Overview

overview

10

Static

static

10

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

10

Resubmissions

12-01-2025 13:38

250112-qxcxpatrew 10

12-01-2025 12:12

250112-pde29strbq 10

Analysis

  • max time kernel
    25s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2025 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    489KB

  • MD5

    d685ae29670dbc00b6665b5511bda6cb

  • SHA1

    2f49b83a6d7a5f9e5151c6f7f1b3fa9e6f4b25a9

  • SHA256

    0518c095cc948ab003cd4d12a1f95f0579c52c17f9102976b5799cd0bd85e6a2

  • SHA512

    d7705fcd8751a49cc17962ac9b6e228f55ef74aab066cabdd5de74518686feaea951487a042683ea3e055ce04e0b971b528572aac920f325fcf64d34167450de

  • SSDEEP

    12288:uiNSSLq47oIkbTUINbTDw7j/puQ/FU5A8e2CI582g/c10/nGZj:uicGq47oDwgbTDGjxJ/2i8MI

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4908
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1592
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\gdi32.dll
      Filesize

      428KB

      MD5

      36c0b5018242a87d99e2b5000dfc29ad

      SHA1

      d46f1ba661e3d18c8b1e7895920368e9bddbc7ae

      SHA256

      94cc3d303105493943c6cce20473c82eff3942515bfd73df976e802d97be78b4

      SHA512

      8f10af3f519e2c52539fb79ec16cd82470f25c0863b622030ed4bd59f437c9109caf46d151c18889c4939a44672339d75029c8f757cf7118e759b90355317f0a

      Download Submit

    • memory/1592-31-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-32-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-21-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-28-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-29-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-30-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-33-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-22-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-23-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-27-0x000001C4D4A90000-0x000001C4D4A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4708-7-0x0000000074DD0000-0x0000000075580000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4708-19-0x0000000074DD0000-0x0000000075580000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4708-1-0x0000000000990000-0x0000000000A10000-memory.dmp

      Filesize

      512KB

      Download

    • memory/4708-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4708-18-0x0000000074DD0000-0x0000000075580000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4708-20-0x0000000074DD0000-0x0000000075580000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4908-9-0x0000000000B90000-0x0000000000BFB000-memory.dmp

      Filesize

      428KB

      Download

    • memory/4908-14-0x0000000000B90000-0x0000000000BFB000-memory.dmp

      Filesize

      428KB

      Download

    • memory/4908-17-0x0000000000B90000-0x0000000000BFB000-memory.dmp

      Filesize

      428KB

      Download