lumma | 5dccb71a2904aac46581cc3069a702613cfb0047633b8e584d62de62dc379575

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DBDownloader.exe
Size

823KB
MD5

a3ccc65ae7d39d213250443588731af9
SHA1

489b07237cf951faca46c6f525d9c436957347f2
SHA256

75542249fc08f4392189a0807595f18580aa17487530bc5527bf928a0b78146c
SHA512

c286e9aef914f008f31de8ce39c7861b8d26459a675d9a17dac80ab3db82e5d3edb04c4382c0c3ef2669a42a0c7867c7399d399d18d9cb154fa7f01111ef702f
SSDEEP

24576:zJDclNQn4W0luDOmFwhdDh2TK+uLfplhyEXwC:tDvTVT94Rrx

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://joyoushammen.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 2456	2984	DBDownloader.exe	31

Executes dropped EXE 1 IoCs

pid	Process
2984	DBDownloader.exe

Loads dropped DLL 7 IoCs

pid	Process
2100	DBDownloader.exe
2984	DBDownloader.exe
2984	DBDownloader.exe
2984	DBDownloader.exe
2984	DBDownloader.exe
2984	DBDownloader.exe
2984	DBDownloader.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2100	DBDownloader.exe
2984	DBDownloader.exe
2984	DBDownloader.exe
2456	cmd.exe
2456	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2984	DBDownloader.exe
2456	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2984	2100	DBDownloader.exe	30
PID 2100 wrote to memory of 2984	2100	DBDownloader.exe	30
PID 2100 wrote to memory of 2984	2100	DBDownloader.exe	30
PID 2100 wrote to memory of 2984	2100	DBDownloader.exe	30
PID 2984 wrote to memory of 2456	2984	DBDownloader.exe	31
PID 2984 wrote to memory of 2456	2984	DBDownloader.exe	31
PID 2984 wrote to memory of 2456	2984	DBDownloader.exe	31
PID 2984 wrote to memory of 2456	2984	DBDownloader.exe	31
PID 2984 wrote to memory of 2456	2984	DBDownloader.exe	31
PID 2456 wrote to memory of 2768	2456	cmd.exe	34
PID 2456 wrote to memory of 2768	2456	cmd.exe	34
PID 2456 wrote to memory of 2768	2456	cmd.exe	34
PID 2456 wrote to memory of 2768	2456	cmd.exe	34
PID 2456 wrote to memory of 2768	2456	cmd.exe	34
PID 2456 wrote to memory of 2768	2456	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\DBDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\DBDownloader.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\DBDownloader.exe
  C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\DBDownloader.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a5019baf

Filesize
1.0MB

MD5
06ff169b26b628310fa544fb399f4f04

SHA1
2444b9f8c1d3114aa291ba6cf2d35e098630e9be

SHA256
8dba87a79e6b35f491f27194119916335e5e27efff4f5b225a98672e251da544

SHA512
3a4c3936f28cafca39389e369497f875407633cdcc7af8156d4a703cadcb27f00a305d6f5669faca9738742f4db61d42bbf3a03c3c55bef8cced86fb00c0e815

Download Submit
C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\madExcept_.bpl

Filesize
437KB

MD5
e8818a6b32f06089d5b6187e658684ba

SHA1
7d4f34e3a309c04df8f60e667c058e84f92db27a

SHA256
91ee84d5ab6d3b3de72a5cd74217700eb1309959095214bd2c77d12e6af81c8e

SHA512
d00ecf234cb642c4d060d15f74e4780fc3834b489516f7925249df72747e1e668c4ac66c6cc2887efde5a9c6604b91a688ba37c2a3b13ee7cf29ed7adcfa666d

Download Submit
C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\phantasy.mpg

Filesize
799KB

MD5
9a5596e64ea7b45118f7158066465da2

SHA1
688b9b2658019d0c7bfb83e53dc8aa8a53d9af62

SHA256
7ef9fa337554ab75e851db480f42cba199fe2bc8f5bc88c2dad7ce7db537a206

SHA512
e445bbac29bfcc55aa6a2cf7516d27a8b4dc1d227386ed4d7643cfdb01d8ac5a266a8da3fffc506f4f0f140aa0d474d44fcd83c37cf23a92c2612549854f787c

Download Submit
C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\sciurine.txt

Filesize
57KB

MD5
675a0a5e2f499c09d1f6f596957ad38a

SHA1
0143e96121a575da782a7efda3e1f49621435ba8

SHA256
ede137fab2655320b0b62e5d789f1dc5f6d8c424b37f1efd76462346a430f6da

SHA512
69a5d7e5abc717b8de539ab0c1e898396f73cd27bbe51d3c7e7605076fbac7fbf90149e247b9dad61f58ad1ff8e6b0514ccdf261ef4f7b3fc15e77c8096fed33

