lumma | 23d2e6d18aa3677e9e545429c67ae0b97594714edf50e9790a63f7532b42e49a

General

Target

❂↶Fяοм†Sωι†cн✦$ε†μρ✦Codε✦∀sα†Lωor❂🎶9192/Set-up.exe
Size

1.8MB
MD5

098ac4621ee0e855e0710710736c2955
SHA1

ce7b88657c3449d5d05591314aaa43bd3e32bdaa
SHA256

46afbf1cbd2e1b5e108c133d4079faddc7347231b0c48566fd967a3070745e7f
SHA512

3042785b81bd18b641f0a2b5d8aec8ef86f9bf1269421fb96d1db35a913e744eaff16d9da7a02c8001435d59befb9f26bc0bbfa6e794811abf4282ed68b185fe
SSDEEP

49152:GpjwrP6yVgBd39sUUzFti4aTotmIT3SxLmNKbx:GpjwrP6yKTOUmi4aTo1NK9

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://powerful-avoids.sbs/api

https://motion-treesz.sbs/api

https://disobey-curly.sbs/api

https://leg-sate-boat.sbs/api

https://story-tense-faz.sbs/api

https://blade-govern.sbs/api

https://occupy-blushi.sbs/api

https://frogs-severz.sbs/api

https://other-rans.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1952	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 3412	1688	Set-up.exe	81

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1688	Set-up.exe
1688	Set-up.exe
1688	Set-up.exe
1688	Set-up.exe
3412	more.com
3412	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1688	Set-up.exe
3412	more.com

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 3412	1688	Set-up.exe	81
PID 1688 wrote to memory of 3412	1688	Set-up.exe	81
PID 1688 wrote to memory of 3412	1688	Set-up.exe	81
PID 1688 wrote to memory of 3412	1688	Set-up.exe	81
PID 3412 wrote to memory of 1952	3412	more.com	83
PID 3412 wrote to memory of 1952	3412	more.com	83
PID 3412 wrote to memory of 1952	3412	more.com	83
PID 3412 wrote to memory of 1952	3412	more.com	83
PID 3412 wrote to memory of 1952	3412	more.com	83

C:\Users\Admin\AppData\Local\Temp\❂↶Fяοм†Sωι†cн✦$ε†μρ✦Codε✦∀sα†Lωor❂🎶9192\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\❂↶Fяοм†Sωι†cн✦$ε†μρ✦Codε✦∀sα†Lωor❂🎶9192\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\636342b

Filesize
1.0MB

MD5
5bc1337462eb13b2a4b16d2ba77ab427

SHA1
b50366c43b98d287ac12321fab3bfc64842e0d1e

SHA256
768c935056285b9368070c56ce17b3077bbfeb7bf57a37e418cc5d3d814697f4

SHA512
aa233b11ed02877933ae499836ba55c030995a3ecee1c10cf84e1c2f017019fa27bfa1b8945acdc063d719ff009ceb5691a01060cc454d768a77964f80b24c7a

Download Submit
memory/1688-7-0x00007FFA9FB00000-0x00007FFA9FD09000-memory.dmp

Filesize
2.0MB

Download
memory/1688-15-0x00000000737CB000-0x0000000074000000-memory.dmp

Filesize
8.2MB

Download
memory/1688-3-0x0000000073080000-0x0000000075037000-memory.dmp

Filesize
31.7MB

Download
memory/1688-1-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1688-0-0x00000000737CB000-0x0000000074000000-memory.dmp

Filesize
8.2MB

Download
memory/1688-11-0x0000000073080000-0x0000000075037000-memory.dmp

Filesize
31.7MB

Download
memory/1688-12-0x0000000072CF0000-0x0000000072E6D000-memory.dmp

Filesize
1.5MB

Download
memory/1688-6-0x0000000072CF0000-0x0000000072E6D000-memory.dmp

Filesize
1.5MB

Download
memory/1688-2-0x0000000073080000-0x0000000075037000-memory.dmp

Filesize
31.7MB

Download
memory/1688-14-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1952-27-0x00007FFA9FB00000-0x00007FFA9FD09000-memory.dmp

Filesize
2.0MB

Download
memory/1952-28-0x0000000000F20000-0x0000000000F7E000-memory.dmp

Filesize
376KB

Download
memory/1952-29-0x0000000000030000-0x0000000000058000-memory.dmp

Filesize
160KB

Download
memory/3412-17-0x0000000072CF1000-0x0000000072CFF000-memory.dmp

Filesize
56KB

Download
memory/3412-18-0x00007FFA9FB00000-0x00007FFA9FD09000-memory.dmp

Filesize
2.0MB

Download
memory/3412-20-0x0000000072CF0000-0x0000000072E6D000-memory.dmp

Filesize
1.5MB

Download
memory/3412-21-0x0000000072CF0000-0x0000000072E6D000-memory.dmp

Filesize
1.5MB

Download
memory/3412-25-0x0000000072CF0000-0x0000000072E6D000-memory.dmp

Filesize
1.5MB

Download
memory/3412-26-0x0000000072CF1000-0x0000000072CFF000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing