lumma | 534c66c9756cc17d47fbfa9a7e3fd6adc63a79e5391e07a93ce3ceb947ef7003

General

Target

PsfLauncher32.exe
Size

409KB
MD5

bbfa1775487c17383c10899ab8f9de7b
SHA1

004724f3dde5ca8b5b51d2436b04898567d5dbcf
SHA256

49e941b4c194bb97db10466d29c7dfc4b557b70913b43acc21d2572a936970f4
SHA512

ab774c1c341350b54d3aefe9f0e2ed7048d714409c4e148eb26738a255fdaf0c402e07b17086b73bba724bd3916722cd93e730a0c878d511533289d78632200e
SSDEEP

12288:lFcYBTSR7FqCiiD/UIC7R8muz6gKSCxX4/m03PcdHSg:lK3dDMIW8CSCxIzPctSg

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://latyoutw.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1096	PsfLauncher32.exe

Loads dropped DLL 1 IoCs

pid	Process
1096	PsfLauncher32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 1888	1096	PsfLauncher32.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsfLauncher32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PsfLauncher32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3792	PsfLauncher32.exe
1096	PsfLauncher32.exe
1096	PsfLauncher32.exe
1888	cmd.exe
1888	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1096	PsfLauncher32.exe
1888	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 1096	3792	PsfLauncher32.exe	85
PID 3792 wrote to memory of 1096	3792	PsfLauncher32.exe	85
PID 3792 wrote to memory of 1096	3792	PsfLauncher32.exe	85
PID 1096 wrote to memory of 1888	1096	PsfLauncher32.exe	86
PID 1096 wrote to memory of 1888	1096	PsfLauncher32.exe	86
PID 1096 wrote to memory of 1888	1096	PsfLauncher32.exe	86
PID 1096 wrote to memory of 1888	1096	PsfLauncher32.exe	86
PID 1888 wrote to memory of 3284	1888	cmd.exe	101
PID 1888 wrote to memory of 3284	1888	cmd.exe	101
PID 1888 wrote to memory of 3284	1888	cmd.exe	101
PID 1888 wrote to memory of 3284	1888	cmd.exe	101
PID 1888 wrote to memory of 3284	1888	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\PsfLauncher32.exe
"C:\Users\Admin\AppData\Local\Temp\PsfLauncher32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Roaming\OKNService\PsfLauncher32.exe
  C:\Users\Admin\AppData\Roaming\OKNService\PsfLauncher32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d772146

Filesize
1023KB

MD5
57c28e74d2fa37136b87569870d2da47

SHA1
311be10c8344cb4f3bdf056e4fad730a2a368be5

SHA256
132583eb330704eb878430e090f736b897fa36d5cc47aca5135c141ce34dc84c

SHA512
9651220d8d35c741c49ec589d39d9d89543fc1cafd0a08c0488bc2fca1a93c16f63671e3aba1d3a96763eadd57c3c97731135c5dd152d55549b80adc2cfa7d15

Download Submit
C:\Users\Admin\AppData\Roaming\OKNService\PsfLauncher32.exe

Filesize
409KB

MD5
bbfa1775487c17383c10899ab8f9de7b

SHA1
004724f3dde5ca8b5b51d2436b04898567d5dbcf

SHA256
49e941b4c194bb97db10466d29c7dfc4b557b70913b43acc21d2572a936970f4

SHA512
ab774c1c341350b54d3aefe9f0e2ed7048d714409c4e148eb26738a255fdaf0c402e07b17086b73bba724bd3916722cd93e730a0c878d511533289d78632200e

Download Submit
C:\Users\Admin\AppData\Roaming\OKNService\PsfRuntime32.dll

Filesize
348KB

MD5
2f930c4a4290be73802a5d650d613203

SHA1
fd98498a18edba028b4f590e7bd618ab7790391d

SHA256
e4ed1603a409bbfe6b6cb2aed7bac31b4c2812011aed11622fe6a00128f8a3e7

SHA512
5369b746856059da218e757bee86436c7c53828cccb7931245e8a96a6429eee6cc884103ee4b1ef678a595ff889933b22e938154b5a31e425340c7845a57b247

Download Submit
C:\Users\Admin\AppData\Roaming\OKNService\capitulary.wma

Filesize
783KB

MD5
aae8d1be7e27e9e67d21182bb6187dec

SHA1
e34c18c6a3f1b3501c4e986167a6cae819f7b69e

SHA256
c30852584dc13abe0b412668fa539651a0bbd9f96eb4b1a262c5db2509452509

SHA512
132429f04f07024f5e262abbd641676040db5149ee9bebca42dff0420807e0f0f56d51de034d77b554c90c6351b977f585de17d1db57540ebe5f499087a36dba

Download Submit
C:\Users\Admin\AppData\Roaming\OKNService\threepiece.zip

Filesize
41KB

MD5
f5b53d748a52cb9e8ac03495d4ad4a65

SHA1
f44d112bc5417f697057b03c307e9a4bf745d87e

SHA256
543de0764080883065f0fef2e20835d89115f4caac7e9cc4c4a56f97fc24f28d

SHA512
713ebfe302e76d38f24b7a07fe6f787c1b65bf5a3f615e87d36408464a9e40ca3f511405cea0e4674c0881a7c288232fd234bfaf1791475d21c98c54b177f8fe

Download Submit
memory/1096-17-0x0000000074B30000-0x0000000074CAB000-memory.dmp

Filesize
1.5MB

Download
memory/1096-13-0x0000000074B30000-0x0000000074CAB000-memory.dmp

Filesize
1.5MB

Download
memory/1096-14-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

Filesize
2.0MB

Download
memory/1096-15-0x0000000074B43000-0x0000000074B45000-memory.dmp

Filesize
8KB

Download
memory/1096-16-0x0000000074B30000-0x0000000074CAB000-memory.dmp

Filesize
1.5MB

Download
memory/1888-23-0x0000000074B30000-0x0000000074CAB000-memory.dmp

Filesize
1.5MB

Download
memory/1888-20-0x0000000074B30000-0x0000000074CAB000-memory.dmp

Filesize
1.5MB

Download
memory/1888-21-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

Filesize
2.0MB

Download
memory/1888-22-0x0000000074B30000-0x0000000074CAB000-memory.dmp

Filesize
1.5MB

Download
memory/1888-27-0x0000000074B30000-0x0000000074CAB000-memory.dmp

Filesize
1.5MB

Download
memory/3284-28-0x0000000000D80000-0x0000000000DD8000-memory.dmp

Filesize
352KB

Download
memory/3284-29-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

Filesize
2.0MB

Download
memory/3284-30-0x0000000000D80000-0x0000000000DD8000-memory.dmp

Filesize
352KB

Download
memory/3792-1-0x00007FFAB8B90000-0x00007FFAB8D85000-memory.dmp

Filesize
2.0MB

Download
memory/3792-0-0x0000000074B30000-0x0000000074CAB000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing