lumma | 1a269339c307d963997a3232839f356ce77e099213414d8d0beb632f8cb4c01d

Analysis

max time kernel
145s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

147KB
MD5

0ef6576560aa54889e4230c0ac2da560
SHA1

9f132cfa8f1db8932c9ad0db9cafd4ff0216b3c5
SHA256

c5a1b343d52e741fd91e6d71065a2bf3f2a1119b258a84e4dc026e705da828ac
SHA512

4a309e28338dfc039855534bd3b51632164f2f7effa2b574d2c75afc32a14ae574ef9751466224d3f2b0805de85c4303cc2d07988714d8488911538f0b0cd4bb
SSDEEP

768:2qoXya+G8TyC8t8z+aLx1lMtsPBcq9Sbh9SbLAEpYinAMx8iQP3pXYiui8AMxkEQ:J8yPTyC8ayLspcqCOJ7HxbQ17ZaxZO

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://saturnoy.life/ASzos

https://oreheatq.live/gsopp

https://castmaxw.run/ganzde

https://tweldorae.digital/geds

https://steelixr.live/aguiz

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://smeltingt.run/giiaus

https://ferromny.digital/gwpd

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 1 IoCs

pid	Process
5092	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5844	Setup.exe
5844	Setup.exe
5844	Setup.exe
5844	Setup.exe
5092	explorer.exe
5092	explorer.exe
5092	explorer.exe
5092	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5844	Setup.exe
5844	Setup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5844 wrote to memory of 5092	5844	Setup.exe	78
PID 5844 wrote to memory of 5092	5844	Setup.exe	78
PID 5844 wrote to memory of 5092	5844	Setup.exe	78
PID 5844 wrote to memory of 5092	5844	Setup.exe	78
PID 5844 wrote to memory of 5092	5844	Setup.exe	78

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5844
- C:\Users\Public\374773913\explorer.exe
  C:\Users\Public\374773913\explorer.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6939be55

Filesize
6.0MB

MD5
4c9230c55a7fb3f03b22a593bc84e32f

SHA1
9472c620a41f58b5dd5b03076d83ec14e7aebb8d

SHA256
a3bb52ebfdc9a86f6b3ab962916233b42a0601d74b551d8f041bd4ed08d05ca1

SHA512
dba597b609a5d0f94676e98f3f9b61731d923db14ed5be21590cc951bfa7bbe74125d67349af3e661a40bb2cab941d66b154f36b21ca5c3e5e5eb6edc0e76089

Download Submit
C:\Users\Public\374773913\explorer.exe

Filesize
4.8MB

MD5
1211228111eb7c30c7bd378ad6afeb91

SHA1
588d7b7e4b36fd482120fd69d13b6554b761c9f4

SHA256
06b44d10bcbf819a70a1b876cff97f03f6ab9ca8c31a1830a9fb455c80d893ae

SHA512
4337fed92efd1b0c13700d55fe53f85eb68571c35c8fabb445158461af59894b69b051f6bb3a24e12eae01843d1be7a091f4cda831da5e9730a60366a901c7e6

Download Submit
memory/5092-20-0x0000000001060000-0x00000000010DE000-memory.dmp

Filesize
504KB

Download
memory/5092-25-0x0000000001060000-0x00000000010DE000-memory.dmp

Filesize
504KB

Download
memory/5844-0-0x0000000073960000-0x00000000739AF000-memory.dmp

Filesize
316KB

Download
memory/5844-1-0x00007FF84E020000-0x00007FF84E229000-memory.dmp

Filesize
2.0MB

Download
memory/5844-16-0x0000000073974000-0x0000000073976000-memory.dmp

Filesize
8KB

Download
memory/5844-18-0x0000000073960000-0x00000000739AF000-memory.dmp

Filesize
316KB

Download
memory/5844-22-0x0000000073960000-0x00000000739AF000-memory.dmp

Filesize
316KB

Download