lumma | 6aa911d2f11777555fe26594220bb419cbed102620e9ac5c3f2c57e8a7bfdf1c

Analysis

max time kernel
98s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReFB.exe
Size

80KB
MD5

2a8613b7d99903516b8fe02fd820bf52
SHA1

78a96addcb556ab1d490fac80f929305263d06b9
SHA256

f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407
SHA512

af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436
SSDEEP

1536:9A8oAY5SXfidLez+Q+EGfdUHLLXJ+CqoVpPBucQwk7qnKXKo5OMY8xk03ben8TK:M7Ohz+Q+EGlUHLLXJ+CqoTPBucQwktXS

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
3840	ReFB.exe
3592	ReFB.exe

Loads dropped DLL 13 IoCs

pid	Process
3840	ReFB.exe
3840	ReFB.exe
3840	ReFB.exe
3840	ReFB.exe
3840	ReFB.exe
3840	ReFB.exe
3592	ReFB.exe
3592	ReFB.exe
3592	ReFB.exe
3592	ReFB.exe
3592	ReFB.exe
3592	ReFB.exe
3592	ReFB.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3840 set thread context of 3508	3840	ReFB.exe	84
PID 3592 set thread context of 4548	3592	ReFB.exe	111

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2272	ReFB.exe
3840	ReFB.exe
3840	ReFB.exe
3508	cmd.exe
3508	cmd.exe
444	ReFB.exe
3592	ReFB.exe
3592	ReFB.exe
4548	cmd.exe
4548	cmd.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3840	ReFB.exe
3508	cmd.exe
3592	ReFB.exe
4548	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3840	2272	ReFB.exe	83
PID 2272 wrote to memory of 3840	2272	ReFB.exe	83
PID 2272 wrote to memory of 3840	2272	ReFB.exe	83
PID 3840 wrote to memory of 3508	3840	ReFB.exe	84
PID 3840 wrote to memory of 3508	3840	ReFB.exe	84
PID 3840 wrote to memory of 3508	3840	ReFB.exe	84
PID 3840 wrote to memory of 3508	3840	ReFB.exe	84
PID 3508 wrote to memory of 2276	3508	cmd.exe	101
PID 3508 wrote to memory of 2276	3508	cmd.exe	101
PID 3508 wrote to memory of 2276	3508	cmd.exe	101
PID 3508 wrote to memory of 2276	3508	cmd.exe	101
PID 444 wrote to memory of 3592	444	ReFB.exe	110
PID 444 wrote to memory of 3592	444	ReFB.exe	110
PID 444 wrote to memory of 3592	444	ReFB.exe	110
PID 3592 wrote to memory of 4548	3592	ReFB.exe	111
PID 3592 wrote to memory of 4548	3592	ReFB.exe	111
PID 3592 wrote to memory of 4548	3592	ReFB.exe	111
PID 3592 wrote to memory of 4548	3592	ReFB.exe	111
PID 4548 wrote to memory of 2000	4548	cmd.exe	114
PID 4548 wrote to memory of 2000	4548	cmd.exe	114
PID 4548 wrote to memory of 2000	4548	cmd.exe	114
PID 4548 wrote to memory of 2000	4548	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\ReFB.exe
"C:\Users\Admin\AppData\Local\Temp\ReFB.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Roaming\ugscheck\ReFB.exe
  C:\Users\Admin\AppData\Roaming\ugscheck\ReFB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\ReFB.exe
"C:\Users\Admin\AppData\Local\Temp\ReFB.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:444
- C:\Users\Admin\AppData\Roaming\ugscheck\ReFB.exe
  C:\Users\Admin\AppData\Roaming\ugscheck\ReFB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19dc7287

Filesize
1.0MB

MD5
dbfc3f7e9fa4674d3880ab9fe4215606

SHA1
30649fb4ef4e7508db5156d7dc03aab6f7563da1

SHA256
30d4ceac21c72c64a5005bf43e7137f03008b95e0bb9d2bf7e662cf89ef49317

SHA512
f740683da3a774a82a1394962a627463504cb1a20efdf0e7cd61c8c7b13790a457652196739b7ff45c809e2bc9221a72d8a79a5a8090650ceef9d3db0faca413

Download Submit
C:\Users\Admin\AppData\Local\Temp\34bcb97

Filesize
1.0MB

MD5
402f294fedc5d819589889b020f1af8c

SHA1
a6549ea33c1d885e4f499306dd31e9a26fbc1464

SHA256
5d804dec5099b46c0ab586feb25d29617f7f0231d0d32faeb152ed2722197a87

SHA512
cfce2da31620e29516854fad53b4b27c9c39e477413c7f8b38d20eca7e72c91366da49970abdf75d275099ccaf052cea834619bb77c8cacf372969d6b52d0558

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\MSVCR100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\QtCore4.dll

Filesize
2.5MB

MD5
fecc62a37d37d9759e6b02041728aa23

SHA1
0c5f646caef7a6e9073d58ed698f6cfbfb2883a3

SHA256
94c1395153d7758900979351e633ab68d22ae9b306ef8e253b712a1aab54c805

SHA512
698f90f1248dacbd4bdc49045a4e80972783d9dcec120d187abd08f5ef03224b511f7870320938b7e8be049c243ffb1c450c847429434ef2e2c09288cb9286a6

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\QtGui4.dll

Filesize
8.2MB

MD5
831ba3a8c9d9916bdf82e07a3e8338cc

SHA1
6c89fd258937427d14d5042736fdfccd0049f042

SHA256
d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

SHA512
beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\QtNetwork4.dll

Filesize
1.0MB

MD5
8a2e025fd3ddd56c8e4f63416e46e2ec

SHA1
5f58feb11e84aa41d5548f5a30fc758221e9dd64

SHA256
52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

SHA512
8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\QtWebKit4.dll

Filesize
12.5MB

MD5
df68febc876575329e93938eba19848f

SHA1
a96949f2782e70911f33937043ac54e6fe48ca24

SHA256
3127cbbf3afaeb191ca918175ad4c6bfbdd68f8ce38ffa06206ba543576e84e2

SHA512
f0f6dc90dd640a1f90de77e3c99c8306446bfd79d0c4b4f7119e421efd26137a9fb6607de8a229ed4dd8686fd84a2f042334a7e836db1eeab69f33f232fa3385

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\ReFB.exe

Filesize
80KB

MD5
2a8613b7d99903516b8fe02fd820bf52

SHA1
78a96addcb556ab1d490fac80f929305263d06b9

SHA256
f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407

SHA512
af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\airframe.psd

Filesize
799KB

MD5
a634e0a7d3ee770d4a6a05faf21065e6

SHA1
a9b078d0fc8d218234fd1d57eb612418e0ef80f9

SHA256
8006b6f93bb6ad3e70a411c3d29226e57bc550a12feb0036b7ac934d69843df2

SHA512
675d9906901712126ce0b00212479d0e1211f397da244dd617cb658f54d12bc42dc1768e49310f694651d173716e0cbde397e5db9cde5dd1cde42add73e9c1f0

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\caracul.db

Filesize
50KB

MD5
fec22c03622fb5151eb820ad7580d972

SHA1
2fe9cc2fcd4fe7a839f9e4c039ebf228b08cbf2a

SHA256
7c2aa43307d8d155cafcbce4c3f3ddbdc2dcfb60ec8c4b44a3bf03e26c85f267

SHA512
aa736cdcd63810b7ddcc206d9d073ef4a21dd87720e54be3775a5bbf8422c4791e78a7bf1136632eaa376e7c9275a9a19ba39235bde39eb847f401f5d3e2cb06

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\msvcp100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
memory/444-48-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

Filesize
2.0MB

Download
memory/444-47-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/2000-86-0x0000000000340000-0x000000000039D000-memory.dmp

Filesize
372KB

Download
memory/2000-85-0x0000000000340000-0x000000000039D000-memory.dmp

Filesize
372KB

Download
memory/2000-84-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

Filesize
2.0MB

Download
memory/2272-0-0x00000000738B0000-0x0000000073A2B000-memory.dmp

Filesize
1.5MB

Download
memory/2272-1-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

Filesize
2.0MB

Download
memory/2276-45-0x00000000008B0000-0x000000000090D000-memory.dmp

Filesize
372KB

Download
memory/2276-40-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

Filesize
2.0MB

Download
memory/2276-42-0x00000000008B0000-0x000000000090D000-memory.dmp

Filesize
372KB

Download
memory/3508-37-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3508-38-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3508-41-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3508-36-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

Filesize
2.0MB

Download
memory/3508-34-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3592-76-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3592-77-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

Filesize
2.0MB

Download
memory/3592-78-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3840-32-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3840-31-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3840-30-0x0000000073B43000-0x0000000073B45000-memory.dmp

Filesize
8KB

Download
memory/3840-29-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

Filesize
2.0MB

Download
memory/3840-28-0x0000000073B30000-0x0000000073CAB000-memory.dmp

Filesize
1.5MB

Download
memory/4548-81-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

Filesize
2.0MB

Download