lumma | 448de767f56dafa0d9db0e90b7f5d1eed24b0baf23cbad4dedea013451be3de0

General

Target

SoftWare_(p@ssw0rd_1212).zip
Size

214.3MB
MD5

c88befa6a84dec14337b743a02fb42c9
SHA1

885cfeb56c18a8711054be595f7ed2f1ae419652
SHA256

448de767f56dafa0d9db0e90b7f5d1eed24b0baf23cbad4dedea013451be3de0
SHA512

f301c52ac20c0bcd093a14ebb4dcc07086bd2865fdc441f26e163259cc67c0ed9a2f1faf937d028610403d316ae371b812beb5dd0957449851582484b00f5319
SSDEEP

6291456:zC07nKVvdGJfEnYVyEHA0d+QUt9OOKVfHB:zCKKBdAaG0QUt9OP5HB

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://remakeveile.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2396	SoftWare.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 608	2396	SoftWare.exe	36

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftWare.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2252	7zFM.exe
Token: 35	2252	7zFM.exe
Token: SeSecurityPrivilege	2252	7zFM.exe
Token: 33	1876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1876	AUDIODG.EXE
Token: 33	1876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1876	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2252	7zFM.exe
2252	7zFM.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36
PID 2396 wrote to memory of 608	2396	SoftWare.exe	36

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SoftWare_(p@ssw0rd_1212).zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2252

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Users\Admin\Downloads\SoftWare.exe
"C:\Users\Admin\Downloads\SoftWare.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\apt\postgresql\13\main\PG_VERSION

Filesize
3B

MD5
aa6ed9e0f26a6eba784aae8267df1951

SHA1
feee44ad365b6b1ec75c5621a0ad067371102854

SHA256
1a252402972f6057fa53cc172b52b9ffca698e18311facd0f3b06ecaaef79e17

SHA512
01765ddfd925d70d41d53cabdba5f2588e678e534ef5d8840a813bc58d33198039006ce6395c6b95747a2e05d21ff3a47389638ba9405fd11ab1b0857f56426f

Download Submit
C:\Users\Admin\Downloads\apt\postgresql\13\main\base\14088\1259_fsm

Filesize
24KB

MD5
9a360591abd6ca7d3aca9b36ce19841d

SHA1
1f3d3f59be3657821aa1f4f66ea9d16c5d545c2d

SHA256
8acdc937fca22a496215056ed3960bff6d3319b9c45f3050e8edfc09d7085c27

SHA512
3ce5e0cb8db3beb16d254a01dfd7019931c1f30b9e5ba7341a95ba8b5db956a95e057a949c4934788c34bc1443f52b02fad93da5bd0ca7f06135927fc7d221a3

Download Submit
C:\Users\Admin\Downloads\apt\postgresql\13\main\base\14088\13938_fsm

Filesize
24KB

MD5
c7cdb534af6bd29fb2c6e3ef3ed24526

SHA1
490b58cb3588090289f7b18e33cb2691dc8fcacf

SHA256
1026c5125dd766e9b5b35a9dc36622cb8b9e441fb4e6c9b62e65cb46566652cf

SHA512
85f587aedfea35bad2857e9f7772bb72aef0ebd96c88f5c29f2bd32cf20dd07befd08ff4ac4eb11ad4d244a20d40be29ebb69815850b75d9bf0702f4e65ffc9a

Download Submit
C:\Users\Admin\Downloads\apt\postgresql\13\main\base\14088\13948_fsm

Filesize
24KB

MD5
99d1debbe47a2018c43693c11dd06300

SHA1
c341d19b9b9011c1dfda387a42b2764dfc44e2a3

SHA256
962a13e899d74c006af6764efbbc6901d740f1a9165dd8f79d1e9338bb3f18c7

SHA512
f5ed0df7f76cf571d4e8d8a9efc53dd5588cfb78187c2fc914451a8d5eae3580d1e4004e59aaa52d7006aef2b746a4fc5f501185765a241824ac48e2cf438883

Download Submit
C:\Users\Admin\Downloads\apt\postgresql\13\main\base\14088\3079_fsm

Filesize
24KB

MD5
2a3216a10d8aeed6ac8058c1f5f6cabb

SHA1
6a01bfc3f8c7c15a5624300cbd6047c5dcfa9a4a

SHA256
a0551e864782ad52e08fb6d723a01d381d7c16a18009bb83025faba4e8179e53

SHA512
ece4efb1d1bc5910c8c967290760a8ee27a1d8dec39a137566c374f946bff14d6a190ba4aa90af6983dceec4f5684d53714ec53242bc8f586c07fe82cede8264

Download Submit
C:\Users\Admin\Downloads\apt\postgresql\13\main\global\1214_fsm

Filesize
24KB

MD5
461ce67a44bad8aa641f0f8ac7f750a3

SHA1
8839d3ce467b401c60f851183bfd7841ce7c0770

SHA256
51e01e110ad6394a405d1cd7d0f18be9e1566302d54d545ff703c30cee71f5b0

SHA512
f8ed6ec80bb7a0b2b396d7fd99a12718a78aacc0215418434549c2e95c2fb9f0daf0340855ff2923c7cd143cc92f3112841c5dc65bfc4f955fb698ef765c66ac

Download Submit
C:\Users\Admin\Downloads\apt\postgresql\13\main\pg_subtrans\0000

Filesize
8KB

MD5
0829f71740aab1ab98b33eae21dee122

SHA1
0631457264ff7f8d5fb1edc2c0211992a67c73e6

SHA256
9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47

SHA512
18790c279e0ca614c2b57a215fecc23a6c3d2d308ce77f314378cb2d1b0f413acd3a9cd353aa6da86ec9f51916925c7210f7dfabc0ef726779f8d44f227f03b1

Download Submit
C:\Users\Admin\Downloads\pam\dpkg\triggers\update-default-ispell

Filesize
28B

MD5
652b20cd6ff7c0aff5a74fa3f6fabeff

SHA1
f0d739861692b2a303e4b654bb9de05e251d9e5a

SHA256
b2eb5757b46fc925e6f149607f3aa9ae31755735a438fd9ae3effabab0ebf2ed

SHA512
220368aa428174cd5d01b9c3a6fc0b2bb36a8c81d8b58c6d7a6722da304894dee82eb961fd5e24995f0c624750a2eb2b7ad04a165190331e5d0d0d1fe7c70f0c

Download Submit
memory/608-2759-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/608-2760-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing