lumma | 644676713bdf4b81f8ec0a3a96a8f861c500a41a24a1cc4e93a3ee0c171bcba8

Analysis

max time kernel
96s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

074ca842ea52396751bb6015979f2f79.exe
Size

3.4MB
MD5

074ca842ea52396751bb6015979f2f79
SHA1

11e746f0c8f9cb91b55dfbf8920e54853d2b8e2b
SHA256

644676713bdf4b81f8ec0a3a96a8f861c500a41a24a1cc4e93a3ee0c171bcba8
SHA512

993379c41abd9d6730831019aec0769268148d74a4a1699370cd2fb3f8894fe02a558991e80e7b67b247409cd819b55080eb45f1e1f8b55db62c2488bd13f91d
SSDEEP

98304:8fUbK7jkYWHLX4ntIAvQGRhXZlg4Rj9hrwq8jj6Y+NU:8fUW7gYAL46AvQGRtZqmBhsq8KYYU

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 3 IoCs

pid	Process
4844	074ca842ea52396751bb6015979f2f79.exe
2340	DBDownloader.exe
2012	DBDownloader.exe

Loads dropped DLL 21 IoCs

pid	Process
4844	074ca842ea52396751bb6015979f2f79.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2340	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 2520	2012	DBDownloader.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	074ca842ea52396751bb6015979f2f79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	074ca842ea52396751bb6015979f2f79.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2340	DBDownloader.exe
2012	DBDownloader.exe
2012	DBDownloader.exe
2520	cmd.exe
2520	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2012	DBDownloader.exe
2520	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4844	4516	074ca842ea52396751bb6015979f2f79.exe	83
PID 4516 wrote to memory of 4844	4516	074ca842ea52396751bb6015979f2f79.exe	83
PID 4516 wrote to memory of 4844	4516	074ca842ea52396751bb6015979f2f79.exe	83
PID 4844 wrote to memory of 2340	4844	074ca842ea52396751bb6015979f2f79.exe	84
PID 4844 wrote to memory of 2340	4844	074ca842ea52396751bb6015979f2f79.exe	84
PID 4844 wrote to memory of 2340	4844	074ca842ea52396751bb6015979f2f79.exe	84
PID 2340 wrote to memory of 2012	2340	DBDownloader.exe	85
PID 2340 wrote to memory of 2012	2340	DBDownloader.exe	85
PID 2340 wrote to memory of 2012	2340	DBDownloader.exe	85
PID 2012 wrote to memory of 2520	2012	DBDownloader.exe	86
PID 2012 wrote to memory of 2520	2012	DBDownloader.exe	86
PID 2012 wrote to memory of 2520	2012	DBDownloader.exe	86
PID 2012 wrote to memory of 2520	2012	DBDownloader.exe	86
PID 2520 wrote to memory of 3872	2520	cmd.exe	103
PID 2520 wrote to memory of 3872	2520	cmd.exe	103
PID 2520 wrote to memory of 3872	2520	cmd.exe	103
PID 2520 wrote to memory of 3872	2520	cmd.exe	103
PID 2520 wrote to memory of 3872	2520	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\074ca842ea52396751bb6015979f2f79.exe
"C:\Users\Admin\AppData\Local\Temp\074ca842ea52396751bb6015979f2f79.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\Temp\{0870B090-8B99-4857-B71E-7E238073B5DA}\.cr\074ca842ea52396751bb6015979f2f79.exe
  "C:\Windows\Temp\{0870B090-8B99-4857-B71E-7E238073B5DA}\.cr\074ca842ea52396751bb6015979f2f79.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\074ca842ea52396751bb6015979f2f79.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\DBDownloader.exe
    C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\DBDownloader.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe
      C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f0d159

Filesize
1.0MB

MD5
c940432655da9d6d54f23619581682b0

SHA1
d69d6307c5ed5cb465c9af234679b94de5805744

SHA256
7cdba2db82fc705d6b05c3bb844d9311a36eed578f08b988700f97557921701e

SHA512
a5111d336f29d75ef43152ff0c431c9ccf70e5c903027d38cbef32db2b01744f3cb1eea8ec013080945cde429cf6ced4de80671a3d090d56e91a1af51092fac6

Download Submit
C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\madDisAsm_.bpl

Filesize
64KB

MD5
3936a92320f7d4cec5fa903c200911c7

SHA1
a61602501ffebf8381e39015d1725f58938154ca

SHA256
2aec41414aca38de5aba1cab7bda2030e1e2b347e0ae77079533722c85fe4566

SHA512
747ea892f6e5e3b7500c363d40c5c2a62e9fcf898ade2648262a4277ad3b31e0bcd5f8672d79d176b4759790db688bf1a748b09cbcb1816288a44554016e46d3

Download Submit
C:\Windows\Temp\{0870B090-8B99-4857-B71E-7E238073B5DA}\.cr\074ca842ea52396751bb6015979f2f79.exe

Filesize
3.3MB

MD5
32988cd64d1e643b30203cb3a99f01c6

SHA1
b706ad0b4995f09697bd562fa9fcec07d687ee33

SHA256
9c26112798af866022db506c5a8592bc6baf19a81dd600a67becfb581a0dae70

SHA512
7eda4e061a87efc9db79f31391807cd887f6b02d677d421598eee1324e27d9132d45c918ad342c2d84def6e56432b4025dd075a8fc8d5175ae1ed23850ef8ae9

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\Curette.dll

Filesize
64KB

MD5
571bd6140bb7c0daa429da0de6dc2ce1

SHA1
45e0e315767edf25fc5ce4a518a2d41f818c3290

SHA256
1219792a1a5467bf3ebcad4fe73838f89bf0608a61d987d9b72605d995829552

SHA512
ec8d55fdeec9932afb5eb144803b36926597fb6c2971d597eb9612b43049adc8f64eb67d490efa2dfa77b59649f74bd018400d27fe5050f3eafeacb80d348962

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\DBDownloader.exe

Filesize
823KB

MD5
a3ccc65ae7d39d213250443588731af9

SHA1
489b07237cf951faca46c6f525d9c436957347f2

SHA256
75542249fc08f4392189a0807595f18580aa17487530bc5527bf928a0b78146c

SHA512
c286e9aef914f008f31de8ce39c7861b8d26459a675d9a17dac80ab3db82e5d3edb04c4382c0c3ef2669a42a0c7867c7399d399d18d9cb154fa7f01111ef702f

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\Zip.dll

Filesize
564KB

MD5
27cf2e5fecbc9dd6f8a9bc866dc78e00

SHA1
3e11aaa9416d7702ace2176ef27230efd08ec5ab

SHA256
5155ba4c5e46c898a7cb9d619c67a1626636e7854200bbbeb698fb5af3b541f2

SHA512
87ebe9bc31dd6c91b46fc561bb6a9ffd9bcf29eee98da5d58caefa1d4ace940a9aeccc264e4cceb933bbcea10d4b33f95767c803c34badd62ddaec60863344c0

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\glucocorticoid.txt

Filesize
51KB

MD5
b14b27cad72654c3b49ab32aae9b80d1

SHA1
4304dbab114f5de0373b7a52eae484c577231741

SHA256
a5db93ad3d6e8b4d58ec25282583ca77f70f3a9629f4f23c3c72cbadfc5294ee

SHA512
d330f9a15b04d21f34ff8e6885d71a7b427bc38534d65d124f68c4cf44f77cf8fc0b419a5ed4518fb52f0ddbe4108d5081915ffa9a2ef5cb55b5386b512fa834

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\madBasic_.bpl

Filesize
211KB

MD5
641c567225e18195bc3d2d04bde7440b

SHA1
20395a482d9726ad80820c08f3a698cf227afd10

SHA256
c2df993943c87b1e0f07ddd7a807bb66c2ef518c7cf427f6aa4ba0f2543f1ea0

SHA512
1e6023d221ba16a6374cfeb939f795133130b9a71f6f57b1bc6e13e3641f879d409783cf9b1ef4b8fd79b272793ba612d679a213ff97656b3a728567588ecfb9

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\madExcept_.bpl

Filesize
437KB

MD5
e8818a6b32f06089d5b6187e658684ba

SHA1
7d4f34e3a309c04df8f60e667c058e84f92db27a

SHA256
91ee84d5ab6d3b3de72a5cd74217700eb1309959095214bd2c77d12e6af81c8e

SHA512
d00ecf234cb642c4d060d15f74e4780fc3834b489516f7925249df72747e1e668c4ac66c6cc2887efde5a9c6604b91a688ba37c2a3b13ee7cf29ed7adcfa666d

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\theophobia.xml

Filesize
807KB

MD5
1fa471a09f4b7d85fc76545cca3a1961

SHA1
80ac45cb84b2d2da34c77a021d11f1b3ecd250f6

SHA256
ee9a8633c78d7d559cb20f52aa481699b2b26329e3f8cbd0e5e3d879a53ecb69

SHA512
e5b860462dbd927594212e66130c9d57557618c76f53479a52ad87160294ff632c38c39763354ed01c8413910bca45b23cc35ae1570b6408df70303b0cc9bad6

Download Submit
C:\Windows\Temp\{10E958F5-EDEF-491F-87F4-50E52F4A1BED}\.ba\vcl120.bpl

Filesize
1.9MB

MD5
c594d746ff6c99d140b5e8da97f12fd4

SHA1
f21742707c5f3fee776f98641f36bd755e24a7b0

SHA256
572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

SHA512
33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

Download Submit
memory/2012-88-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2012-79-0x00007FFACE4D0000-0x00007FFACE6C5000-memory.dmp

Filesize
2.0MB

Download
memory/2012-78-0x0000000073DD0000-0x0000000073F4B000-memory.dmp

Filesize
1.5MB

Download
memory/2012-83-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2012-84-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2012-74-0x00000000007C0000-0x0000000000857000-memory.dmp

Filesize
604KB

Download
memory/2012-89-0x00000000007C0000-0x0000000000857000-memory.dmp

Filesize
604KB

Download
memory/2012-82-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2012-80-0x0000000073DD0000-0x0000000073F4B000-memory.dmp

Filesize
1.5MB

Download
memory/2340-65-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/2340-36-0x0000000000AB0000-0x0000000000B47000-memory.dmp

Filesize
604KB

Download
memory/2340-55-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2340-58-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2340-59-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2340-77-0x0000000000AB0000-0x0000000000B47000-memory.dmp

Filesize
604KB

Download
memory/2340-39-0x0000000073DD0000-0x0000000073F4B000-memory.dmp

Filesize
1.5MB

Download
memory/2340-40-0x00007FFACE4D0000-0x00007FFACE6C5000-memory.dmp

Filesize
2.0MB

Download
memory/2340-66-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2340-68-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2520-91-0x00007FFACE4D0000-0x00007FFACE6C5000-memory.dmp

Filesize
2.0MB

Download
memory/2520-95-0x0000000073DD0000-0x0000000073F4B000-memory.dmp

Filesize
1.5MB

Download
memory/3872-100-0x00007FFACE4D0000-0x00007FFACE6C5000-memory.dmp

Filesize
2.0MB

Download
memory/3872-101-0x0000000000B40000-0x0000000000B9D000-memory.dmp

Filesize
372KB

Download
memory/4844-90-0x0000000069700000-0x0000000069717000-memory.dmp

Filesize
92KB

Download