lumma | ac9881ba3da632e68be376d6ac307962bd9116fa2240a3eb53f564f8f8d2673e

Analysis

max time kernel
231s
max time network
234s
platform
windows11-21h2_x64
resource
win11-20241007-de
resource tags

arch:x64arch:x86image:win11-20241007-delocale:de-deos:windows11-21h2-x64systemwindows
submitted
16-01-2025 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fluxion Launcher.rar
Size

3.3MB
MD5

eee78ef06b0bee50ebeb26dd87c810ce
SHA1

a098985153e9b9c68f42e891045845cbb4d3b915
SHA256

ac9881ba3da632e68be376d6ac307962bd9116fa2240a3eb53f564f8f8d2673e
SHA512

135c0c65cd9cfc4f146aba090899ebaffbdbc71816365a568473e8837e0b43e0cb9e031f78dfa4469334a519d09d516db5204a344bbeedc65cf2840d40a776f3
SSDEEP

98304:3sMGdImCv5E3aYmlKvA43Y0Ozi/uIArpyKg:395mqE37A6XNOu/uNrpyL

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

https://letterdrive.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 9 IoCs

pid	Process
1948	fluxionlauncher.exe
3324	fluxionlauncher.exe
1356	fluxionlauncher.exe
4468	fluxionlauncher.exe
2964	fluxionlauncher.exe
2468	fluxionlauncher.exe
4176	fluxionlauncher.exe
3412	fluxionlauncher.exe
3524	fluxionlauncher.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 3324	1948	fluxionlauncher.exe	83
PID 1948 set thread context of 1356	1948	fluxionlauncher.exe	84
PID 4468 set thread context of 2964	4468	fluxionlauncher.exe	90
PID 4468 set thread context of 3524	4468	fluxionlauncher.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1464	1948	WerFault.exe	79
3848	4468	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fluxionlauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fluxionlauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fluxionlauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fluxionlauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fluxionlauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fluxionlauncher.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2632	7zFM.exe
Token: 35	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2632	7zFM.exe
2632	7zFM.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 3324	1948	fluxionlauncher.exe	83
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 1948 wrote to memory of 1356	1948	fluxionlauncher.exe	84
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2964	4468	fluxionlauncher.exe	90
PID 4468 wrote to memory of 2468	4468	fluxionlauncher.exe	91
PID 4468 wrote to memory of 2468	4468	fluxionlauncher.exe	91
PID 4468 wrote to memory of 2468	4468	fluxionlauncher.exe	91
PID 4468 wrote to memory of 4176	4468	fluxionlauncher.exe	92
PID 4468 wrote to memory of 4176	4468	fluxionlauncher.exe	92
PID 4468 wrote to memory of 4176	4468	fluxionlauncher.exe	92
PID 4468 wrote to memory of 3412	4468	fluxionlauncher.exe	93
PID 4468 wrote to memory of 3412	4468	fluxionlauncher.exe	93
PID 4468 wrote to memory of 3412	4468	fluxionlauncher.exe	93
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94
PID 4468 wrote to memory of 3524	4468	fluxionlauncher.exe	94

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Fluxion Launcher.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3652

C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
"C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
  "C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3324
- C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
  "C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 816
  2⤵
  - Program crash
  PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948
1⤵
PID:1284

C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
"C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
  "C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
  "C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
  "C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
  "C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe
  "C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 832
  2⤵
  - Program crash
  PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4468 -ip 4468
1⤵
PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\Fluxion Launcher\Autoupdate.dll

Filesize
2.5MB

MD5
51397005ac7db572e3af109699f4ba73

SHA1
c9bcb56dd1a4c4b687917aac34f703908a5d4bde

SHA256
07bd44748b663d9efbf35cd962408b57ad72a7ce65bdc2722db284f343b2d891

SHA512
512740d00adf5512cd8f6ca163a1c137a0e17091243d880271945b90306f7ddc6b47928b27985c5b60b4474e5be57273308babe50986fda638dc6b8ea2f0f2c8

Download Submit
C:\Users\Admin\Downloads\Fluxion Launcher\fluxionlauncher.exe

Filesize
339KB

MD5
0faa74d371ad58d493b2df890c610774

SHA1
c7a155aca4a20258fc1105b91d5d94205415546a

SHA256
4d6330d6d983a30c5a0e469058075e96b6e8109daff1ac41a910aab2621f488d

SHA512
fa603a7a93062d72ff33e3a0562357169148470ac0defef8145d629a5efa7e87f5481a82ee1a7c4e8bcb26e242f7fa4074076f2ca0a08fa0e0b158544f9da223

Download Submit
C:\Users\Admin\Downloads\Fluxion Launcher\x64\cfg.dll

Filesize
5.0MB

MD5
7bfe885d87026d0d41dba5fb4173201c

SHA1
027637e1c7fd24a7bbaba6b926cce67e47d8e7dc

SHA256
2b529e8afa002053744bb4e2430513e7745f91b5052446ef2d0568e91d5b1280

SHA512
d2ded5d1c216900e340425f652c585398f2662f3aefe552e80161af90d1656d2ed202366c2ac794564dbf6eca0c1d769f62fcb979a0d666ea06540e389a30951

Download Submit
memory/1356-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1948-44-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/1948-45-0x0000000000110000-0x000000000016C000-memory.dmp

Filesize
368KB

Download
memory/1948-46-0x00000000050D0000-0x0000000005676000-memory.dmp

Filesize
5.6MB

Download
memory/1948-58-0x00000000743C0000-0x0000000074B71000-memory.dmp

Filesize
7.7MB

Download
memory/3324-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3324-53-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3324-59-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download