lumma | 34de42bdf2b9429c9069106b052533d3d8242336a9624a370be2b07d0557f9cc

General

Target

Epsilon (Epsilon).zip
Size

17.1MB
MD5

5e7e3fdab96e2e593c884b3d2f27d340
SHA1

8507f07bf0279ad43099a717d17f175704a94ff3
SHA256

34de42bdf2b9429c9069106b052533d3d8242336a9624a370be2b07d0557f9cc
SHA512

98195eef47a1eee3c3326695e8a3a7f59e582284bd1aacf35898a4197da86bc04d0448e37cb478df755e748dc32697cb791d2c18ce3ffec6d709580285e741b5
SSDEEP

196608:fkH6/dEdNCFWoOG0z1NYr1BIIUZc8Ovno3MP5M16JZ2g7gY6zExf6xtwkIZmBQcu:EdgWlZNYsImMx46J45EQU7ZwasJ3B3Dg

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

https://letterdrive.shop/api

Extracted

Family

lumma

C2

https://letterdrive.shop/api

https://soundtappysk.shop/api

https://femalsabler.shop/api

https://apporholis.shop/api

https://crowdwarek.shop/api

https://versersleep.shop/api

https://chipdonkeruz.shop/api

https://handscreamny.shop/api

https://robinsharez.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 4 IoCs

pid	Process
1608	Epsilon.exe
3200	Epsilon.exe
2152	Epsilon.exe
3632	Epsilon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 3632	1608	Epsilon.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4256	1608	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epsilon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epsilon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5072	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	5072	7zFM.exe
Token: 35	5072	7zFM.exe
Token: SeSecurityPrivilege	5072	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5072	7zFM.exe
5072	7zFM.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 3200	1608	Epsilon.exe	96
PID 1608 wrote to memory of 3200	1608	Epsilon.exe	96
PID 1608 wrote to memory of 3200	1608	Epsilon.exe	96
PID 1608 wrote to memory of 2152	1608	Epsilon.exe	97
PID 1608 wrote to memory of 2152	1608	Epsilon.exe	97
PID 1608 wrote to memory of 2152	1608	Epsilon.exe	97
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98
PID 1608 wrote to memory of 3632	1608	Epsilon.exe	98

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Epsilon (Epsilon).zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2168

C:\Users\Admin\Desktop\New folder\Epsilon.exe
"C:\Users\Admin\Desktop\New folder\Epsilon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\Desktop\New folder\Epsilon.exe
  "C:\Users\Admin\Desktop\New folder\Epsilon.exe"
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Users\Admin\Desktop\New folder\Epsilon.exe
  "C:\Users\Admin\Desktop\New folder\Epsilon.exe"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Users\Admin\Desktop\New folder\Epsilon.exe
  "C:\Users\Admin\Desktop\New folder\Epsilon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 792
  2⤵
  - Program crash
  PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1608 -ip 1608
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE0D308D87\bin\modificator\showfiltersgames.cfg

Filesize
19B

MD5
a88082a7664be4f56db07c5e5112d163

SHA1
2271f7061d8e3c3f7b5f4b25b8eb09b4f92b7657

SHA256
c5b3cf05ed6e2a79e8d7305b3af7ccb5ed02918ddc7624b330ed97f41e066f02

SHA512
f2be5ddf15d61348f71da98148f2f4739d0d7025db8c3e596d502d4e9dd8427adb776554607b31365202949ac6d39c87df82d8074f1f2b2adf4d053854adb5ed

Download Submit
C:\Users\Admin\Desktop\New folder\Epsilon.exe

Filesize
337KB

MD5
22007bd7f27b6705cf82d8c5cd5d6459

SHA1
8c66802d4586c5b5a909fe61f801a25141b99384

SHA256
243d8ca96e144167a037a3b57412fdee3cd1b6cb7bec93dedb3c12e783272d3e

SHA512
d2fd0a92a18489cb17871ea18201d8939da447c57ef28decb8dd90fe8b4dbfe344de84343d3073d41e88d91e17f81952685a6b3373c49838411e2d26a1175a4e

Download Submit
memory/1608-452-0x000000007527E000-0x000000007527F000-memory.dmp

Filesize
4KB

Download
memory/1608-453-0x0000000000E10000-0x0000000000E6A000-memory.dmp

Filesize
360KB

Download
memory/1608-454-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/1608-462-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/3632-458-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3632-461-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3632-463-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads