lumma | 20b27b89797acc64cf602900667eecf81148a77938af21f6c0c10fcf96527e61

General

Target

AdobeSync.exe
Size

1.2MB
MD5

f778e9136ab0db9de9802a7043de50a7
SHA1

850dca074534a14fdb9ada6afaceea88558764e0
SHA256

90803a583e9f693de5e7b8a196832436f6f648b27fb82e55904c256f30cc8b3a
SHA512

cd6c5c3537f05ad5826d503e38b8e6ef2eaf668616bec15ba51ad3d81e0337a72779d7ca6af9e8ebee12d713891b30c0b73bf34718552bc9f4e7d8909b998156
SSDEEP

24576:+heavSigvk0vhkzswHD4/V3OQdnYKYc4wXUyuy1:qP710vezrj4dJYFYUyuy1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2508	AdobeSync.exe

Loads dropped DLL 3 IoCs

pid	Process
2508	AdobeSync.exe
2508	AdobeSync.exe
2508	AdobeSync.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 3816	2508	AdobeSync.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4528	AdobeSync.exe
2508	AdobeSync.exe
2508	AdobeSync.exe
3816	cmd.exe
3816	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2508	AdobeSync.exe
3816	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2508	4528	AdobeSync.exe	83
PID 4528 wrote to memory of 2508	4528	AdobeSync.exe	83
PID 4528 wrote to memory of 2508	4528	AdobeSync.exe	83
PID 2508 wrote to memory of 3816	2508	AdobeSync.exe	84
PID 2508 wrote to memory of 3816	2508	AdobeSync.exe	84
PID 2508 wrote to memory of 3816	2508	AdobeSync.exe	84
PID 2508 wrote to memory of 3816	2508	AdobeSync.exe	84
PID 3816 wrote to memory of 3208	3816	cmd.exe	99
PID 3816 wrote to memory of 3208	3816	cmd.exe	99
PID 3816 wrote to memory of 3208	3816	cmd.exe	99
PID 3816 wrote to memory of 3208	3816	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\AdobeSync.exe
"C:\Users\Admin\AppData\Local\Temp\AdobeSync.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Roaming\ultraadvanced\AdobeSync.exe
  C:\Users\Admin\AppData\Roaming\ultraadvanced\AdobeSync.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fa054140

Filesize
1023KB

MD5
1115ad7dd428cea5beec669e986bf22a

SHA1
eedd7b2620661551be7f9ad82872601faac983c1

SHA256
9161083a2bb5cbf2e517eea9dabce9fe20517721512ca97cead1f5cf1ec67374

SHA512
6d15e53d2e7c38c1bc1509961dae20dc940d507533bcdf5999a9c8e325ced142f9b938a1f30442091c63b2ac17a62e71f51cee2d492d2b09e64b0ad15fd240aa

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\AXE8SharedExpat.dll

Filesize
165KB

MD5
c8c0cd5ae41f0ca14b008d1d367fc438

SHA1
ea249f15b6cb7bd34c2b164a9a7de9d53faae579

SHA256
85a6260a81c8fbc3897ae84199b0c19ad52c1aa20eccd16bc1bff87ab4232f0e

SHA512
e3b4c2727a013a9e546926db9c8719fff02c99c5e37aabaf2d5e781e0c413e4ec5373518d5222b27a9d40055a09126ccd14188ad8eea57825197b794db974862

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\AdobeSync.exe

Filesize
1.2MB

MD5
f778e9136ab0db9de9802a7043de50a7

SHA1
850dca074534a14fdb9ada6afaceea88558764e0

SHA256
90803a583e9f693de5e7b8a196832436f6f648b27fb82e55904c256f30cc8b3a

SHA512
cd6c5c3537f05ad5826d503e38b8e6ef2eaf668616bec15ba51ad3d81e0337a72779d7ca6af9e8ebee12d713891b30c0b73bf34718552bc9f4e7d8909b998156

