lumma | a83cb75995c565ee3256f9314d82359cfee8765608d913178c1c28e353f70de1

General

Target

Get__File𝔃/setup.exe
Size

697.3MB
MD5

32f57bd28256571f9802a594d310c987
SHA1

a0c047b57c554aeae98a5cd1990f5e8eec03f740
SHA256

6c25f32e6e5f179833a56b8872a487f416597565bd1f4976fea154ad0071ae43
SHA512

591f8890093f7fc3fca1a01f82d84e0d7f7420736cb7fafcab1b6e50b2ac28f0c0f726847ba72f0da219dc4275b13362ad1b007977b1b327e29fdc37a2d7b15e
SSDEEP

98304:SpaOTEikjpnQ1Ow/V0vkFVuvRHyqP4wVrozQ3:Sp9IVNR3ww5

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

C2

https://calfmhaven.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
3132	vcpkgsrv.exe
4348	vcpkgsrv.exe

Loads dropped DLL 8 IoCs

pid	Process
3132	vcpkgsrv.exe
3132	vcpkgsrv.exe
3132	vcpkgsrv.exe
3132	vcpkgsrv.exe
4348	vcpkgsrv.exe
4348	vcpkgsrv.exe
4348	vcpkgsrv.exe
4348	vcpkgsrv.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 824	4348	vcpkgsrv.exe	93

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcpkgsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcpkgsrv.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3368	setup.exe
3368	setup.exe
3368	setup.exe
3368	setup.exe
3368	setup.exe
3368	setup.exe
3132	vcpkgsrv.exe
4348	vcpkgsrv.exe
4348	vcpkgsrv.exe
824	choice.exe
824	choice.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4348	vcpkgsrv.exe
824	choice.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3132	3368	setup.exe	91
PID 3368 wrote to memory of 3132	3368	setup.exe	91
PID 3368 wrote to memory of 3132	3368	setup.exe	91
PID 3132 wrote to memory of 4348	3132	vcpkgsrv.exe	92
PID 3132 wrote to memory of 4348	3132	vcpkgsrv.exe	92
PID 3132 wrote to memory of 4348	3132	vcpkgsrv.exe	92
PID 4348 wrote to memory of 824	4348	vcpkgsrv.exe	93
PID 4348 wrote to memory of 824	4348	vcpkgsrv.exe	93
PID 4348 wrote to memory of 824	4348	vcpkgsrv.exe	93
PID 4348 wrote to memory of 824	4348	vcpkgsrv.exe	93
PID 824 wrote to memory of 3812	824	choice.exe	95
PID 824 wrote to memory of 3812	824	choice.exe	95
PID 824 wrote to memory of 3812	824	choice.exe	95
PID 824 wrote to memory of 3812	824	choice.exe	95
PID 824 wrote to memory of 3812	824	choice.exe	95
PID 824 wrote to memory of 3812	824	choice.exe	95

C:\Users\Admin\AppData\Local\Temp\Get__File𝔃\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Get__File𝔃\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\YZYMBSR1U9PNX5N6HFLT0J46DX\vcpkgsrv.exe
  "C:\Users\Admin\AppData\Local\Temp\YZYMBSR1U9PNX5N6HFLT0J46DX\vcpkgsrv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\ProgramData\FNPLicensingService\vcpkgsrv.exe
    C:\ProgramData\FNPLicensingService\vcpkgsrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\choice.exe
      C:\Windows\SysWOW64\choice.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YZYMBSR1U9PNX5N6HFLT0J46DX\CONCRT140.dll

Filesize
254KB

MD5
f36dae6ea00f102b60a5011af0732123

SHA1
06fabdbf1fa14b5a637716f9f7a28c95ea4a8661

SHA256
0a3894dd420ed6b4c7ebbde463dbbde69cdb032e290b1c86c21ccdaa4da95526

SHA512
c585e25ac9d733ca82d36d4cee0fa5f7d34a0455c359e010c501d1474c612bc73429093ba302ae14222d7e3a89d5b11777529b3005c7c0966aff06c92c7cce12

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZYMBSR1U9PNX5N6HFLT0J46DX\airstrip.eps

Filesize
5.7MB

MD5
93fd78e011ac0e5255ed8bc3d652fd13

SHA1
ffe198e7a0ebb879c5ab6446a96894b5784cdc13

SHA256
dac4389e990c7238ba6ee08e0505cea5ddabaf4d8dc38354c47d18de1624f43d

SHA512
fa2952f8028a088546e2b667cb9bb9d11258626dabc918bd3119c2d92d18b2caeddd2191e2f54c4813fbbe3a0299c7cb8ad3d05030a16f435c6ccf6e84f9fdee

