lumma | 00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447

Analysis

max time kernel
94s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe
Size

70.0MB
MD5

062791084ec4605d7bbacf1105f5b885
SHA1

dc68b7eb995dc6462016e18c90fb5ecb2311e290
SHA256

00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447
SHA512

a5ecbe3995ed230fc92ecb9e0566a36bd7c7ee26e160952b94c694ec6cedb4359366aee0e9fa4c404f05f4c64b70fa6bff0578f24f77f1501d5ae4af4c1a0a67
SSDEEP

24576:PcdAO+ciGEFSv5osh93ZkB0CMBR3EkuKrpXSsfN1htUIyDcOc7O7g:kMGNhBWK5BR3EkZNp1yDcx

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://preside-comforter.sbs/api

https://savvy-steereo.sbs/api

https://copper-replace.sbs/api

https://record-envyp.sbs/api

https://slam-whipp.sbs/api

https://wrench-creter.sbs/api

https://looky-marked.sbs/api

https://plastic-mitten.sbs/api

https://lumharmonyfields.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe

Executes dropped EXE 1 IoCs

pid	Process
4572	Confusion.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3332	tasklist.exe
2164	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GraduatedCredit	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe
File opened for modification	C:\Windows\MaterialsFunny	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe
File opened for modification	C:\Windows\EconomyFinances	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe
File opened for modification	C:\Windows\DevelopmentsGraham	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confusion.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4572	Confusion.com
4572	Confusion.com
4572	Confusion.com
4572	Confusion.com
4572	Confusion.com
4572	Confusion.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4572	Confusion.com
4572	Confusion.com
4572	Confusion.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4572	Confusion.com
4572	Confusion.com
4572	Confusion.com

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2332	3744	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe	82
PID 3744 wrote to memory of 2332	3744	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe	82
PID 3744 wrote to memory of 2332	3744	00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe	82
PID 2332 wrote to memory of 3332	2332	cmd.exe	84
PID 2332 wrote to memory of 3332	2332	cmd.exe	84
PID 2332 wrote to memory of 3332	2332	cmd.exe	84
PID 2332 wrote to memory of 2144	2332	cmd.exe	85
PID 2332 wrote to memory of 2144	2332	cmd.exe	85
PID 2332 wrote to memory of 2144	2332	cmd.exe	85
PID 2332 wrote to memory of 2164	2332	cmd.exe	87
PID 2332 wrote to memory of 2164	2332	cmd.exe	87
PID 2332 wrote to memory of 2164	2332	cmd.exe	87
PID 2332 wrote to memory of 924	2332	cmd.exe	88
PID 2332 wrote to memory of 924	2332	cmd.exe	88
PID 2332 wrote to memory of 924	2332	cmd.exe	88
PID 2332 wrote to memory of 5068	2332	cmd.exe	91
PID 2332 wrote to memory of 5068	2332	cmd.exe	91
PID 2332 wrote to memory of 5068	2332	cmd.exe	91
PID 2332 wrote to memory of 4036	2332	cmd.exe	92
PID 2332 wrote to memory of 4036	2332	cmd.exe	92
PID 2332 wrote to memory of 4036	2332	cmd.exe	92
PID 2332 wrote to memory of 4572	2332	cmd.exe	93
PID 2332 wrote to memory of 4572	2332	cmd.exe	93
PID 2332 wrote to memory of 4572	2332	cmd.exe	93
PID 2332 wrote to memory of 956	2332	cmd.exe	94
PID 2332 wrote to memory of 956	2332	cmd.exe	94
PID 2332 wrote to memory of 956	2332	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe
"C:\Users\Admin\AppData\Local\Temp\00b9d1d9fdecf5c56035cd90461a9a3a93d74b588d203253b2698c64eddcb447.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Gst Gst.cmd && Gst.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 366694
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Hardcover + ..\Palestine + ..\Marked + ..\Chargers + ..\Important + ..\Bloomberg d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
- - C:\Users\Admin\AppData\Local\Temp\366694\Confusion.com
    Confusion.com d
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4572
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\366694\Confusion.com

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\366694\d

Filesize
495KB

MD5
967367e7bc3abdd43001ac80771bbc69

SHA1
4c85bc55a4c97a836d8ec3fa938418c76a908ab5

SHA256
06c48947250eba20b9911955fb38d53d5983109a6bf9e03da13c313c08ebbc1c

SHA512
108c9f54d3e1eda3bde8c4e9473b95202760b370ef61b8f09f1412ff2312df9bcb6f0cbd20ff2b3687c4dbc1c7853a872c856856eb947a17d20abbba9a7287c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bloomberg

Filesize
66KB

MD5
91ce1eb0208993a4cc3fb34e1546f426

SHA1
fac48e9ef003c665fd09bf6f0c2989440bc3fc71

SHA256
4d243732b785b2e7f59b2eecacaf84a5b2208a8edb021ba334ae8e9c6627abc4

SHA512
24177d1ab703994908caa39f41ce78bd98e69529f8e855e21e9baed5e0fdeb78d7b677b6a6a4901344bfa790800db3488c1389e88fc9ce30ce8550aa1d041116

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chargers

Filesize
80KB

MD5
eebbb090700c0267918bd6d3c62a3dcb

SHA1
1f710f6d79fe533a2ec9ab7d9687693137d48453

SHA256
eba892494b1c5c907a759c4117324364c8578e1055cb83771690e72363973263

SHA512
93e5fb9e90186b5bb606e945e390d7f0f5a76478bb26427452cb810b0a2f48209e417c12216fb82d8582fb95cb3e8a13f391e1d76f407eea89214c9480a16bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gst

Filesize
18KB

MD5
525a1fbfd01b226cdd9567311120ece3

SHA1
93b3b1cdc48d809fd75b005d665e7a1847056f3b

SHA256
08866f002a9a44c8fadf47ced1a4a4ee884a349e0b41feed9496707ad424ea31

SHA512
131cbdf48f43fbd28521aa255e89f6e6a5156ab50d7061f0b0afc951e21d604b954b55a3cf68b3e145a32f38118957b6549e61b58d89ff47f4c73aea1bf2360b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hardcover

Filesize
84KB

MD5
149c1b7a5fd92f6ce76e31259b6cc694

SHA1
d95ff1e129134d522f4a078e0cbe31aca2104739

SHA256
61129bc10a6cc409aabc5618e1badd406ebd115a2e1605eee246b50b57087253

SHA512
b93971f864f44c12cdf721ee37f1a94b80b1b9faa3370eda66325bf827a988dde058e19751cf0f82ea2a2b8f55e9b73cc65aea392ccd96e8379c042fb9742fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Important

Filesize
87KB

MD5
6d0f8d8f9a768ac700ea461ad028b82a

SHA1
4445ce81851cc1d4cd5f9654d0bb97e2023a277a

SHA256
06ee6af7e165f13d40c0c303a149bcb8ac047cf4bb719c15c6b212c9c71e4327

SHA512
9b0b07660fd8bfa21ec211daf704ae75f0b8ef1ced70475e9e27888e288a5293bf5a4d09e2413660c6e9a429ce943e9c8f5eecbb4224fe286b1f5c876a003205

Download Submit
C:\Users\Admin\AppData\Local\Temp\Marked

Filesize
91KB

MD5
c4b6b683cd11871d48887170d648b730

SHA1
48f6cea1569c5010589cfc920209bda425391a7e

SHA256
f5352a91d4be396fa5a34f8a24c83bfbe7f7675fa56c4d9413ebd3b232cbc775

SHA512
50f1fbb10044070520563c06fb30d92c18e3e5f8b9c6276d934b65f462357bf7d87090e43ef53447571c65219e26c9ce3a695018c5611b9860d642a0226cb219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Palestine

Filesize
87KB

MD5
06263e5e099db2ac80685c8e0cf24157

SHA1
044ea93d3a9cf211c2c799a3cecbc691e3490d33

SHA256
0712dab7f1a3aad3ccacaf351eb05158ed6b23ac522e7b6b386bf5788d7adfb7

SHA512
e556560ae12d2e13fb9f4cb6f613ba4389cdc938e32e76a73db4e01237f929179b0f633f2bf1ed6973073314e63f0c04f4ab1d834953c2e7b291ee93fe6007fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tribes

Filesize
872KB

MD5
d7bf348096e384a360a291c002c905b3

SHA1
b360b8869bbae24d8fa2262afdf4cffcb028cd77

SHA256
ceb9d4dfbd2602d2827051c969a54f4b22910c7557d4f71c8f6529cd7720c2c7

SHA512
351ee7216bfc3eb0cdbb9ce6760ef70a4e4ff029b8071f74b5a5208cd7edc55cff7f2a8b2f0ecc1ca47cee3a77ba8fef1727848c0c1453e00cdab73ee2085105

Download Submit
memory/4572-436-0x0000000004A50000-0x0000000004AAA000-memory.dmp

Filesize
360KB

Download
memory/4572-437-0x0000000004A50000-0x0000000004AAA000-memory.dmp

Filesize
360KB

Download
memory/4572-438-0x0000000004A50000-0x0000000004AAA000-memory.dmp

Filesize
360KB

Download
memory/4572-439-0x0000000004A50000-0x0000000004AAA000-memory.dmp

Filesize
360KB

Download
memory/4572-440-0x0000000004A50000-0x0000000004AAA000-memory.dmp

Filesize
360KB

Download
memory/4572-441-0x0000000004A50000-0x0000000004AAA000-memory.dmp

Filesize
360KB

Download