lumma | 1a269339c307d963997a3232839f356ce77e099213414d8d0beb632f8cb4c01d

Analysis

max time kernel
100s
max time network
155s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

147KB
MD5

0ef6576560aa54889e4230c0ac2da560
SHA1

9f132cfa8f1db8932c9ad0db9cafd4ff0216b3c5
SHA256

c5a1b343d52e741fd91e6d71065a2bf3f2a1119b258a84e4dc026e705da828ac
SHA512

4a309e28338dfc039855534bd3b51632164f2f7effa2b574d2c75afc32a14ae574ef9751466224d3f2b0805de85c4303cc2d07988714d8488911538f0b0cd4bb
SSDEEP

768:2qoXya+G8TyC8t8z+aLx1lMtsPBcq9Sbh9SbLAEpYinAMx8iQP3pXYiui8AMxkEQ:J8yPTyC8ayLspcqCOJ7HxbQ17ZaxZO

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://saturnoy.life/ASzos

https://oreheatq.live/gsopp

https://castmaxw.run/ganzde

https://tweldorae.digital/geds

https://steelixr.live/aguiz

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://smeltingt.run/giiaus

https://ferromny.digital/gwpd

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 1 IoCs

pid	Process
2372	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1032	Setup.exe
1032	Setup.exe
1032	Setup.exe
1032	Setup.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe
2372	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1032	Setup.exe
1032	Setup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2372	1032	Setup.exe	82
PID 1032 wrote to memory of 2372	1032	Setup.exe	82
PID 1032 wrote to memory of 2372	1032	Setup.exe	82
PID 1032 wrote to memory of 2372	1032	Setup.exe	82
PID 1032 wrote to memory of 2372	1032	Setup.exe	82

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Public\374773913\explorer.exe
  C:\Users\Public\374773913\explorer.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\379b764

Filesize
6.0MB

MD5
23b52bafee8a8e09691c7b49941d1a41

SHA1
1d9c4de2a91a480f9dc3a1e8b8e329d036cb5a31

SHA256
45af694908caa88d875248e4282dfebb5f1be967e80dcde34308292083efadc5

SHA512
196606179cf3ef36325deffcecf4982c7d3e91992c473c55b3098c2454aee79d87e74ad8e894bd53f95db8d26815b56abd946052fe54a701187edc1e31894a5b

Download Submit
C:\Users\Public\374773913\explorer.exe

Filesize
4.8MB

MD5
1211228111eb7c30c7bd378ad6afeb91

SHA1
588d7b7e4b36fd482120fd69d13b6554b761c9f4

SHA256
06b44d10bcbf819a70a1b876cff97f03f6ab9ca8c31a1830a9fb455c80d893ae

SHA512
4337fed92efd1b0c13700d55fe53f85eb68571c35c8fabb445158461af59894b69b051f6bb3a24e12eae01843d1be7a091f4cda831da5e9730a60366a901c7e6

Download Submit
memory/1032-0-0x00000000743C0000-0x000000007440F000-memory.dmp

Filesize
316KB

Download
memory/1032-1-0x00007FFB13330000-0x00007FFB13528000-memory.dmp

Filesize
2.0MB

Download
memory/1032-4-0x00000000743D4000-0x00000000743D6000-memory.dmp

Filesize
8KB

Download
memory/1032-6-0x00000000743C0000-0x000000007440F000-memory.dmp

Filesize
316KB

Download
memory/1032-9-0x00000000743C0000-0x000000007440F000-memory.dmp

Filesize
316KB

Download
memory/2372-12-0x0000000000620000-0x000000000069E000-memory.dmp

Filesize
504KB

Download