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\BIB.dll

Filesize
107KB

MD5
759d71fc9442ab5a9b5749c0f6c0c263

SHA1
07a68c6922d443eb9d6d445da18ae8a6d92f7ac6

SHA256
109647f58e7e8386a4c025f2c8175a4d638e5c0e62768953390764010ea22a2e

SHA512
e3efe66c76ea81285ba01b1978fdb3e807eb0bf2cfe0373bb6fef06f2fd7d9ddc3269acf0d87517cbf9bea5fa09b2703a03792491dc8265d26b724d7dca106c7

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\austral.wav

Filesize
783KB

MD5
d577f2aec0dfaa1614db20ee110da000

SHA1
131b1bf456b399140cfaa14e3bc3eafc1628cd02

SHA256
8d21a1b5060fb8e601037bcfcee715cfae3dfb8412c2aa063bb0dff31f6ec427

SHA512
837a6a456d7be965e85ef09181da2d912759769861d29ceb04974050b3caf5cbfce595747a7fc417c12f481791cce1260cf9e62b6fc3a623be0a893a42052d6f

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\delft.mov

Filesize
26KB

MD5
4983038214bad6dc024c52b6b38e1b25

SHA1
a341ca52d4f57576380267de939e2c86e8673ab5

SHA256
848300f74e3fac2a68ff57dd804c83aa017c89b74e66145614d597dd56aadddd

SHA512
eeffda90fbd44d9f4407233d9881a55bbd6e8debecacff38c740b75c74bc588de0d3322fcf0d43d445ea79ab802348efb81a669beb77cd78da4f792ac2d5a62a

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\sqlite.dll

Filesize
243KB

MD5
596439b3a9f9ea44ff28e2974f69ab07

SHA1
a2074cd3d39045902f82a072455420ab7101a036

SHA256
8cc91d57d45b46b3439eaa017bf1deb8e177f15245ba6f18ebcf2bd0a173a4f3

SHA512
1de8d41fec0844999b88c0cb738aac71c0ae895a51e91f6465afaa864537e692e4576e6699b4976e62aa2c38ef9125d9aaf09a72acaa068a0c2b05d413af858a

Download Submit
memory/2508-23-0x0000000074F73000-0x0000000074F75000-memory.dmp

Filesize
8KB

Download
memory/2508-21-0x0000000074F60000-0x00000000750DB000-memory.dmp

Filesize
1.5MB

Download
memory/2508-22-0x00007FFE1F5D0000-0x00007FFE1F7C5000-memory.dmp

Filesize
2.0MB

Download
memory/2508-24-0x0000000074F60000-0x00000000750DB000-memory.dmp

Filesize
1.5MB

Download
memory/2508-25-0x0000000074F60000-0x00000000750DB000-memory.dmp

Filesize
1.5MB

Download
memory/3208-38-0x0000000000390000-0x00000000003E9000-memory.dmp

Filesize
356KB

Download
memory/3208-35-0x0000000000390000-0x00000000003E9000-memory.dmp

Filesize
356KB

Download
memory/3208-34-0x00007FFE1F5D0000-0x00007FFE1F7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3816-31-0x0000000074F60000-0x00000000750DB000-memory.dmp

Filesize
1.5MB

Download
memory/3816-30-0x0000000074F60000-0x00000000750DB000-memory.dmp

Filesize
1.5MB

Download
memory/3816-29-0x00007FFE1F5D0000-0x00007FFE1F7C5000-memory.dmp

Filesize
2.0MB

Download
memory/3816-33-0x0000000074F60000-0x00000000750DB000-memory.dmp

Filesize
1.5MB

Download
memory/3816-27-0x0000000074F60000-0x00000000750DB000-memory.dmp

Filesize
1.5MB

Download
memory/4528-1-0x00007FFE1F5D0000-0x00007FFE1F7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4528-0-0x0000000074F60000-0x00000000750DB000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing