lumma | a70c77735f279fe76a22770ce7abb6dcff5fabe7d1e1647c72137ec6e690329b | Triage

Sharing

General

Target

Setup.exe
Size

1.2MB
Sample

250410-vmg6waxpw9
MD5

2eb62a9cb4bf34aa7148a76820c51d31
SHA1

c286f05d2aa11a67976312bfbf4bc792cc971764
SHA256

a70c77735f279fe76a22770ce7abb6dcff5fabe7d1e1647c72137ec6e690329b
SHA512

13dbf48b6f384f78b5d6007866c172617a0774b9e27ecca48d3af6326c8e8f613163bf5a5d2e3dde98bab0d2d86ab93e37b3fb1b4a5ae9965a28e4b8dc8831e5
SSDEEP

24576:afaicdIfRzYcuRFKUb79GO7UufzmFKUb79GO7Uufz:ayic4I3KUbh57U2GKUbh57U2

Score

10^/10

lumma defense_evasion discovery persistence spyware stealer

Malware Config

Extracted

Family

lumma

C2

https://clarmodq.top/qoxo

https://soursopsf.run/gsoiao

https://changeaie.top/geps

https://ueasyupgw.live/eosz

https://liftally.top/xasj

https://upmodini.digital/gokk

https://salaccgfa.top/gsooz

https://zestmodp.top/zeda

https://xcelmodo.run/nahd

Targets

- Target
  
  Setup.exe
- Size
  
  1.2MB
- MD5
  
  2eb62a9cb4bf34aa7148a76820c51d31
- SHA1
  
  c286f05d2aa11a67976312bfbf4bc792cc971764
- SHA256
  
  a70c77735f279fe76a22770ce7abb6dcff5fabe7d1e1647c72137ec6e690329b
- SHA512
  
  13dbf48b6f384f78b5d6007866c172617a0774b9e27ecca48d3af6326c8e8f613163bf5a5d2e3dde98bab0d2d86ab93e37b3fb1b4a5ae9965a28e4b8dc8831e5
- SSDEEP
  
  24576:afaicdIfRzYcuRFKUb79GO7UufzmFKUb79GO7Uufz:ayic4I3KUbh57U2GKUbh57U2
Score

10^/10

lumma defense_evasion discovery persistence spyware stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Downloads MZ/PE file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Power Settings

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Obfuscated Files or Information

Command Obfuscation

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lummadefense_evasiondiscoverypersistencespywarestealer