Extracted

• • Target

    Ughhiwlsl.exe

  • Size

    290KB

  • MD5

    3d7b6e6ec8e0ea92b7ac6d380cf7b689

  • SHA1

    90e902eb6d1ce1ec955fce54f695f751b5abe96a

  • SHA256

    6232ffd99002b4613913f2a8c03beccb005687c0db190d7f12d7cd841a4d5337

  • SHA512

    76ecf6646f0a4bb419e7b5475cf1da614f1f16ffa97e5c3bbff21e41570e973a2018d86908d3a293828472b280052a8bf18f249214cc73f54f284a4334d74b21

  • SSDEEP

    6144:N+wQSN+rztLEeUlDgldHcCkTq+FCy5dDuOvOeGJUj:NbhZDKWZ9hv2

  Score

  10^/10

  discoverylummaexecutionspywarestealer

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to execute payload.

    execution

  • Suspicious use of SetThreadContext

  behavioral1behavioral2