lumma | 52d8ad7e3af648b152b1f389c09e476c9fc1c6d919205a3b761ea45494f9707f

Analysis

max time kernel
56s
max time network
62s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-01-2025 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

App v1.9 loader.rar
Size

114.3MB
MD5

99307f63c41c423a36d45cfda5d5b7be
SHA1

aad3b4249e78f4f7290d653e9ed43e4b9429f2cb
SHA256

52d8ad7e3af648b152b1f389c09e476c9fc1c6d919205a3b761ea45494f9707f
SHA512

5dacba32dd0340fdbe41bc63e59138195a2ba3d1a03f15c099d3c2253d06f7c07d0192e138622d4a0d1436dc1fc5587ac5b63b3c299e033b4a3db361553dad2f
SSDEEP

3145728:LYAf8wsnMaUjhgfGTuK4G63nxnhMaOT7EyjWDWAkRI33nWN87/:L9DqGy3/3nphLOBKWAoW7/

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

https://letterdrive.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 5 IoCs

pid	Process
4084	app v1.9 loader.exe
3732	app v1.9 loader.exe
4464	app v1.9 loader.exe
1528	app v1.9 loader.exe
4668	app v1.9 loader.exe

Loads dropped DLL 5 IoCs

pid	Process
4084	app v1.9 loader.exe
3732	app v1.9 loader.exe
4464	app v1.9 loader.exe
1528	app v1.9 loader.exe
4668	app v1.9 loader.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4084 set thread context of 1504	4084	app v1.9 loader.exe	95
PID 3732 set thread context of 2200	3732	app v1.9 loader.exe	98
PID 4464 set thread context of 976	4464	app v1.9 loader.exe	102
PID 1528 set thread context of 3184	1528	app v1.9 loader.exe	107
PID 4668 set thread context of 2708	4668	app v1.9 loader.exe	110

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app v1.9 loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app v1.9 loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app v1.9 loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app v1.9 loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app v1.9 loader.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1112	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2956	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2956	7zFM.exe
Token: 35	2956	7zFM.exe
Token: SeSecurityPrivilege	2956	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2956	7zFM.exe
2956	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 4084 wrote to memory of 1504	4084	app v1.9 loader.exe	95
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 3732 wrote to memory of 2200	3732	app v1.9 loader.exe	98
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 4464 wrote to memory of 976	4464	app v1.9 loader.exe	102
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 1528 wrote to memory of 3184	1528	app v1.9 loader.exe	107
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110
PID 4668 wrote to memory of 2708	4668	app v1.9 loader.exe	110

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\App v1.9 loader.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2956

C:\Users\Admin\Desktop\app v1.9 loader.exe
"C:\Users\Admin\Desktop\app v1.9 loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1504

C:\Users\Admin\Desktop\app v1.9 loader.exe
"C:\Users\Admin\Desktop\app v1.9 loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200

C:\Users\Admin\Desktop\app v1.9 loader.exe
"C:\Users\Admin\Desktop\app v1.9 loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:976

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3660

C:\Users\Admin\Desktop\app v1.9 loader.exe
"C:\Users\Admin\Desktop\app v1.9 loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3184

C:\Users\Admin\Desktop\app v1.9 loader.exe
"C:\Users\Admin\Desktop\app v1.9 loader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\app v1.9 loader.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC8BDE7D7\x64\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
460KB

MD5
003840b1825f92bf6fdf4c4483eb9f6e

SHA1
84c40f1dc81520c316b64e8cbd8d86d1f58ace58

SHA256
7a7a0977bdc09696f40a083f10f705487053c07db3546657ffc966a0fe5613a3

SHA512
9ecf2621e6bc4a3f056c5e454af0bf436a2b0db8d69e644469dcdc259082f91419fb04d42689e777e3a7fb4398ee58a5e24cce2ae093fef6fbb3ba0237e265eb

Download Submit
C:\Users\Admin\Desktop\ReadMe.txt

Filesize
238B

MD5
74133194d36f34e3420b720225df4cb2

SHA1
c86d448a9233cbb8fcaf55380c4005e13f03e914

SHA256
c6270012e406d50641e4bcddfb45b56ab639d2142e6d76d0c84139028b68169d

SHA512
e86cc52fce0b24e27bb301eed8dc9efb50b94d487439bdc9482a8d986a4a52e42b7c3a5c12d0fb2f32a6ac16a91242f42f3a6fc59b5d6479bc60f466fc675694

Download Submit
C:\Users\Admin\Desktop\app v1.9 loader.exe

Filesize
519KB

MD5
9564ca08ac251244fe67f54662ef372b

SHA1
846f769ea9f793bcb370bf1ee6d526aa4d57fc65

SHA256
0c6615f5105eccafdb84cd900b5155e5107a92aad8ea0d638dc69ce6d33a571a

SHA512
f03370579177ad387e55c4263dde68c9480505569fc3d3b06cf6f20e3688cf95bf2fb5a3ca3e48f5227865740dfd481a12215fd75231d7d01dea70aaa79036ea

Download Submit
memory/976-521-0x00000000009C0000-0x0000000000A2A000-memory.dmp

Filesize
424KB

Download
memory/976-522-0x00000000009C0000-0x0000000000A2A000-memory.dmp

Filesize
424KB

Download
memory/976-525-0x00000000009C0000-0x0000000000A2A000-memory.dmp

Filesize
424KB

Download
memory/1504-495-0x0000000000F00000-0x0000000000F5A000-memory.dmp

Filesize
360KB

Download
memory/1504-491-0x0000000000F00000-0x0000000000F5A000-memory.dmp

Filesize
360KB

Download
memory/1504-499-0x0000000000F00000-0x0000000000F5A000-memory.dmp

Filesize
360KB

Download
memory/2200-513-0x00000000003A0000-0x0000000000409000-memory.dmp

Filesize
420KB

Download
memory/2200-509-0x00000000003A0000-0x0000000000409000-memory.dmp

Filesize
420KB

Download
memory/2200-510-0x00000000003A0000-0x0000000000409000-memory.dmp

Filesize
420KB

Download
memory/2708-550-0x0000000000B60000-0x0000000000BC9000-memory.dmp

Filesize
420KB

Download
memory/2708-547-0x0000000000B60000-0x0000000000BC9000-memory.dmp

Filesize
420KB

Download
memory/3184-535-0x0000000001370000-0x00000000013D9000-memory.dmp

Filesize
420KB

Download
memory/3184-538-0x0000000001370000-0x00000000013D9000-memory.dmp

Filesize
420KB

Download
memory/4084-482-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/4084-483-0x0000000000970000-0x00000000009F8000-memory.dmp

Filesize
544KB

Download
memory/4084-490-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download
memory/4084-500-0x0000000074890000-0x0000000075041000-memory.dmp

Filesize
7.7MB

Download