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZYMBSR1U9PNX5N6HFLT0J46DX\cassoulet.pkg

Filesize
55KB

MD5
ac65af3eb9bada3d75d7f2c9f86d8273

SHA1
f4b75c457b32bba5352dca361ef3c477ff0b5c23

SHA256
e68bce3f61193576d743fcd7f4cf6ce98ca57b0e3db3ca2bc46d41ccf0d5b9a9

SHA512
1bbd5ac6fdad7a3305598a37235b32cb8c85282fe2a746b1dd5b4e63f06d1a10ed31972ee614d888e22b431dc37a2d2043ed98d879300bc90d60ea7e9feb1094

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZYMBSR1U9PNX5N6HFLT0J46DX\msvcp140.dll

Filesize
438KB

MD5
cdae969102e88f6704d853f9521eedd2

SHA1
3d9a57652a3634cb9b5a83c973c1c77b30c60bf4

SHA256
4ad3de3443d7658f74c978e7eb04730e3d812bc592fee47be4e6348d1fb4814e

SHA512
6714f7886ed21a97a3d70e8a55637f0d0e6d2c43ffd433e7f9c38c100ada99c6aaf136135b5fa6b77483987e34f4c57086c574309b798512cd668c54f845ec49

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZYMBSR1U9PNX5N6HFLT0J46DX\vcpkgsrv.exe

Filesize
1.4MB

MD5
38901633c833cba7f682472ced0dbe4b

SHA1
0c11a1ac834d2b270ba60f3605109933ca11a7f0

SHA256
a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089

SHA512
70d71197c68c9a92883c482aee76978e2a01e785be6fb3b6082369e25d991d3e03d8467e11d87493e54f5a3dc4bcd59fa588f0fabe5f6fdcf3361de95cb471c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZYMBSR1U9PNX5N6HFLT0J46DX\vcruntime140.dll

Filesize
88KB

MD5
984c36e57e47581e267151aca04e9580

SHA1
aa54e9133ba3ed675f9b5255a515780438163ae1

SHA256
e0850ad7c2431f822359e129c85b708373759a1aaadb70b3740642ea44345a04

SHA512
9c8ce4e86173066ab8584a08aa1449f36808f0abd6de01a86f83914a44a8b07b31266c1f38ec0cd46faabf819ac6e1c74e29d5b8b2163ac5d9e1797df8282fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0fcdcd1

Filesize
6.3MB

MD5
d5569774c081f83226981fff4ddbf64d

SHA1
fcb2fe0e50787cb5371ad3bfe2db33b35ef3c1b1

SHA256
53f73aaf7634eaee11614a774790aab75b0946a0ff909212d0c2e6c836025767

SHA512
3da053e08b196edd99a9a2a17955776b6a3c0443c64adf7ca0159676d5c5e57f2b2826935e9ca7aad52572208549329eeabbd91d29faa79a1095ebc743f2b7ee

Download Submit
memory/824-57-0x00000000733E0000-0x000000007355B000-memory.dmp

Filesize
1.5MB

Download
memory/824-59-0x00000000733E0000-0x000000007355B000-memory.dmp

Filesize
1.5MB

Download
memory/824-56-0x00007FF8DDE70000-0x00007FF8DE068000-memory.dmp

Filesize
2.0MB

Download
memory/3132-44-0x00000000736A0000-0x000000007381B000-memory.dmp

Filesize
1.5MB

Download
memory/3132-45-0x00007FF8DDE70000-0x00007FF8DE068000-memory.dmp

Filesize
2.0MB

Download
memory/3368-1-0x0000000003050000-0x00000000030AA000-memory.dmp

Filesize
360KB

Download
memory/3368-3-0x0000000000400000-0x00000000014B1000-memory.dmp

Filesize
16.7MB

Download
memory/3368-0-0x0000000003050000-0x00000000030AA000-memory.dmp

Filesize
360KB

Download
memory/3812-68-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-71-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-75-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-64-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-65-0x00007FF8DDE70000-0x00007FF8DE068000-memory.dmp

Filesize
2.0MB

Download
memory/3812-66-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-67-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-74-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-69-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-70-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-73-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/3812-72-0x0000000001290000-0x000000000184C000-memory.dmp

Filesize
5.7MB

Download
memory/4348-53-0x00000000733E0000-0x000000007355B000-memory.dmp

Filesize
1.5MB

Download
memory/4348-51-0x00000000733E0000-0x000000007355B000-memory.dmp

Filesize
1.5MB

Download
memory/4348-52-0x00007FF8DDE70000-0x00007FF8DE068000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing