Extracted

• • Target

    8feef4a4753bf33560a69d2020deb6f7.exe

  • Size

    133KB

  • MD5

    8feef4a4753bf33560a69d2020deb6f7

  • SHA1

    8cfed3ec74c914f97c4de4ae60ff3e0cde3a85e1

  • SHA256

    12604e1184d3c656d4c8307cd73e79b808d37a09d08710bccb6f7e9da872e77b

  • SHA512

    c48d98b134b4052f7bba7110c3ca4e32471a02f63198bf85e791dda93252a942507df2c86472a824a50fbce3c3767496207e6d0c05e90c1fe704c6c6e38eb77b

  • SSDEEP

    3072:/23Z9FK2ku2HuAQTTl7MuRXv+ClEtVoHpHVGqozKuQgxbEEHK:Gku2HuAQTTRMoXvDHVBKO

  Score

  10^/10

  discoverylummaexecutionspywarestealer

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Lumma family

    lumma

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to execute payload.

    execution

  • Suspicious use of SetThreadContext

  behavioral1behavioral2