lumma | d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30

Analysis

max time kernel
93s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QGFQTHIU.exe
Size

5.4MB
MD5

6e3dc1be717861da3cd7c57e8a1e3911
SHA1

767e39aa9f02592d4234f38a21ea9a0e5aa66c62
SHA256

d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
SHA512

da91742e1494c027616e114e42d3333d61eda91379f6ad2ba415dc39e0b5165a25498d60537b3cb12a49267c306dfbec87d3af528e27abc9946cd5fda6b129c1
SSDEEP

98304:UK/ZoaSs+bgcPlK+rSN2xeELJ4g1x3+FbdYapMDrEPxiJVwJyHLcnP6WfwCA+D://uVs+bH9K+OGeIBSHqDIPI7WOLyyWfF

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 3 IoCs

pid	Process
4868	QGFQTHIU.exe
2036	msn.exe
1500	msn.exe

Loads dropped DLL 7 IoCs

pid	Process
4868	QGFQTHIU.exe
2036	msn.exe
2036	msn.exe
2036	msn.exe
1500	msn.exe
1500	msn.exe
1500	msn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 4608	1500	msn.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2036	msn.exe
1500	msn.exe
1500	msn.exe
4608	cmd.exe
4608	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1500	msn.exe
4608	cmd.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 4868	1472	QGFQTHIU.exe	82
PID 1472 wrote to memory of 4868	1472	QGFQTHIU.exe	82
PID 4868 wrote to memory of 2036	4868	QGFQTHIU.exe	83
PID 4868 wrote to memory of 2036	4868	QGFQTHIU.exe	83
PID 4868 wrote to memory of 2036	4868	QGFQTHIU.exe	83
PID 2036 wrote to memory of 1500	2036	msn.exe	84
PID 2036 wrote to memory of 1500	2036	msn.exe	84
PID 2036 wrote to memory of 1500	2036	msn.exe	84
PID 1500 wrote to memory of 4608	1500	msn.exe	85
PID 1500 wrote to memory of 4608	1500	msn.exe	85
PID 1500 wrote to memory of 4608	1500	msn.exe	85
PID 1500 wrote to memory of 4608	1500	msn.exe	85
PID 4608 wrote to memory of 2436	4608	cmd.exe	96
PID 4608 wrote to memory of 2436	4608	cmd.exe	96
PID 4608 wrote to memory of 2436	4608	cmd.exe	96
PID 4608 wrote to memory of 2436	4608	cmd.exe	96
PID 4608 wrote to memory of 2436	4608	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe
"C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\TEMP\{83696744-26A2-45A2-A85B-42AE1C997D07}\.cr\QGFQTHIU.exe
  "C:\Windows\TEMP\{83696744-26A2-45A2-A85B-42AE1C997D07}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe" -burn.filehandle.attached=596 -burn.filehandle.self=564
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\TEMP\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\msn.exe
    C:\Windows\TEMP\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\msn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
      C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4608
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bb11481

Filesize
1.0MB

MD5
558d4f97364fe2953cba2660d8d7d00c

SHA1
e4e59251b6d1e7449b010ca28b38ecdaa0c29d00

SHA256
01bbf6e73bdae7bdb8b171adb1c507e4dc70ad1ce09e8c86a7c1fbd9758dcf9b

SHA512
af84155d4f09c611b6bb8096fbb1ea2d7fcacf3603164b7f55743352cb07e0bd0afe5a84a43134ec03a94dc1985f89b072fe7fe0829a3daca3a8afba616d55c9

Download Submit
C:\Windows\TEMP\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\MSNCore.dll

Filesize
982KB

MD5
ac97328f67d0877e526fb6ac131bf4be

SHA1
9f61ffe3f3ca2463929bfea3292ffe9ca003af18

SHA256
f73e3f3d3fea1a556b8a91680c13b3969136c2abdf9121604b9389bdd1fc58e9

SHA512
d0ac3def81d5def886a2655d61ec6a5481157c4f0d9440df2c175725960f0e06021cd5e43705db0b864760af983d7c6e8d578f086612d0da8c28e4bcc9cfa705

Download Submit
C:\Windows\TEMP\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\bray.xls

Filesize
799KB

MD5
ab2b9ef9cc48c63955a738881a8ca4cc

SHA1
28e5484e1d3cf98d56f764eed95a437c11621a86

SHA256
13177433700e91c2efaf3ec155efe30c1d53f9b5a1fd65e7931c789bf65ffb91

SHA512
7678e02a465c90feaff16d4eeca8e823b5e5289ba86746323bb0323dc9381260a1501da3288c2d358fac5caef950d361256ebbf15aa22fce3b490c3f863c316e

Download Submit
C:\Windows\TEMP\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\cerebrotonia.aspx

Filesize
54KB

MD5
9982438cc8eb86ab120ef0a8241f8efc

SHA1
132ed9d13d612bc11ea45bcc8b25e5536e488d08

SHA256
c777b4d375643b20887e8b3dced8eb53d8dae98b94cfca4107da9f446b297e82

SHA512
3e2e816f61b6cbf19556ed4d5690a04ce74b994f9fe684bf29d2ee8078f0254b7a1b905b1f01d4c59977d32b63ce9062eea7c71048851eed164e1b5d70e6abe7

Download Submit
C:\Windows\TEMP\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\msidcrl40.dll

Filesize
791KB

MD5
ef66829b99bbfc465b05dc7411b0dcfa

SHA1
c6f6275f92053b4b9fa8f2738ed3e84f45261503

SHA256
257e6489f5b733f2822f0689295a9f47873be3cec5f4a135cd847a2f2c82a575

SHA512
6839b7372e37e67c270a4225f91df21f856158a292849da2101c2978ce37cd08b75923ab30ca39d7360ce896fc6a2a2d646dd88eb2993cef612c43a475fdb2ea

Download Submit
C:\Windows\TEMP\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Windows\Temp\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\Celesta.dll

Filesize
1.4MB

MD5
dad4d39ac979cf5c545116b4f459e362

SHA1
54632d73df4ddf43ab38ed66c00989ee55569f7d

SHA256
c63054e681f9acbec7e12a8ba691bc3657e3279825734517929ccd9f1e43db4d

SHA512
cb81c2a457d7a65a52a0cc03161308aeaa1e39b4cdaeb16e70dfefbe79212d015674e6662bf9d0edbb95a7d4de8b33d0dfdb9da3d214e537cf557f042362811d

Download Submit
C:\Windows\Temp\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\contactsUX.dll

Filesize
331KB

MD5
54ee6a204238313dc6aca21c7e036c17

SHA1
531fd1c18e2e4984c72334eb56af78a1048da6c7

SHA256
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

SHA512
19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

Download Submit
C:\Windows\Temp\{30555DC0-B8BE-40FD-BB56-8BFCF20F5E5E}\.ba\msn.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
C:\Windows\Temp\{83696744-26A2-45A2-A85B-42AE1C997D07}\.cr\QGFQTHIU.exe

Filesize
4.8MB

MD5
74302d09606255cb10a7df3a744e6908

SHA1
c64b9de79b68cdd0531219c8be07110caee014bc

SHA256
b040fd107e566c5e4bbd3d84fc51ae33d393fd3a03b33d07772733e36a2eb25d

SHA512
451c91b9b8454755c5a816f88c99b42e228ec21d4ab36938daa72e49b1490e93df6d28c53f6e3f1d97b21cb747714966c144928e141c481e10550b3c7eaea961

Download Submit
memory/1500-49-0x0000000073AF0000-0x0000000073C6B000-memory.dmp

Filesize
1.5MB

Download
memory/1500-50-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp

Filesize
2.0MB

Download
memory/1500-51-0x0000000073AF0000-0x0000000073C6B000-memory.dmp

Filesize
1.5MB

Download
memory/2036-28-0x0000000073AF0000-0x0000000073C6B000-memory.dmp

Filesize
1.5MB

Download
memory/2036-29-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp

Filesize
2.0MB

Download
memory/2436-61-0x0000000000450000-0x00000000004AC000-memory.dmp

Filesize
368KB

Download
memory/2436-62-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp

Filesize
2.0MB

Download
memory/2436-63-0x0000000000450000-0x00000000004AC000-memory.dmp

Filesize
368KB

Download
memory/4608-54-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp

Filesize
2.0MB

Download
memory/4608-56-0x0000000073AF0000-0x0000000073C6B000-memory.dmp

Filesize
1.5MB

Download