Overview

overview

10

Static

static

3

2025-01-11...er.exe

windows7-x64

10

2025-01-11...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe

  • Size

    24.2MB

  • MD5

    d8bdb08dfec797bab9512006bed4a3b2

  • SHA1

    49d0413c51a3dba9cf863e2978ee00d61dd4789e

  • SHA256

    0fda11e70fd15b6001a6a30fc652ed7cbd2384167ca2ea8af0c54f7cae7e1830

  • SHA512

    8cca5cc6c7119f81ea9a095c13babc4f72af28d30f772d564121aa06a29361a07455d3306d73ce0cdfd2c3a478fc1fee1f9a716d5cfccad5de4108c4c79e9245

  • SSDEEP

    196608:rfHADSSTHO9y7FPhCivssjy9bhCeDXqmH5a9y8yvmMhp43lD2akyGwS+7d:rY5rO9y7phJ8lhCeGry8yvmMhp43lK4

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://truculengisau.biz/api

https://spookycappy.biz/api

https://punishzement.biz/api

https://nuttyshop/api

https://nuttyshopr.biz/api

https://marketlumpe.biz/api

https://littlenotii.biz/api

https://grandiouseziu.biz/api

https://fraggielek.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-11_d8bdb08dfec797bab9512006bed4a3b2_avoslocker_luca-stealer.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Label Label.cmd & Label.cmd
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:468
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 606448
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2800
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Newsletters
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2852
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "annotation" Workstation
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 606448\Favour.com + Vegetarian + Queue + Qualification + Lessons + Wanna + Apr + Connections + Do + Auctions + Excuse 606448\Favour.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Marco + ..\Green + ..\Common + ..\Beverly + ..\Changed + ..\Bacterial + ..\Wins s
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2668
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\606448\Favour.com
        Favour.com s
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2136
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\606448\Favour.com
    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\606448\s
    Filesize

    482KB

    MD5

    c38eb4bccce4ab0abe48780e4c9b055f

    SHA1

    b72ed6d10bd2382217796f21794872f29f583fb0

    SHA256

    c499414f5730b2752e3914219f5ae242895ed9f26b54421a9d8c9c600a4aef89

    SHA512

    5d36214dc819c18cd35aad40a0db9fa0e6008e08ea359c5a285af796bed21ac98f037bc6e1d06410959914c1381153b22e52de962a817cbe7fea47f8a26735e8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Apr
    Filesize

    141KB

    MD5

    55b4d9d9e4fd3c187dc363962a6641f7

    SHA1

    3eaa97240871d48f85c1f497ac93d1f3a358e5b3

    SHA256

    53168df582e3f767877370806c224c7230cbf7904d3124c7be44f7ed4a3c5dde

    SHA512

    a9db81de7d9c8fd994b839e0d013484bb7f48a40567dc5793b3980afe099ca9bdd18588a1efb55368fef772478c960651f4de235a2df5cb6f50a7792462f30d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Auctions
    Filesize

    76KB

    MD5

    caa6674dd8a3c205b74797c8ec69e37b

    SHA1

    e2bd4d8614fdf4b8519268cc9295630135d2a517

    SHA256

    29d9567417607234d7ffd031e650a8ce158ea37411c0ca4d9f8f90a82cc783a8

    SHA512

    c277412d44d330c22d4aa6bedecd88de871998970c1a4c64b086170112d524d519391db17afa729343f181d838b2dbfef307f5d7c388cd39f6be007191ea2ab5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bacterial
    Filesize

    77KB

    MD5

    ad5797fb2bf3fa8f491ba46b12ffc8d2

    SHA1

    e02eee233f659d66350ce5884dc80c3da0a232e9

    SHA256

    5d44b1797e1f1857ee9d75f4377d86035903dfc45385df53a7246c70c0a7d640

    SHA512

    c793f8a4babe42e85bdf30909f915f022453b3998ef64284a336bb88fa899f93898e1661acb0a41b67045b369cc83c5fe1a0c275b0384cf4156cdf50dbdf02e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Beverly
    Filesize

    82KB

    MD5

    f539140515243cbf7d3036dbf64bf7f3

    SHA1

    07336d421214448c006078fa5dc79c91888dd8e0

    SHA256

    72f72038d438514da3c89363962e5ddfb656463b52d95227b4cf7841ec732e30

    SHA512

    99013ef44800b67095c273f41648aca1236d08427f3ca2206f786a518aa7d4021c07ddcce39cb4fe12e69385f76fb5d1871d2b90d9a1dc25ef92e295b2ff37e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Changed
    Filesize

    69KB

    MD5

    7e6c5c04a6b8ba54dbba65d5c5a4641c

    SHA1

    3f7642398923f05d9fcaec960566869b37da02ca

    SHA256

    7daf64c082bcb836df336ae71946ddde34310bd69f9786dfc0652db063cd48df

    SHA512

    86dcf436517d7e8aa17c538702e97476465808ebc373a6d62d9e1d86d56108cc0b71b23a237a214a1a2a52bf546ae0c646dd4a15b77b8ba36d2ba34681094e68

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Common
    Filesize

    69KB

    MD5

    932c3600a491bec7d872d2dc8c33fb49

    SHA1

    482084c5d2ca8b0d7e77da96b4beae8e87a2f729

    SHA256

    77af328c2e7534c878d7da0339999ea11d010e1d75bcebc9d0181826ea9396d9

    SHA512

    d30212cf9663c6d860e9ba26444abbbe91b5fcb661eb136d7131436f2f6c448fe5abcedcf8b15f5ad9a1024788553175e099e5420247d0e8bfeab02aa9110213

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Connections
    Filesize

    87KB

    MD5

    8da2f6ab233a89dc2803749634b54fec

    SHA1

    873be4048ed83d5f3618637e784383d98871c71e

    SHA256

    33aca53446ab82abb69ca598712375eb3f770f66cd467bba5ba222f32f4f24c2

    SHA512

    a203168fc2fb66d542e0a11e6b96543da287cb29a162abf2bf0d0e06358df32daa257b2564aacec2769f8e1b669783aa29e22b92f99b1c5c9cb2ac44e6112931

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Do
    Filesize

    61KB

    MD5

    d491eb91763433d1cf09a0e75343744c

    SHA1

    d706b79c7f54fd048db64619a5bf6a85108375b4

    SHA256

    8adb5752d535491d33590a1cca8076c75c2dbcb58dd2195feb9c3b451b6c8bdd

    SHA512

    60269236aa83c351919f9f387144628bf4f2f952f7cdcb87f8bee38c2df434ee1cf5099c102857bca885b85957a906e984437375273d7aba44809ccc737b541c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Excuse
    Filesize

    79KB

    MD5

    ed2c646e7300b7174bd928845bf32180

    SHA1

    da73bd16d062f2f97f9780ca3233ef3af36af168

    SHA256

    e4116411dafd7205f789b97575d74eae500fa99dbba7adc24a776aebc289c0a2

    SHA512

    6db002d4c8d4d6a977b4ba8b8fd7bc44bfca34b8225b10109afc125c4fa62467dbd5786e0ef338f9d1f19947b8dcde691377e7c245328fd281863acca350a29c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Green
    Filesize

    98KB

    MD5

    def06cb6fedd3f01f02c545fbc609f79

    SHA1

    8c8fca18d229dbe4e8cfeb92df18439dd1fac63d

    SHA256

    4c47f943ae623950e853928735df4d13261d3dcd744dec36986efd482a4ea500

    SHA512

    65689d80b7bfda712238287bb7b553461120465de649afe8ae7444e29aad40dacd573e379d59d8259b1c842d9f2f2e1fe2c40c08044e26ca578e06e148ebbcbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Label
    Filesize

    29KB

    MD5

    4d82b9ea11a42e454b4fddd0ec5d3b90

    SHA1

    821512b2aa3c7f7fe0c52959009c5bee52123dbe

    SHA256

    5cdd6a76decc9079b8677acc84484f34dccd73f7982e40f096905f8ee0a47bca

    SHA512

    c23f8c895ac71faaff3a71d9f94c520d370e83b52787a15ad6e5a9298bc6dd987b101b76b7df10bd73606c5fe9c5af49c1dd681d2f708836f40342862988b5cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lessons
    Filesize

    103KB

    MD5

    a68cc1c9a68e344fa244b38daeb56e83

    SHA1

    d8310cc5360049d52e4fc598261353f9c8c13bfe

    SHA256

    3b7bad75239c96624414156eb1017bce6e9e32a216f4debb447c1c172ee49613

    SHA512

    f9e1168f960d803fb87d50b337ae5b421229125f2346d9c424787a72ec815c15133fedd5f16bc59a9d5d895d10c92395409b71a87bc74e92ce0820b44f7d4ab5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Marco
    Filesize

    69KB

    MD5

    a4680cbaacc5fba01255b4f5da73c118

    SHA1

    4fb2428fe94ac0b89dbe18862fa5127b1ee0a98f

    SHA256

    29968dffb337e4febbc39791bd39b2adb098ad2530143d8264abd047a8b17cb0

    SHA512

    a4c4c423136d6fd4998f4aa82ffb447fd570e6d25b98ad143ddc4aea4dd6c4887f55319ca014c2a306a3ee6233436c96ac48cbb50de7ba5da3214c83f03ba4fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Newsletters
    Filesize

    476KB

    MD5

    4c1732d6011b698150caf93a74df4b72

    SHA1

    541028d65ee40688220c81fb5ad885797b06001d

    SHA256

    d154848e37723dfa82ca7806479ee5cfeb09191a7cf0724b866a8dbc87c978b0

    SHA512

    d1e821542d16544ffeb65cc7efb4dd8d0a8042f57faad1a2773c02e12312abd0e336ac5210d8f52e697a5bddf4868b4d9570e99a99abbf710c9692e9728cc335

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Qualification
    Filesize

    78KB

    MD5

    d3d19eac5db617389ad060d29a0d2c77

    SHA1

    4cdd3dbb0338b7d1bdf917105eb4a228141be9aa

    SHA256

    8188c74cd18a50d35539364c5de3c93095b0a6ff5b766411964bc2357f02985f

    SHA512

    92d439cd148d7d831915097b0b402fdb3bad6954707bcf9006f078fee51ad9b3ef8437f111ca4b697f0392a1c57a99e4f9126009859783ab01a934fade214a11

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Queue
    Filesize

    99KB

    MD5

    e6264ad94d7a0271ab31e4791b1c5e34

    SHA1

    fb02e7296508987980b0497fbcb432c67a96dbe3

    SHA256

    be9b563f046c15eeecc3fb0022d54a2285539d26391447ce17e2b397faa27a0a

    SHA512

    c69e659fb40f347bbda6ede297c9a107ad639c0fec4fdb831ae4f2b1de102cddbb47e4d1eba497614b055e651960a09fa30448d4dd52e6a8222b84633a8b5377

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vegetarian
    Filesize

    77KB

    MD5

    415a6d5e8e0524531b400fbf0dcf63f6

    SHA1

    ca675a0f7a97ff98c3cc028b8043cc806fb2c761

    SHA256

    1d886a96ad64a1b0eb98a1aa75bfa407b8a60d402a3ad412a898b7050514fed0

    SHA512

    53edcdb45d517259f131b0c46253770b4f9aa2910a890470a656788177e0cd738567e07732d419b358f2475306898a088ea7e64c8e7e7cc749bdeb44e551f29b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wanna
    Filesize

    121KB

    MD5

    8c3494cea83acc4494633c107fcea0f0

    SHA1

    cbe8841c682008e7e9d5fbbe138ea6284c54482c

    SHA256

    2b9d04fcca22bd3700ced51aa1659748bf77907eab5c924f6f888f7bbb78bb59

    SHA512

    26e51f75b0ac4ff9ef1b3ea022f745bd78ca5db4e6ee3254630bbc317a978331acb7fde1da561a2080ee854879b2472a3c71f15e651ef2686c685e736e8ae618

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wins
    Filesize

    18KB

    MD5

    30da36acbe9efb97ce5304f5546f581f

    SHA1

    b9907b8d50a46089ddf93f4c73cdd664dd3f016d

    SHA256

    ac0608d81a966d5f8e39c8e161fb880e56d4634252eeb6ba00c72f66f71aa2c5

    SHA512

    2f3549bf58ab411d13a0db5e1bbcad457f64b6315d9c9c89a683cec68d2de6c67b935726c03f173d0cc8e0e5fc2de97dab0a836bd9081230fcca74a73b3d21a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Workstation
    Filesize

    2KB

    MD5

    3cb3b315bfdb1a41d08d4cb490b66975

    SHA1

    91465ed8dee183a0db72356c0d37e4d2f5fb4de7

    SHA256

    628712d50778c63167cb657b714553a70e6bc07e776aeda6ad20cd981d3d4519

    SHA512

    6521ee0be600ea70dde60a785ca10037abe1e2667517026252fd2ce904d299e1fc6256bb08967081ada3a675baee4703250deb3a2d91754a1bf99748ef09a89b

    Download Submit

  • memory/2136-72-0x0000000003520000-0x000000000357C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2136-71-0x0000000003520000-0x000000000357C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2136-73-0x0000000003520000-0x000000000357C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2136-75-0x0000000003520000-0x000000000357C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2136-74-0x0000000003520000-0x000000000357C000-memory.dmp

    Filesize

    368KB

    Download