB

Download
memory/1808-110-0x0000000074B30000-0x0000000074CA4000-memory.dmp

Filesize
1.5MB

Download
memory/2728-47-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2728-48-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2728-46-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2728-31-0x0000000077580000-0x0000000077729000-memory.dmp

Filesize
1.7MB

Download
memory/2728-30-0x00000000746E0000-0x0000000074854000-memory.dmp

Filesize
1.5MB

Download