lumma | 48d5ec1851b92ae79d8bcf69c904b7eb5126c9bbf472333d2f269ec1430b373d | Triage

Sharing

General

Target

complete-this-to-continue.html
Size

4KB
Sample

250106-y9pq1swrfs
MD5

1e8806239ca150b6da46ae985edc2ce4
SHA1

a722167fe371437aa735718cf772d03ed4d7e225
SHA256

48d5ec1851b92ae79d8bcf69c904b7eb5126c9bbf472333d2f269ec1430b373d
SHA512

67ff81f52d1b32ffae93f1fb9d59778f47df8d109d0cc0c1793c0addfad72152c38f57bc3e6d72c2813ec6f52ecb9f7c15ede10c4216e8ff22271612664422d8
SSDEEP

96:SWHqSNEk6h39WgrQDBcTI5FkLofmfqMOSs:SWl2h39gD2lLofgFs

Score

10^/10

lumma discovery execution persistence privilege_escalation stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://simplerwebs.space/anrek.mp4

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://klipdiheqoe.shop/ruwkl.png

Extracted

Family

lumma

C2

https://grooveoiy.cyou/api

https://wholersorie.shop/api

https://noisycuttej.shop/api

Targets

- Target
  
  complete-this-to-continue.html
- Size
  
  4KB
- MD5
  
  1e8806239ca150b6da46ae985edc2ce4
- SHA1
  
  a722167fe371437aa735718cf772d03ed4d7e225
- SHA256
  
  48d5ec1851b92ae79d8bcf69c904b7eb5126c9bbf472333d2f269ec1430b373d
- SHA512
  
  67ff81f52d1b32ffae93f1fb9d59778f47df8d109d0cc0c1793c0addfad72152c38f57bc3e6d72c2813ec6f52ecb9f7c15ede10c4216e8ff22271612664422d8
- SSDEEP
  
  96:SWHqSNEk6h39WgrQDBcTI5FkLofmfqMOSs:SWl2h39gD2lLofgFs
Score

10^/10

lumma discovery execution persistence privilege_escalation stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Accessibility Features

Privilege Escalation

Event Triggered Execution

Accessibility Features

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lummadiscoveryexecutionpersistenceprivilege_escalationstealer