lumma | 6aa911d2f11777555fe26594220bb419cbed102620e9ac5c3f2c57e8a7bfdf1c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReFB.exe
Size

80KB
MD5

2a8613b7d99903516b8fe02fd820bf52
SHA1

78a96addcb556ab1d490fac80f929305263d06b9
SHA256

f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407
SHA512

af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436
SSDEEP

1536:9A8oAY5SXfidLez+Q+EGfdUHLLXJ+CqoVpPBucQwk7qnKXKo5OMY8xk03ben8TK:M7Ohz+Q+EGlUHLLXJ+CqoTPBucQwktXS

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
348	ReFB.exe

Loads dropped DLL 7 IoCs

pid	Process
3044	ReFB.exe
348	ReFB.exe
348	ReFB.exe
348	ReFB.exe
348	ReFB.exe
348	ReFB.exe
348	ReFB.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 348 set thread context of 1924	348	ReFB.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReFB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3044	ReFB.exe
348	ReFB.exe
348	ReFB.exe
1924	cmd.exe
1924	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
348	ReFB.exe
1924	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 348	3044	ReFB.exe	30
PID 3044 wrote to memory of 348	3044	ReFB.exe	30
PID 3044 wrote to memory of 348	3044	ReFB.exe	30
PID 3044 wrote to memory of 348	3044	ReFB.exe	30
PID 348 wrote to memory of 1924	348	ReFB.exe	31
PID 348 wrote to memory of 1924	348	ReFB.exe	31
PID 348 wrote to memory of 1924	348	ReFB.exe	31
PID 348 wrote to memory of 1924	348	ReFB.exe	31
PID 348 wrote to memory of 1924	348	ReFB.exe	31
PID 1924 wrote to memory of 2656	1924	cmd.exe	34
PID 1924 wrote to memory of 2656	1924	cmd.exe	34
PID 1924 wrote to memory of 2656	1924	cmd.exe	34
PID 1924 wrote to memory of 2656	1924	cmd.exe	34
PID 1924 wrote to memory of 2656	1924	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ReFB.exe
"C:\Users\Admin\AppData\Local\Temp\ReFB.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Roaming\ugscheck\ReFB.exe
  C:\Users\Admin\AppData\Roaming\ugscheck\ReFB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a01a3c2f

Filesize
1.0MB

MD5
07b27eba47b52ccbb4c5b89f0feb3662

SHA1
44f4953e172ca2b0a73c5f8f75dd72072418f442

SHA256
7e66314fd6d4e3ee00a014046e9a65e9ea500cbaeb240f75fb45eb73037379f5

SHA512
12896b4b9dec330feef5a299d6da73476397b44b571f4f03f9252c9994446723b4a09ca350fbb1e8c00d17acf872ba4aa7b2527dbda8e9e6a9c408d0a399800c

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\MSVCP100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\MSVCR100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\QtCore4.dll

Filesize
2.5MB

MD5
fecc62a37d37d9759e6b02041728aa23

SHA1
0c5f646caef7a6e9073d58ed698f6cfbfb2883a3

SHA256
94c1395153d7758900979351e633ab68d22ae9b306ef8e253b712a1aab54c805

SHA512
698f90f1248dacbd4bdc49045a4e80972783d9dcec120d187abd08f5ef03224b511f7870320938b7e8be049c243ffb1c450c847429434ef2e2c09288cb9286a6

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\QtGui4.dll

Filesize
8.2MB

MD5
831ba3a8c9d9916bdf82e07a3e8338cc

SHA1
6c89fd258937427d14d5042736fdfccd0049f042

SHA256
d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

SHA512
beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\QtNetwork4.dll

Filesize
1.0MB

MD5
8a2e025fd3ddd56c8e4f63416e46e2ec

SHA1
5f58feb11e84aa41d5548f5a30fc758221e9dd64

SHA256
52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

SHA512
8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\QtWebKit4.dll

Filesize
12.5MB

MD5
df68febc876575329e93938eba19848f

SHA1
a96949f2782e70911f33937043ac54e6fe48ca24

SHA256
3127cbbf3afaeb191ca918175ad4c6bfbdd68f8ce38ffa06206ba543576e84e2

SHA512
f0f6dc90dd640a1f90de77e3c99c8306446bfd79d0c4b4f7119e421efd26137a9fb6607de8a229ed4dd8686fd84a2f042334a7e836db1eeab69f33f232fa3385

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\airframe.psd

Filesize
799KB

MD5
a634e0a7d3ee770d4a6a05faf21065e6

SHA1
a9b078d0fc8d218234fd1d57eb612418e0ef80f9

SHA256
8006b6f93bb6ad3e70a411c3d29226e57bc550a12feb0036b7ac934d69843df2

SHA512
675d9906901712126ce0b00212479d0e1211f397da244dd617cb658f54d12bc42dc1768e49310f694651d173716e0cbde397e5db9cde5dd1cde42add73e9c1f0

Download Submit
C:\Users\Admin\AppData\Roaming\ugscheck\caracul.db

Filesize
50KB

MD5
fec22c03622fb5151eb820ad7580d972

SHA1
2fe9cc2fcd4fe7a839f9e4c039ebf228b08cbf2a

SHA256
7c2aa43307d8d155cafcbce4c3f3ddbdc2dcfb60ec8c4b44a3bf03e26c85f267

SHA512
aa736cdcd63810b7ddcc206d9d073ef4a21dd87720e54be3775a5bbf8422c4791e78a7bf1136632eaa376e7c9275a9a19ba39235bde39eb847f401f5d3e2cb06

Download Submit
\Users\Admin\AppData\Roaming\ugscheck\ReFB.exe

Filesize
80KB

MD5
2a8613b7d99903516b8fe02fd820bf52

SHA1
78a96addcb556ab1d490fac80f929305263d06b9

SHA256
f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407

SHA512
af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436

Download Submit
memory/348-30-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/348-33-0x0000000073D60000-0x0000000073ED4000-memory.dmp

Filesize
1.5MB

Download
memory/348-29-0x0000000073D60000-0x0000000073ED4000-memory.dmp

Filesize
1.5MB

Download
memory/348-32-0x0000000073D60000-0x0000000073ED4000-memory.dmp

Filesize
1.5MB

Download
memory/348-31-0x0000000073D73000-0x0000000073D75000-memory.dmp

Filesize
8KB

Download
memory/1924-40-0x0000000073D60000-0x0000000073ED4000-memory.dmp

Filesize
1.5MB

Download
memory/1924-35-0x0000000073D60000-0x0000000073ED4000-memory.dmp

Filesize
1.5MB

Download
memory/1924-37-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/1924-39-0x0000000073D60000-0x0000000073ED4000-memory.dmp

Filesize
1.5MB

Download
memory/1924-43-0x0000000073D60000-0x0000000073ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2656-42-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2656-44-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2656-45-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3044-1-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/3044-0-0x0000000073D90000-0x0000000073F04000-memory.dmp

Filesize
1.5MB

Download