Download Submit
C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
\Users\Admin\AppData\Roaming\PatchDownload_debugv5\DBDownloader.exe

Filesize
823KB

MD5
a3ccc65ae7d39d213250443588731af9

SHA1
489b07237cf951faca46c6f525d9c436957347f2

SHA256
75542249fc08f4392189a0807595f18580aa17487530bc5527bf928a0b78146c

SHA512
c286e9aef914f008f31de8ce39c7861b8d26459a675d9a17dac80ab3db82e5d3edb04c4382c0c3ef2669a42a0c7867c7399d399d18d9cb154fa7f01111ef702f

Download Submit
\Users\Admin\AppData\Roaming\PatchDownload_debugv5\Zip.dll

Filesize
564KB

MD5
f933a5dbb88488307bf51584c9944c90

SHA1
50dc230cf29248f143dc576895bb26c7f3cd421e

SHA256
9bb311b6643500285049addb82fe2286dea34856a0b443af708335e286a44494

SHA512
85f75c6ae4fe350854f8f1ebf70d6bcf277d9a62dbc9da8b618725a62d2c00256b4f067bd54b0269c5995f63c5212df99893731a0fb749ecc25852119bba2f7b

Download Submit
\Users\Admin\AppData\Roaming\PatchDownload_debugv5\madBasic_.bpl

Filesize
211KB

MD5
641c567225e18195bc3d2d04bde7440b

SHA1
20395a482d9726ad80820c08f3a698cf227afd10

SHA256
c2df993943c87b1e0f07ddd7a807bb66c2ef518c7cf427f6aa4ba0f2543f1ea0

SHA512
1e6023d221ba16a6374cfeb939f795133130b9a71f6f57b1bc6e13e3641f879d409783cf9b1ef4b8fd79b272793ba612d679a213ff97656b3a728567588ecfb9

Download Submit
\Users\Admin\AppData\Roaming\PatchDownload_debugv5\madDisAsm_.bpl

Filesize
64KB

MD5
3936a92320f7d4cec5fa903c200911c7

SHA1
a61602501ffebf8381e39015d1725f58938154ca

SHA256
2aec41414aca38de5aba1cab7bda2030e1e2b347e0ae77079533722c85fe4566

SHA512
747ea892f6e5e3b7500c363d40c5c2a62e9fcf898ade2648262a4277ad3b31e0bcd5f8672d79d176b4759790db688bf1a748b09cbcb1816288a44554016e46d3

Download Submit
memory/2100-22-0x0000000000550000-0x00000000005E7000-memory.dmp

Filesize
604KB

Download
memory/2100-0-0x0000000000550000-0x00000000005E7000-memory.dmp

Filesize
604KB

Download
memory/2100-21-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/2100-20-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2100-19-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2100-18-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2100-2-0x0000000077220000-0x00000000773C9000-memory.dmp

Filesize
1.7MB

Download
memory/2100-16-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2100-15-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2100-1-0x0000000074630000-0x00000000747A4000-memory.dmp

Filesize
1.5MB

Download
memory/2456-52-0x00000000744B0000-0x0000000074624000-memory.dmp

Filesize
1.5MB

Download
memory/2456-54-0x0000000077220000-0x00000000773C9000-memory.dmp

Filesize
1.7MB

Download
memory/2456-56-0x00000000744B0000-0x0000000074624000-memory.dmp

Filesize
1.5MB

Download
memory/2456-55-0x00000000744B0000-0x0000000074624000-memory.dmp

Filesize
1.5MB

Download
memory/2456-58-0x00000000744B0000-0x0000000074624000-memory.dmp

Filesize
1.5MB

Download
memory/2768-62-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2768-59-0x0000000077220000-0x00000000773C9000-memory.dmp

Filesize
1.7MB

Download
memory/2768-60-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2768-61-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2984-40-0x00000000744C3000-0x00000000744C5000-memory.dmp

Filesize
8KB

Download
memory/2984-47-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2984-46-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2984-45-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2984-48-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2984-50-0x0000000000320000-0x00000000003B7000-memory.dmp

Filesize
604KB

Download
memory/2984-51-0x00000000744B0000-0x0000000074624000-memory.dmp

Filesize
1.5MB

Download
memory/2984-44-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2984-41-0x00000000744B0000-0x0000000074624000-memory.dmp

Filesize
1.5MB

Download
memory/2984-39-0x0000000077220000-0x00000000773C9000-memory.dmp

Filesize
1.7MB

Download
memory/2984-35-0x0000000000320000-0x00000000003B7000-memory.dmp

Filesize
604KB

Download
memory/2984-38-0x00000000744B0000-0x0000000074624000-memory.dmp

Filesize
1.5MB

Download