lumma | e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1

General

Target

2b8bcef4db3812c27d540f4cc146879a.exe
Size

44KB
MD5

2b8bcef4db3812c27d540f4cc146879a
SHA1

fe5dba4ff84a9f4b8eb409d15c69d74bd48fe8d7
SHA256

e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1
SHA512

1688d760b33bd4588b2f3aee94db8a32ff2fe5c390ddc1e868f101bb776e2c5055e67f6564dc66ae96d134768f31159f839e58df1669b9e2c3f9e93b712bd6cb
SSDEEP

768:Srn01NSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fehnXn:Sr01N7aeGEk+11Tu9AnQVLNppvk9RN4s

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2296	2960	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b8bcef4db3812c27d540f4cc146879a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	2b8bcef4db3812c27d540f4cc146879a.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2488	2584	2b8bcef4db3812c27d540f4cc146879a.exe	30
PID 2584 wrote to memory of 2488	2584	2b8bcef4db3812c27d540f4cc146879a.exe	30
PID 2584 wrote to memory of 2488	2584	2b8bcef4db3812c27d540f4cc146879a.exe	30
PID 2584 wrote to memory of 2488	2584	2b8bcef4db3812c27d540f4cc146879a.exe	30
PID 2488 wrote to memory of 2124	2488	csc.exe	32
PID 2488 wrote to memory of 2124	2488	csc.exe	32
PID 2488 wrote to memory of 2124	2488	csc.exe	32
PID 2488 wrote to memory of 2124	2488	csc.exe	32
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2584 wrote to memory of 2960	2584	2b8bcef4db3812c27d540f4cc146879a.exe	33
PID 2960 wrote to memory of 2296	2960	RegAsm.exe	34
PID 2960 wrote to memory of 2296	2960	RegAsm.exe	34
PID 2960 wrote to memory of 2296	2960	RegAsm.exe	34
PID 2960 wrote to memory of 2296	2960	RegAsm.exe	34

C:\Users\Admin\AppData\Local\Temp\2b8bcef4db3812c27d540f4cc146879a.exe
"C:\Users\Admin\AppData\Local\Temp\2b8bcef4db3812c27d540f4cc146879a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ol04xxvx\ol04xxvx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB22F.tmp" "c:\Users\Admin\AppData\Local\Temp\ol04xxvx\CSCE691C030863484A81EA6E99F4DED07B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 252
    3⤵
    - Program crash
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB22F.tmp

Filesize
1KB

MD5
7dd6784e149c706faaef0c6c8d935081

SHA1
c20f0cfc35d9dd0eba36a7214d0cfe8a529054b2

SHA256
419307571ce5389fe119be7eac5d1816e32354a2d79cb7290a45ac5b9db2077c

SHA512
e7f13a678b33c41e7a540a9d7c42e7f8708c0d5808b7be6be238555313e973a8088722ab20680ff08b9688998f9c2c7e9555f1916c28c06c509e3c4b42f52df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ol04xxvx\ol04xxvx.dll

Filesize
8KB

MD5
5791e63dd39f9f26b3289823552d62ae

SHA1
5eb233249d31ec1958ba82feebd3c39f10f2716e

SHA256
263f697095eacd908592023b67f9cb56fdcf995b66966896f1bf14e14ab923ab

SHA512
2ab9691b278f2c2c984a288548af4a61990bc4eb70428c3c3316516af1020d25f1b53fc1544a4f2ebe411292576777e919b827bbdb6b66a3e5211a2e2adac5e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ol04xxvx\CSCE691C030863484A81EA6E99F4DED07B.TMP

Filesize
652B

MD5
7cb5578b653c15835d298ec44dd40c12

SHA1
e4ca12b8a2a93b62aa28ab5a7da49250a3d53b2a

SHA256
d50b4ccf2e338b9f8afeb68ad23928eb123b94603cf2010b509ae2b358add2c2

SHA512
c5e16a06228040d75b5da1d1fdcc7090ad16e8b2dd27a3b90135f6cc8ffcef4a5495ecd160b152b919a033f2b2c02c1acfa6bef0fac788bc9548c05d43c14ba5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ol04xxvx\ol04xxvx.0.cs

Filesize
10KB

MD5
b022c6fe4494666c8337a975d175c726

SHA1
8197d4a993e7547d19d7b067b4d28ebe48329793

SHA256
d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

SHA512
df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ol04xxvx\ol04xxvx.cmdline

Filesize
204B

MD5
633e2c7b6f5378719180ec96ee37375b

SHA1
09dcab60f76d1118a4adbfebbc80ab4447044ec3

SHA256
a23e0242088fd94a18cf25ca6c16466ee1b71a8c89a844696571a6ef81063b3e

SHA512
f18b84875623c7945326e9fff4b4719a62ac4479b391e167a238cc88b10584e8387b1d03989bd0557ed37d863380dda768c624d08c656c95ca3304ed12afde4e

Download Submit
memory/2584-15-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/2584-2-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-1-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/2584-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/2584-30-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-20-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-19-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-18-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2960-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing