lumma | b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
Size

3.0MB
MD5

e25bdfa11c0733357c93685e6a227542
SHA1

bb9563d4aa82fc6ae7019940e4dce4395ad25e9c
SHA256

b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525
SHA512

368fb2850a777c0e1ae01775adf34e5a7bdc5eb92293922f83f429738f08b702e2436f71f79622c9c0fda23fbaaf5ef6d029aad2ba34fc66ed517a2eab2a8e29
SSDEEP

49152:8fU4UjMUHeSzwfwNZsmsccPSISMJjOifmYt/oslz3XMKbhcJIVvIaHS6yH1:8fUbVeS4wb4cD3MJjEYxomTbbFpRHE1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://stir-zing.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 3 IoCs

pid	Process
4020	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
1668	RttHlp.exe
2348	RttHlp.exe

Loads dropped DLL 7 IoCs

pid	Process
4020	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
1668	RttHlp.exe
1668	RttHlp.exe
1668	RttHlp.exe
2348	RttHlp.exe
2348	RttHlp.exe
2348	RttHlp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2348 set thread context of 1812	2348	RttHlp.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1668	RttHlp.exe
2348	RttHlp.exe
2348	RttHlp.exe
1812	cmd.exe
1812	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2348	RttHlp.exe
1812	cmd.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4020	4496	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	83
PID 4496 wrote to memory of 4020	4496	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	83
PID 4496 wrote to memory of 4020	4496	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	83
PID 4020 wrote to memory of 1668	4020	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	99
PID 4020 wrote to memory of 1668	4020	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	99
PID 4020 wrote to memory of 1668	4020	b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe	99
PID 1668 wrote to memory of 2348	1668	RttHlp.exe	101
PID 1668 wrote to memory of 2348	1668	RttHlp.exe	101
PID 1668 wrote to memory of 2348	1668	RttHlp.exe	101
PID 2348 wrote to memory of 1812	2348	RttHlp.exe	102
PID 2348 wrote to memory of 1812	2348	RttHlp.exe	102
PID 2348 wrote to memory of 1812	2348	RttHlp.exe	102
PID 2348 wrote to memory of 1812	2348	RttHlp.exe	102
PID 1812 wrote to memory of 5004	1812	cmd.exe	109
PID 1812 wrote to memory of 5004	1812	cmd.exe	109
PID 1812 wrote to memory of 5004	1812	cmd.exe	109
PID 1812 wrote to memory of 5004	1812	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
"C:\Users\Admin\AppData\Local\Temp\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\Temp\{861C6F83-486E-4E64-92B8-13E42D1906FB}\.cr\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe
  "C:\Windows\Temp\{861C6F83-486E-4E64-92B8-13E42D1906FB}\.cr\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe" -burn.filehandle.attached=556 -burn.filehandle.self=552
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\RttHlp.exe
    "C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\RttHlp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Roaming\LTM_Archive_beta_5\RttHlp.exe
      C:\Users\Admin\AppData\Roaming\LTM_Archive_beta_5\RttHlp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eb017e84

Filesize
992KB

MD5
dd802a6f9739838c5c7e0f1f38b49d91

SHA1
b06047dc21a4e14e68efa58f1ccbc37f5aadd711

SHA256
95787def5b83c94d4979b31429d34ce29337e0cfbebcf729213547762cfab47d

SHA512
9485ad2c3722eb1e1ccf9f22ba4660541a87da44ecce7db756794f8f9748f9a502f35d5041188a6a92a045439712a7925326592cd1a05088d714adce46ffc61c

Download Submit
C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\Pierce.dll

Filesize
146KB

MD5
057d27475fe7999045ba63d5e34c3e8a

SHA1
d214f1a419070d77c91bb423a36b5c693d7d3712

SHA256
9b3ec3fe96bea0041c2183c0a83d56b251ba53aa67bfd9c42e6e495bcabb898a

SHA512
b07006f9b84510f25bd52595816796282bbd3738c9e1283b177a3f1adfe8cee18a8cafda6afcac9267127aef273a5aeb8b0b5d1bfe8ee23cecbaea7c21b0ab20

Download Submit
C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\Register.dll

Filesize
1.0MB

MD5
40b9628354ef4e6ef3c87934575545f4

SHA1
8fb5da182dea64c842953bf72fc573a74adaa155

SHA256
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

SHA512
02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Download Submit
C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\RttHlp.exe

Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\pqqv

Filesize
59KB

MD5
5f391f57e6030266175a9c8cdb2658d1

SHA1
b2f784052b11391f89b2530482c53fa8b31cde86

SHA256
2432903fbba4b8a233a9f8f77ca55289f44a2bb3d74fd7bb23fde27a38ab69fd

SHA512
bc3f7eb760a98fd4fd25bd5d6c0c1e4da42560a4efbf05b1f86379d622baed88d2864003dd2417813060f97714a8b809f878138c58822a304810447726ccfa9f

Download Submit
C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\prxvo

Filesize
751KB

MD5
93750bf7b03ebf0bc462a308458656d3

SHA1
d5ddb99730ee960a16820c2869c482d4c1094079

SHA256
59418a7d2152581883d1921038bd997cdb7efc858dcef8ea01dcdca170b0ae61

SHA512
5f8dcabf3472722c3c87f7c9239947b07e290bb5859ef298f38281dbb97e6aea06c9ee62eb9c38c2ed9398d32f26cc518c6816882eac65586e03f4a14dc6f334

Download Submit
C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Windows\Temp\{1044AB5B-1BF9-4D2B-9C90-2BB4D9B8EC61}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
bb952ab294a9da0b2661d868b2149e53

SHA1
533731634cfb7b2c43424cc505d3f7adc2e34281

SHA256
28551a4768d6ecb9a86ca947fea902d257543c41e8c8a7be76adb9f41a4dfa69

SHA512
5dd888feae808b451406e82017888db29539d30c1e1616ee22dc5510be65bc27d1fa7863ca0546817fc28b1cae41386c0d054bf56a8c1d3ef31b2986821f88a4

Download Submit
C:\Windows\Temp\{861C6F83-486E-4E64-92B8-13E42D1906FB}\.cr\b50c9429015516339ca1948d490540a71053c6de085c12fbfd72dc8bde711525.exe

Filesize
2.9MB

MD5
da04d5ecf2c51129b644f8b3bf1b5787

SHA1
6bcc3055762df15502fc38d45138476e253faefb

SHA256
a2d6e2c349178cf4e71af7622833ab3c9e5f834d0c3520db0cdb1f4baa2c72f2

SHA512
4f7ff816c3c6813edcc83da4102152ede0a17a18158023f5fe592d551fd47cc9802d2540f3f009ab263ded6109f3e0d8149d38836de4762cf8c2df55f0d94e85

Download Submit
memory/1668-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1668-25-0x0000000073930000-0x0000000073AAB000-memory.dmp

Filesize
1.5MB

Download
memory/1668-38-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1668-37-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1668-26-0x00007FFCF3870000-0x00007FFCF3A65000-memory.dmp

Filesize
2.0MB

Download
memory/1812-57-0x0000000074CF0000-0x0000000074E6B000-memory.dmp

Filesize
1.5MB

Download
memory/1812-55-0x00007FFCF3870000-0x00007FFCF3A65000-memory.dmp

Filesize
2.0MB

Download
memory/2348-47-0x0000000074CF0000-0x0000000074E6B000-memory.dmp

Filesize
1.5MB

Download
memory/2348-52-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2348-49-0x0000000074CF0000-0x0000000074E6B000-memory.dmp

Filesize
1.5MB

Download
memory/2348-48-0x00007FFCF3870000-0x00007FFCF3A65000-memory.dmp

Filesize
2.0MB

Download
memory/5004-59-0x00007FFCF3870000-0x00007FFCF3A65000-memory.dmp

Filesize
2.0MB

Download
memory/5004-60-0x0000000000AD0000-0x0000000000B23000-memory.dmp

Filesize
332KB

Download
memory/5004-63-0x0000000000AD0000-0x0000000000B23000-memory.dmp

Filesize
332KB

Download