lumma | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

lumma njrat quasar office04 sgvp discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

4.tcp.us-cal-1.ngrok.io:18092

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

lumma

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b96-10.dat	family_quasar
behavioral2/memory/3176-18-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar
behavioral2/files/0x0013000000023bc8-33.dat	family_quasar
behavioral2/memory/1112-40-0x0000000000F60000-0x0000000001284000-memory.dmp	family_quasar

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4620	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 7 IoCs

pid	Process
3176	lmao.exe
624	Client.exe
1112	SGVP%20Client%20program.exe
2024	ExtremeInjector.exe
4736	CrazyCoach.exe
3768	Server.exe
4292	server.exe

Loads dropped DLL 1 IoCs

pid	Process
2024	ExtremeInjector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
86	4.tcp.us-cal-1.ngrok.io
30	raw.githubusercontent.com
31	raw.githubusercontent.com
34	4.tcp.us-cal-1.ngrok.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 5016	2024	ExtremeInjector.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrazyCoach.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExtremeInjector.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
244	schtasks.exe
964	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	4363463463464363463463463.exe
Token: SeDebugPrivilege	3176	lmao.exe
Token: SeDebugPrivilege	624	Client.exe
Token: SeDebugPrivilege	1112	SGVP%20Client%20program.exe
Token: SeDebugPrivilege	4292	server.exe
Token: 33	4292	server.exe
Token: SeIncBasePriorityPrivilege	4292	server.exe
Token: 33	4292	server.exe
Token: SeIncBasePriorityPrivilege	4292	server.exe
Token: 33	4292	server.exe
Token: SeIncBasePriorityPrivilege	4292	server.exe
Token: 33	4292	server.exe
Token: SeIncBasePriorityPrivilege	4292	server.exe
Token: 33	4292	server.exe
Token: SeIncBasePriorityPrivilege	4292	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
624	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
624	Client.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
624	Client.exe
4736	CrazyCoach.exe
4736	CrazyCoach.exe
4736	CrazyCoach.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3176	3240	4363463463464363463463463.exe	90
PID 3240 wrote to memory of 3176	3240	4363463463464363463463463.exe	90
PID 3176 wrote to memory of 244	3176	lmao.exe	91
PID 3176 wrote to memory of 244	3176	lmao.exe	91
PID 3176 wrote to memory of 624	3176	lmao.exe	93
PID 3176 wrote to memory of 624	3176	lmao.exe	93
PID 624 wrote to memory of 964	624	Client.exe	94
PID 624 wrote to memory of 964	624	Client.exe	94
PID 3240 wrote to memory of 1112	3240	4363463463464363463463463.exe	98
PID 3240 wrote to memory of 1112	3240	4363463463464363463463463.exe	98
PID 3240 wrote to memory of 2024	3240	4363463463464363463463463.exe	99
PID 3240 wrote to memory of 2024	3240	4363463463464363463463463.exe	99
PID 3240 wrote to memory of 2024	3240	4363463463464363463463463.exe	99
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 2024 wrote to memory of 5016	2024	ExtremeInjector.exe	101
PID 3240 wrote to memory of 4736	3240	4363463463464363463463463.exe	102
PID 3240 wrote to memory of 4736	3240	4363463463464363463463463.exe	102
PID 3240 wrote to memory of 4736	3240	4363463463464363463463463.exe	102
PID 3240 wrote to memory of 3768	3240	4363463463464363463463463.exe	103
PID 3240 wrote to memory of 3768	3240	4363463463464363463463463.exe	103
PID 3240 wrote to memory of 3768	3240	4363463463464363463463463.exe	103
PID 3768 wrote to memory of 4292	3768	Server.exe	104
PID 3768 wrote to memory of 4292	3768	Server.exe	104
PID 3768 wrote to memory of 4292	3768	Server.exe	104
PID 4292 wrote to memory of 4620	4292	server.exe	105
PID 4292 wrote to memory of 4620	4292	server.exe	105
PID 4292 wrote to memory of 4620	4292	server.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\Files\lmao.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lmao.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:244
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:964
- C:\Users\Admin\AppData\Local\Temp\Files\SGVP%20Client%20program.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SGVP%20Client%20program.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
- C:\Users\Admin\AppData\Local\Temp\Files\CrazyCoach.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\CrazyCoach.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CrazyCoach.exe

Filesize
3.0MB

MD5
3856ef6ff4240222fc69ad7c5c7510a0

SHA1
53f027db2bdb4713bbeb4bc575b2b58b5533ada6

SHA256
59527dad3efdaed76dada214e81b0aa884f0821c86883e27c68fb45fd4e66150

SHA512
2475c6e90280a449ec34f34bf1121695b474d203f80e6266137982f6e9e72557bca65b1f7879179e798bc843e1fb90710edc0297b86241adefa3a094ae723573

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe

Filesize
550KB

MD5
ee6be1648866b63fd7f860fa0114f368

SHA1
42cab62fff29eb98851b33986b637514fc904f4b

SHA256
e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

SHA512
d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SGVP%20Client%20program.exe

Filesize
3.1MB

MD5
1ece671b499dd687e3154240e73ff8a0

SHA1
f66daf528e91d1d0050f93ad300447142d8d48bc

SHA256
c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

SHA512
0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Server.exe

Filesize
23KB

MD5
a7a2022d715b3ecb85ea55de936f011b

SHA1
0200512447f2e95d1675b1833d008ea4a7ddaa94

SHA256
d5eaaa22cd69c6ddf1da7b0c8bd0cabbcda679810ed2d95839c08244235fbf81

SHA512
7a0910ef562cb5936ab94fa94dce05eec2d6add7d6c3be3e8ad79a9710bc4fc283aec2d2f20dc6d4b0d641df5a8b1e368e6438f8e04c8f24a61b262d60ce5901

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lmao.exe

Filesize
3.1MB

MD5
942d7d99678d584c4481278378741d51

SHA1
97efb624cfa34da0c5583e61a5982fd496de8e2d

SHA256
4119dedd1d6408f80505394a374cde76124a736913f958c878f54c16c98986e3

SHA512
0c1798628d5c90eaa6cf54277ab917408b5921e4f39ece0505510d9b7241df6748a365bc2a0a1cdaa24771f4ac56a9973a6515a0e32a14a66a9ed98c2871dfba

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
642KB

MD5
9bc424be13dca227268ab018dca9ef0c

SHA1
f6f42e926f511d57ef298613634f3a186ec25ddc

SHA256
59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

SHA512
70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

Download Submit
memory/624-27-0x000000001C8E0000-0x000000001C930000-memory.dmp

Filesize
320KB

Download
memory/624-28-0x000000001C9F0000-0x000000001CAA2000-memory.dmp

Filesize
712KB

Download
memory/1112-40-0x0000000000F60000-0x0000000001284000-memory.dmp

Filesize
3.1MB

Download
memory/2024-52-0x00000000002A0000-0x0000000000330000-memory.dmp

Filesize
576KB

Download
memory/3176-26-0x00007FFB09B30000-0x00007FFB0A5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3176-19-0x00007FFB09B30000-0x00007FFB0A5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3176-18-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download
memory/3176-17-0x00007FFB09B33000-0x00007FFB09B35000-memory.dmp

Filesize
8KB

Download
memory/3240-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/3240-5-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3240-4-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/3240-3-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3240-2-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/3240-1-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/5016-59-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5016-61-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads