lumma | 05e54feabbbe39d4149b0c344b5578ae5b4310be5e6c2690f8935ece5ac8cbd3 | Triage

Sharing

General

Target

05e54feabbbe39d4149b0c344b5578ae5b4310be5e6c2690f8935ece5ac8cbd3
Size

1.8MB
Sample

250106-x919davqe1
MD5

a8db9e4cde35c2e306f1e88e92ee7297
SHA1

54e971e3d94a35e46331fd467db5560b3b2e3e1c
SHA256

05e54feabbbe39d4149b0c344b5578ae5b4310be5e6c2690f8935ece5ac8cbd3
SHA512

48a1cefdf1c2adf36c9dde7182443fe0a156ba685a3c700c5476c905683672b2ec60fa5ec31f43fa6d4a8c5b889abac375eae006d8f89390b28f529ba66db46f
SSDEEP

49152:hWeWnymNdrEs0Zl/yWPgDgXo3UzeUHNgpGwsDIYr:4By0rEFZlAYoKWssYr

Score

10^/10

lumma discovery evasion stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Extracted

Family

lumma

C2

https://fancywaxxers.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

Targets

- Target
  
  05e54feabbbe39d4149b0c344b5578ae5b4310be5e6c2690f8935ece5ac8cbd3
- Size
  
  1.8MB
- MD5
  
  a8db9e4cde35c2e306f1e88e92ee7297
- SHA1
  
  54e971e3d94a35e46331fd467db5560b3b2e3e1c
- SHA256
  
  05e54feabbbe39d4149b0c344b5578ae5b4310be5e6c2690f8935ece5ac8cbd3
- SHA512
  
  48a1cefdf1c2adf36c9dde7182443fe0a156ba685a3c700c5476c905683672b2ec60fa5ec31f43fa6d4a8c5b889abac375eae006d8f89390b28f529ba66db46f
- SSDEEP
  
  49152:hWeWnymNdrEs0Zl/yWPgDgXo3UzeUHNgpGwsDIYr:4By0rEFZlAYoKWssYr
Score

10^/10

lumma evasion stealer discovery
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lummaevasionstealer

behavioral2

lummadiscoveryevasionstealer