lumma | b7289bbe3d9c335f4ebc009ea8939500f80ff1f74fa85f3e42204fe70d4ceee5

General

Target

BoostrappersReleese[3.4].zip
Size

55.3MB
MD5

37cd755beee8ecd09aab5946f5ad8b37
SHA1

4266d2aa62ab9c9cb2e1ca5b04141ed1422a7d99
SHA256

b7289bbe3d9c335f4ebc009ea8939500f80ff1f74fa85f3e42204fe70d4ceee5
SHA512

f889ed18ff8c0783ce1c74af9ea09852d6a48f09564b6cfa3e5105520391b9ce748cc43693e1dc0e7020d08331471b86056bd53c38d2bc90d4383bb230996b53
SSDEEP

786432:pyof+XchgJ/K0QDCO5dOFold5sG/Rnf8ZnpxcMuh7ThcrKxm6mYk5DhOUW1dKleV:AoqOgtYtLpNinrcf7erKx9H1Z4HMyvw

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://scaredsensa.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 4 IoCs

pid	Process
2456	Solara-Set-upX.exe
2912	Solara-Set-upX.exe
2924	Solara-Set-upX.exe
2636	Solara-Set-upX.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara-Set-upX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara-Set-upX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara-Set-upX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara-Set-upX.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2372	7zFM.exe
Token: 35	2372	7zFM.exe
Token: SeSecurityPrivilege	2372	7zFM.exe
Token: SeSecurityPrivilege	2372	7zFM.exe
Token: SeSecurityPrivilege	2372	7zFM.exe
Token: SeSecurityPrivilege	2372	7zFM.exe
Token: SeSecurityPrivilege	2372	7zFM.exe
Token: SeSecurityPrivilege	2372	7zFM.exe
Token: SeSecurityPrivilege	2372	7zFM.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2372	7zFM.exe
2372	7zFM.exe
2372	7zFM.exe
2372	7zFM.exe
2372	7zFM.exe
2372	7zFM.exe
2372	7zFM.exe
2372	7zFM.exe
2372	7zFM.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2456	2372	7zFM.exe	31
PID 2372 wrote to memory of 2456	2372	7zFM.exe	31
PID 2372 wrote to memory of 2456	2372	7zFM.exe	31
PID 2372 wrote to memory of 2456	2372	7zFM.exe	31
PID 2372 wrote to memory of 2912	2372	7zFM.exe	33
PID 2372 wrote to memory of 2912	2372	7zFM.exe	33
PID 2372 wrote to memory of 2912	2372	7zFM.exe	33
PID 2372 wrote to memory of 2912	2372	7zFM.exe	33
PID 2372 wrote to memory of 2924	2372	7zFM.exe	35
PID 2372 wrote to memory of 2924	2372	7zFM.exe	35
PID 2372 wrote to memory of 2924	2372	7zFM.exe	35
PID 2372 wrote to memory of 2924	2372	7zFM.exe	35
PID 2372 wrote to memory of 2636	2372	7zFM.exe	37
PID 2372 wrote to memory of 2636	2372	7zFM.exe	37
PID 2372 wrote to memory of 2636	2372	7zFM.exe	37
PID 2372 wrote to memory of 2636	2372	7zFM.exe	37
PID 2372 wrote to memory of 1476	2372	7zFM.exe	39
PID 2372 wrote to memory of 1476	2372	7zFM.exe	39
PID 2372 wrote to memory of 1476	2372	7zFM.exe	39
PID 2372 wrote to memory of 1476	2372	7zFM.exe	39

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BoostrappersReleese[3.4].zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\7zO449AA527\Solara-Set-upX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO449AA527\Solara-Set-upX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\7zO44906917\Solara-Set-upX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44906917\Solara-Set-upX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\7zO44909017\Solara-Set-upX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44909017\Solara-Set-upX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\7zO44954617\Solara-Set-upX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44954617\Solara-Set-upX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\7zO449A7A67\Solara-Set-upX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO449A7A67\Solara-Set-upX.exe"
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\7zO44906E67\Solara-Set-upX.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44906E67\Solara-Set-upX.exe"
  2⤵
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO44906E67\Solara-Set-upX.exe

Filesize
896KB

MD5
48a6798df54f3d4d20a7fb76c6633eed

SHA1
ae1866a3e79a7799342f7fa89e4894fe8620a8be

SHA256
c654ed550b97f4fb3673fb7a695ebd71bdbfe033e0ad283a0aaba44e60298b33

SHA512
e19975c8172b841ce713cb7603157c3fd4af2074e8b41bf78b7707752815253b4c5bc7dccf5f3f4730736db44fa3c793a2f64b7cb976328811f560de373e6f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44909017\Solara-Set-upX.exe

Filesize
2.1MB

MD5
becc66f1be93faeeb9c79e1b4639f709

SHA1
5d184d55898428c5454c0327dbd2c8e16ce04eca

SHA256
88f0c20145711e3ca13f2c154c756a2e996b23504feade19aa2037929e8217a3

SHA512
f68ea39fdac52bdf84b953ef985140a38f15029821309912e1da40cc806e5783221753406f2067cd57e8ac29abdb826a9b27f4a9521ed8889dcb19ca99486c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44954617\Solara-Set-upX.exe

Filesize
2.0MB

MD5
7be9026feb69307d367b8f456165b146

SHA1
b33dc932c397adcdc39d0f144b1187174e79c280

SHA256
c6c83c4b61c1448dc8fe502874283313efc445fa9128fb723964429b3a3fb83e

SHA512
a6f231de9addcda36f8d791a02cb5622f6fc6f9e83c3696b630362aca66bec109598ee5d2d875f1b03f3ebf982a2c44e9abceeae92b1f1c2b537018bb9e7716d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO449A7A67\Solara-Set-upX.exe

Filesize
1.4MB

MD5
96b8e66a2c20c772120ccd7491a5fe9c

SHA1
b26320202b9b354a28d36465dc801afc3a117ce2

SHA256
b4fd60b2aa6bbc86c5a8f10390ccd228d462ef325e014c15a5c7c16495fd8261

SHA512
08c2104115b944f9730aac82e62d0b45e216a5ad4477d2d97dc5c85bfc8d39a1f5c0adc91ac30cdaa82086a1417e4e301e5bf48b5faa86b51d3a66405f0df063

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO449AA527\Solara-Set-upX.exe

Filesize
4.2MB

MD5
04602651f127a19f43bfcad57514d552

SHA1
2c8a0b841bdab3b5c77794a2bad2be1e08d29d86

SHA256
a6e4e665ebfe59d7bf884c1750bcdd8cddb77fb537e9d1018efe28abf8945d53

SHA512
ddca046391d6318e80b7fdfe335cbbf26ed53ba6f8e2b632aefba1fc34385790fff0a6ac52406fffa7d0a7ab20e25ba1833956a826ff03851b6c80467852db9b

Download Submit
memory/2456-40-0x0000000002440000-0x0000000002503000-memory.dmp

Filesize
780KB

Download
memory/2456-39-0x0000000000890000-0x00000000008E7000-memory.dmp

Filesize
348KB

Download
memory/2456-38-0x0000000000890000-0x00000000008E7000-memory.dmp

Filesize
348KB

Download
memory/2456-37-0x0000000000890000-0x00000000008E7000-memory.dmp

Filesize
348KB

Download
memory/2456-36-0x0000000000890000-0x00000000008E7000-memory.dmp

Filesize
348KB

Download
memory/2456-35-0x0000000000890000-0x00000000008E7000-memory.dmp

Filesize
348KB

Download
memory/2456-12-0x0000000002440000-0x0000000002503000-memory.dmp

Filesize
780KB

Download
memory/2456-13-0x0000000002440000-0x0000000002503000-memory.dmp

Filesize
780KB

Download
memory/2456-11-0x0000000002150000-0x0000000002213000-memory.dmp

Filesize
780KB

Download
memory/2456-85-0x00000000001D0000-0x00000000005FD000-memory.dmp

Filesize
4.2MB

Download
memory/2636-92-0x0000000002550000-0x0000000002613000-memory.dmp

Filesize
780KB

Download
memory/2912-56-0x0000000002460000-0x0000000002523000-memory.dmp

Filesize
780KB

Download
memory/2912-58-0x0000000000900000-0x0000000000957000-memory.dmp

Filesize
348KB

Download
memory/2912-57-0x0000000000900000-0x0000000000957000-memory.dmp

Filesize
348KB

Download
memory/2912-59-0x0000000000900000-0x0000000000957000-memory.dmp

Filesize
348KB

Download
memory/2912-60-0x0000000000900000-0x0000000000957000-memory.dmp

Filesize
348KB

Download
memory/2912-61-0x0000000000900000-0x0000000000957000-memory.dmp

Filesize
348KB

Download
memory/2912-62-0x0000000002460000-0x0000000002523000-memory.dmp

Filesize
780KB

Download
memory/2924-89-0x0000000000D20000-0x0000000000DE3000-memory.dmp

Filesize
780KB

Download

Resubmissions

Analysis

Sharing