lumma | d27b7d7734c4f718e09bdd9864771c821607a92b91deb0946c8808ee97a20e06

General

Target

New folder/Set-up.exe
Size

86KB
MD5

3bd79a1f6d2ea0fddea3f8914b2a6a0c
SHA1

3ea3f44f81b3501e652b448a7dc33a8ee739772e
SHA256

332e6806eff846a2e6d0dc04a70d3503855dabfa83e6ec27f37e2d9103e80e51
SHA512

7bbb3f3af90443803f7689c973a64f894fb48bd744ab0c70af7dfa7c763354dc6f67a7fbb7053d38b0c6611b0aaa532e73eb2579c1445b8a31c573f8bf972a67
SSDEEP

1536:EU5EG5XI/6POYy6SAi11XFDwYVyjThxXeZBHl+YMk8iVbNuissy:95EG5XI/SOOQyYVF9l+DkvVp6

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://wishbusher.click/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
564	Caller.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
34	1652	msiexec.exe
42	1652	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4668 set thread context of 4260	4668	Set-up.exe	90

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4668	Set-up.exe
4668	Set-up.exe
4668	Set-up.exe
4668	Set-up.exe
4260	more.com
4260	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4668	Set-up.exe
4260	more.com

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 564	4668	Set-up.exe	87
PID 4668 wrote to memory of 564	4668	Set-up.exe	87
PID 4668 wrote to memory of 564	4668	Set-up.exe	87
PID 4668 wrote to memory of 4260	4668	Set-up.exe	90
PID 4668 wrote to memory of 4260	4668	Set-up.exe	90
PID 4668 wrote to memory of 4260	4668	Set-up.exe	90
PID 4668 wrote to memory of 4260	4668	Set-up.exe	90
PID 4260 wrote to memory of 1652	4260	more.com	92
PID 4260 wrote to memory of 1652	4260	more.com	92
PID 4260 wrote to memory of 1652	4260	more.com	92
PID 4260 wrote to memory of 1652	4260	more.com	92
PID 4260 wrote to memory of 1652	4260	more.com	92

C:\Users\Admin\AppData\Local\Temp\New folder\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Roaming\Context\MRZEZGAIESVOAYYQNX\Caller.exe
  C:\Users\Admin\AppData\Roaming\Context\MRZEZGAIESVOAYYQNX\Caller.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:564
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1883be95

Filesize
5.2MB

MD5
5187863e6f89ef4263c93e577f2201fe

SHA1
e8f9f9971a848c20cd0989534864a7b6970de602

SHA256
bef4cea044af6b6e39eddf4d8dc0c4c8c1f8e9547fadcfdf7923c9e4cfd88d28

SHA512
04c7343cba8ed2f8d320cab56f4ea21a752183eee114281e2aa9de0f6bdcddd92405daf985c1c4a64151b61225e62d07bda3266e0a7dd76d321190c3da16175a

Download Submit
C:\Users\Admin\AppData\Roaming\Context\MRZEZGAIESVOAYYQNX\Caller.exe

Filesize
4.2MB

MD5
2018644aac84a2de8a767ec1da19993e

SHA1
4ec18507a02d88f49a089851e773c082327ffa42

SHA256
d2251490ca5bd67e63ea52a65bbff8823f2012f417ad0bd073366c02aa0b3828

SHA512
4b171ce616756ace308b61d3d2cc43ced952ce4dc04360ab18499cc959cbf08dc5331610f7bb59c34fcdcb72694b455dc556757cba4cb1ed17b78503bcc26c48

Download Submit
memory/1652-27-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1652-26-0x0000000000EE0000-0x0000000000F38000-memory.dmp

Filesize
352KB

Download
memory/1652-25-0x00007FFEA92B0000-0x00007FFEA94A8000-memory.dmp

Filesize
2.0MB

Download
memory/4260-17-0x0000000077361000-0x000000007736F000-memory.dmp

Filesize
56KB

Download
memory/4260-24-0x0000000077361000-0x000000007736F000-memory.dmp

Filesize
56KB

Download
memory/4260-20-0x0000000077360000-0x0000000077937000-memory.dmp

Filesize
5.8MB

Download
memory/4260-19-0x00007FFEA92B0000-0x00007FFEA94A8000-memory.dmp

Filesize
2.0MB

Download
memory/4668-6-0x00007FFEA92B0000-0x00007FFEA94A8000-memory.dmp

Filesize
2.0MB

Download
memory/4668-14-0x0000000077360000-0x0000000077937000-memory.dmp

Filesize
5.8MB

Download
memory/4668-13-0x00000000019F5000-0x0000000001F91000-memory.dmp

Filesize
5.6MB

Download
memory/4668-12-0x00000000019E0000-0x00000000029C6000-memory.dmp

Filesize
15.9MB

Download
memory/4668-8-0x0000000077360000-0x0000000077937000-memory.dmp

Filesize
5.8MB

Download
memory/4668-0-0x00000000019F5000-0x0000000001F91000-memory.dmp

Filesize
5.6MB

Download
memory/4668-5-0x0000000077360000-0x0000000077937000-memory.dmp

Filesize
5.8MB

Download
memory/4668-2-0x00000000019E0000-0x00000000029C6000-memory.dmp

Filesize
15.9MB

Download
memory/4668-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing