lumma | e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1

General

Target

e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe
Size

44KB
MD5

2b8bcef4db3812c27d540f4cc146879a
SHA1

fe5dba4ff84a9f4b8eb409d15c69d74bd48fe8d7
SHA256

e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1
SHA512

1688d760b33bd4588b2f3aee94db8a32ff2fe5c390ddc1e868f101bb776e2c5055e67f6564dc66ae96d134768f31159f839e58df1669b9e2c3f9e93b712bd6cb
SSDEEP

768:Srn01NSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fehnXn:Sr01N7aeGEk+11Tu9AnQVLNppvk9RN4s

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3764	1940	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4348	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	83
PID 2040 wrote to memory of 4348	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	83
PID 2040 wrote to memory of 4348	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	83
PID 4348 wrote to memory of 4560	4348	csc.exe	85
PID 4348 wrote to memory of 4560	4348	csc.exe	85
PID 4348 wrote to memory of 4560	4348	csc.exe	85
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86
PID 2040 wrote to memory of 1940	2040	e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe	86

C:\Users\Admin\AppData\Local\Temp\e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe
"C:\Users\Admin\AppData\Local\Temp\e3fc82016d019a3879b3ebace9b949bc38212447e3d1775e618a57ef982b41a1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yeihptjz\yeihptjz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9616.tmp" "c:\Users\Admin\AppData\Local\Temp\yeihptjz\CSC536F80658D6B40A8B7F12FE8EAD32662.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 568
    3⤵
    - Program crash
    PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1940 -ip 1940
1⤵
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9616.tmp

Filesize
1KB

MD5
a5b39664706cf13cbb0118e3e4ade67d

SHA1
dfd2460905743d0d6bcb54098b6797bb3e9dd927

SHA256
8ba9ee497327f4a5ae2b897494182c0c9772b4adccc26a6858b38b5a8ff27022

SHA512
e9f5a1346b921452ee7d07dc062fce366a2f55132595b3fd83212440e512a71a4cb989143eea74a35d0979db48ddcc42e6f4200e764e5a3d59286b4365333e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeihptjz\yeihptjz.dll

Filesize
8KB

MD5
abf07749fad829f6447a8e2fadd7652e

SHA1
b2253ebd9314720d216928f48580671cced886c3

SHA256
c85037423f6a8e5b53cf563c45f9dc00a05237c748a12eef8e1a5fcb7114ac20

SHA512
5800976238d6c1c2402192279c62f0d1b5ab1d5eaad5530698153d0847d4d2c3f3fabbae58a2c932723615816179f6b887e482066e051a4bcc390058b922e749

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yeihptjz\CSC536F80658D6B40A8B7F12FE8EAD32662.TMP

Filesize
652B

MD5
b2b6912bfde25cb4ee0daa79c1e8540d

SHA1
833547ecdb783d034cb6dab8900d0a51df642466

SHA256
460f2d3675d1397283d1dd273d6d6db59a0265d70545fe74cfdbb0146e7ba02a

SHA512
e14ccede124f9c6e395c3e8533982f650a824db2d1abf6719d00d7a5f940e0f4a60df66843376ee5c0e32eac0ed6334aebdd42cad0dfb16b1d716470d83505d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yeihptjz\yeihptjz.0.cs

Filesize
10KB

MD5
b022c6fe4494666c8337a975d175c726

SHA1
8197d4a993e7547d19d7b067b4d28ebe48329793

SHA256
d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

SHA512
df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yeihptjz\yeihptjz.cmdline

Filesize
204B

MD5
9e7b9898fd66782c060f3fcea3b95d92

SHA1
cfdfda70e352d2de2a9f9c480d38d0715298b3a9

SHA256
260f0043556368ba296aa702c13da11af0144f47b82f096f326037198fc06d91

SHA512
f649c663d1d85647492ef78c55bf002d7a8d48d544417b5aa4a98abc24407df5344540471a0d6753f88f147cb42b675d89debda8d3707c615a0c9d76c7e37c79

Download Submit
memory/1940-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1940-20-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1940-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2040-0-0x000000007508E000-0x000000007508F000-memory.dmp

Filesize
4KB

Download
memory/2040-2-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/2040-1-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2040-15-0x00000000057C0000-0x00000000057C8000-memory.dmp

Filesize
32KB

Download
memory/2040-23-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing