lumma | e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1

General

Target

2b8bcef4db3812c27d540f4cc146879a.exe
Size

44KB
MD5

2b8bcef4db3812c27d540f4cc146879a
SHA1

fe5dba4ff84a9f4b8eb409d15c69d74bd48fe8d7
SHA256

e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1
SHA512

1688d760b33bd4588b2f3aee94db8a32ff2fe5c390ddc1e868f101bb776e2c5055e67f6564dc66ae96d134768f31159f839e58df1669b9e2c3f9e93b712bd6cb
SSDEEP

768:Srn01NSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fehnXn:Sr01N7aeGEk+11Tu9AnQVLNppvk9RN4s

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3440	1700	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b8bcef4db3812c27d540f4cc146879a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4944	2b8bcef4db3812c27d540f4cc146879a.exe
4944	2b8bcef4db3812c27d540f4cc146879a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	2b8bcef4db3812c27d540f4cc146879a.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4084	4944	2b8bcef4db3812c27d540f4cc146879a.exe	85
PID 4944 wrote to memory of 4084	4944	2b8bcef4db3812c27d540f4cc146879a.exe	85
PID 4944 wrote to memory of 4084	4944	2b8bcef4db3812c27d540f4cc146879a.exe	85
PID 4084 wrote to memory of 1776	4084	csc.exe	87
PID 4084 wrote to memory of 1776	4084	csc.exe	87
PID 4084 wrote to memory of 1776	4084	csc.exe	87
PID 4944 wrote to memory of 3508	4944	2b8bcef4db3812c27d540f4cc146879a.exe	88
PID 4944 wrote to memory of 3508	4944	2b8bcef4db3812c27d540f4cc146879a.exe	88
PID 4944 wrote to memory of 3508	4944	2b8bcef4db3812c27d540f4cc146879a.exe	88
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89
PID 4944 wrote to memory of 1700	4944	2b8bcef4db3812c27d540f4cc146879a.exe	89

C:\Users\Admin\AppData\Local\Temp\2b8bcef4db3812c27d540f4cc146879a.exe
"C:\Users\Admin\AppData\Local\Temp\2b8bcef4db3812c27d540f4cc146879a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0m51ynsh\0m51ynsh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A4C.tmp" "c:\Users\Admin\AppData\Local\Temp\0m51ynsh\CSCA816EA723B2C4DECB0A0B749332DB8A5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:3508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 556
    3⤵
    - Program crash
    PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0m51ynsh\0m51ynsh.dll

Filesize
8KB

MD5
170aa085b91f3a2bf13b32517bdb39d3

SHA1
4bb02c4f4647db4de9e02e9b0c772dea95ba9366

SHA256
83e4a566e860208993ece747cb62df52ee1bc049b1e6c020fc80d73837a48377

SHA512
c6a15ffb209464b2c0684dbc910f9885d3eaff21b10b71584984dbe4f00a8ff25244addcdda25641debc71c556790a665eadfbaa975d43998ee8023d55cb3a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A4C.tmp

Filesize
1KB

MD5
c9e75710c7ae2c6c29621a7c05ea640b

SHA1
48015cba3e36feeb260e364f670600382ab95209

SHA256
efb185ec2996d15b7769b12e0b6ee3e0370f0fe346e0233dc8e8c1c91b82c45a

SHA512
a6865d24ebfd20d15ad3a053c8502a30fc4672d627f184f0e6c02bcc590e58c6f80442b4de66b21853fa8051c3ef37ca1d187c13a3ca22d2f262861b33fad649

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0m51ynsh\0m51ynsh.0.cs

Filesize
10KB

MD5
b022c6fe4494666c8337a975d175c726

SHA1
8197d4a993e7547d19d7b067b4d28ebe48329793

SHA256
d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

SHA512
df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0m51ynsh\0m51ynsh.cmdline

Filesize
204B

MD5
ac40b8dc84564b033c6dc55848958bea

SHA1
f20d3622867dcdd56d49a5ffc9e65417b9d64f1d

SHA256
294dd75e4c855193a9aa20004ac2f75d91c8159c93a9a1e0b4c8914c82f66c24

SHA512
04ac167f2e91418116baab19e0b98f0ba69fb63ec0fc96bfaab7f215a5ba2fd0d3722e84f8c4488999cfa66606a834d1cd2d89f122aab2dfda9cc58963e3e745

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0m51ynsh\CSCA816EA723B2C4DECB0A0B749332DB8A5.TMP

Filesize
652B

MD5
7d88b79e7c3b1702072913518f0b3456

SHA1
2b000331e8ee11e24f3b799d0d6485d0b653acf1

SHA256
2d0a7772a4029a013b6962c083c7346bc72fcb5ab4e13ce3b86331c928792f64

SHA512
a6a553498a6161bbf68c61fdbda23dd18914e948022f37a55f70fa41dd6c622377ff5e3b6048aae608ebe34688f25cbb54e451ac0ab55e9a7b019cb9798c0987

Download Submit
memory/1700-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1700-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1700-20-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4944-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/4944-2-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-1-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/4944-15-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/4944-23-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing