lumma | ac9a60aff7f73c0def1bd6a4f760b06f98475b8e23251c3905ed8619216ad956 | Triage

Sharing

General

Target

Setup.exe
Size

1.2MB
Sample

250410-vet6gaxmv7
MD5

14153af1a6bf3908ee65c711bd02968c
SHA1

d50be887eff8c4c83b6f60dcbb1795c695aee3d0
SHA256

ac9a60aff7f73c0def1bd6a4f760b06f98475b8e23251c3905ed8619216ad956
SHA512

56db2fa7a5142be94421ebd63f43bb3844c348d6fda42216d9dde364e7ca413a31a8940ab28b0d3c80ba51aba77b011da78576ccfc1aa2352822dc6ff1dec751
SSDEEP

24576:mQBrDZNBpy9p/uGnNVJWA6E1KzfHRkjHirD+gyus7:XBPURuGNVJWA62Kz+jqygyuW

Score

10^/10

lumma defense_evasion discovery persistence spyware stealer

Malware Config

Extracted

Family

lumma

C2

https://gclarmodq.top/qoxo

https://soursopsf.run/gsoiao

https://changeaie.top/geps

https://easyupgw.live/eosz

https://liftally.top/xasj

https://upmodini.digital/gokk

https://salaccgfa.top/gsooz

https://mzestmodp.top/zeda

https://xcelmodo.run/nahd

Targets

- Target
  
  Setup.exe
- Size
  
  1.2MB
- MD5
  
  14153af1a6bf3908ee65c711bd02968c
- SHA1
  
  d50be887eff8c4c83b6f60dcbb1795c695aee3d0
- SHA256
  
  ac9a60aff7f73c0def1bd6a4f760b06f98475b8e23251c3905ed8619216ad956
- SHA512
  
  56db2fa7a5142be94421ebd63f43bb3844c348d6fda42216d9dde364e7ca413a31a8940ab28b0d3c80ba51aba77b011da78576ccfc1aa2352822dc6ff1dec751
- SSDEEP
  
  24576:mQBrDZNBpy9p/uGnNVJWA6E1KzfHRkjHirD+gyus7:XBPURuGNVJWA62Kz+jqygyuW
Score

10^/10

lumma defense_evasion discovery persistence spyware stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Downloads MZ/PE file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Power Settings

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lummadefense_evasiondiscoverypersistencespywarestealer