lumma | 534c66c9756cc17d47fbfa9a7e3fd6adc63a79e5391e07a93ce3ceb947ef7003

General

Target

PsfLauncher32.exe
Size

409KB
MD5

bbfa1775487c17383c10899ab8f9de7b
SHA1

004724f3dde5ca8b5b51d2436b04898567d5dbcf
SHA256

49e941b4c194bb97db10466d29c7dfc4b557b70913b43acc21d2572a936970f4
SHA512

ab774c1c341350b54d3aefe9f0e2ed7048d714409c4e148eb26738a255fdaf0c402e07b17086b73bba724bd3916722cd93e730a0c878d511533289d78632200e
SSDEEP

12288:lFcYBTSR7FqCiiD/UIC7R8muz6gKSCxX4/m03PcdHSg:lK3dDMIW8CSCxIzPctSg

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://latyoutw.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1808	PsfLauncher32.exe

Loads dropped DLL 1 IoCs

pid	Process
1808	PsfLauncher32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 4504	1808	PsfLauncher32.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsfLauncher32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsfLauncher32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1692	PsfLauncher32.exe
1808	PsfLauncher32.exe
1808	PsfLauncher32.exe
4504	cmd.exe
4504	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1808	PsfLauncher32.exe
4504	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1808	1692	PsfLauncher32.exe	82
PID 1692 wrote to memory of 1808	1692	PsfLauncher32.exe	82
PID 1692 wrote to memory of 1808	1692	PsfLauncher32.exe	82
PID 1808 wrote to memory of 4504	1808	PsfLauncher32.exe	83
PID 1808 wrote to memory of 4504	1808	PsfLauncher32.exe	83
PID 1808 wrote to memory of 4504	1808	PsfLauncher32.exe	83
PID 1808 wrote to memory of 4504	1808	PsfLauncher32.exe	83
PID 4504 wrote to memory of 2044	4504	cmd.exe	92
PID 4504 wrote to memory of 2044	4504	cmd.exe	92
PID 4504 wrote to memory of 2044	4504	cmd.exe	92
PID 4504 wrote to memory of 2044	4504	cmd.exe	92
PID 4504 wrote to memory of 2044	4504	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\PsfLauncher32.exe
"C:\Users\Admin\AppData\Local\Temp\PsfLauncher32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Roaming\OKNService\PsfLauncher32.exe
  C:\Users\Admin\AppData\Roaming\OKNService\PsfLauncher32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8a00c8e

Filesize
1023KB

MD5
4ae932c17196940f5425785d258053d5

SHA1
e54c54ee6c7eb5984f591cdaf1e7be9dc4e9b230

SHA256
5d8b40b496a177e06de755aa0429d147fb2d344ce4baa61dd7c11e1398c3da46

SHA512
59ed1dcfad74ba2daed324b2e8dfa56b3a1a7826017ee896bd9573120a417fc735153fee611b0a9d6d2e3226e1935eb8131d6d302f4f1a07b4be126f4bf0fd0a

Download Submit
C:\Users\Admin\AppData\Roaming\OKNService\PsfLauncher32.exe

Filesize
409KB

MD5
bbfa1775487c17383c10899ab8f9de7b

SHA1
004724f3dde5ca8b5b51d2436b04898567d5dbcf

SHA256
49e941b4c194bb97db10466d29c7dfc4b557b70913b43acc21d2572a936970f4

SHA512
ab774c1c341350b54d3aefe9f0e2ed7048d714409c4e148eb26738a255fdaf0c402e07b17086b73bba724bd3916722cd93e730a0c878d511533289d78632200e

Download Submit
C:\Users\Admin\AppData\Roaming\OKNService\PsfRuntime32.dll

Filesize
348KB

MD5
2f930c4a4290be73802a5d650d613203

SHA1
fd98498a18edba028b4f590e7bd618ab7790391d

SHA256
e4ed1603a409bbfe6b6cb2aed7bac31b4c2812011aed11622fe6a00128f8a3e7

SHA512
5369b746856059da218e757bee86436c7c53828cccb7931245e8a96a6429eee6cc884103ee4b1ef678a595ff889933b22e938154b5a31e425340c7845a57b247

Download Submit
C:\Users\Admin\AppData\Roaming\OKNService\capitulary.wma

Filesize
783KB

MD5
aae8d1be7e27e9e67d21182bb6187dec

SHA1
e34c18c6a3f1b3501c4e986167a6cae819f7b69e

SHA256
c30852584dc13abe0b412668fa539651a0bbd9f96eb4b1a262c5db2509452509

SHA512
132429f04f07024f5e262abbd641676040db5149ee9bebca42dff0420807e0f0f56d51de034d77b554c90c6351b977f585de17d1db57540ebe5f499087a36dba

Download Submit
C:\Users\Admin\AppData\Roaming\OKNService\threepiece.zip

Filesize
41KB

MD5
f5b53d748a52cb9e8ac03495d4ad4a65

SHA1
f44d112bc5417f697057b03c307e9a4bf745d87e

SHA256
543de0764080883065f0fef2e20835d89115f4caac7e9cc4c4a56f97fc24f28d

SHA512
713ebfe302e76d38f24b7a07fe6f787c1b65bf5a3f615e87d36408464a9e40ca3f511405cea0e4674c0881a7c288232fd234bfaf1791475d21c98c54b177f8fe

Download Submit
memory/1692-0-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

Filesize
1.5MB

Download
memory/1692-1-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/1808-17-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

Filesize
1.5MB

Download
memory/1808-15-0x0000000074CF3000-0x0000000074CF5000-memory.dmp

Filesize
8KB

Download
memory/1808-16-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

Filesize
1.5MB

Download
memory/1808-14-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/1808-13-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

Filesize
1.5MB

Download
memory/2044-29-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/2044-30-0x00000000000E0000-0x0000000000138000-memory.dmp

Filesize
352KB

Download
memory/4504-19-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

Filesize
1.5MB

Download
memory/4504-21-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/4504-23-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

Filesize
1.5MB

Download
memory/4504-24-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

Filesize
1.5MB

Download
memory/4504-28-0x0000000074CE0000-0x0000000074E5B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing