Extracted

• • Target

    9bfc75e72ad81d1997489c972f263f135398776986af20ca047cec35b622f6e1.exe

  • Size

    160KB

  • MD5

    f1db90bf5d46bb698d7aa9480e2724e0

  • SHA1

    bdee2c1420afe80f5596c358fbb7d5644422713b

  • SHA256

    9bfc75e72ad81d1997489c972f263f135398776986af20ca047cec35b622f6e1

  • SHA512

    9e95d0e49a288ede894e1cb209d1ba97cfeba71ebc504e3be501a49ca91ea5b13e330d070c48db1fca981b56c26c0bdd2f21ccccf803617cfd0a06c02730a55d

  • SSDEEP

    3072:LahKyd2n31P5GWp1icKAArDZz4N9GhbkrNEk1F6uDT:LahOXp0yN90QENuH

  Score

  10^/10

  lummadiscoveryexecutionpersistencestealer

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1