lumma | 2cc415a2842f99afca9b19c3a4d57d48cfa681cf389650c8a3b53d4fe0e0bca0

General

Target

GMBH_Bremen.2.1.zip
Size

169.4MB
Sample

250416-3ljbjsxsc1
MD5

190ffcea0308d68c6b1d9a9e2bf105c5
SHA1

cef0b5c4836c636432479795e11328241638e226
SHA256

2cc415a2842f99afca9b19c3a4d57d48cfa681cf389650c8a3b53d4fe0e0bca0
SHA512

2210a73360912a71a3d1a40316c8fb94afc838ba2c51fbf224c281709fbf6614fb8dc20d8b666bb8df7b6a5bc6cc521025801f42b4dabb5661b40402edbd8158
SSDEEP

3145728:lfZLrU3YWd/aFvTsEJzB3ZCXYk04Oa1fZLrU3YWd/aFAEJzB3ZCXYk04OU:lhUIfTd3ZCXYkLZhUIfzd3ZCXYkLd

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
64.52.80.157
Port:
21
Username:
SSA
Password:
PASS

Extracted

Credentials

Protocol: ftp
Host:
188.120.227.9
Port:
21
Username:
PK1
Password:
PK1

Extracted

Family

lumma

C2

https://asalaccgfa.top/gsooz

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://lonfgshadow.live/xawi

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://zestmodp.top/zeda

https://owlflright.digital/qopy

Extracted

Family

vidar

Version

13.5

Botnet

5e0c4261602b0cd231c9ba5491376d7b

C2

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Targets

- Target
  
  Start_setup.exe
- Size
  
  37KB
- MD5
  
  f6f76de82f4a87fcabbe011876e53670
- SHA1
  
  b7aec7f9870935daf1faba58aeb2a4deaeba116c
- SHA256
  
  a97e2a8da8d70d6f4e5df730b4fe7996e2d6b1cab9971faa4a8ec2857f1eecc9
- SHA512
  
  d089c54324467e120fe0040f78f01b663287b7082e70e37bb387b9bd12d94102786259f3318a7483a3edea634c07aa8aecbb10e749fbb1869ae827333f9ccad2
- SSDEEP
  
  768:xn04RNfdSXe28HjPxWlk0CoCzXtBi4PY//I0D3fmoxbxAuauIRdzOcSQbNC:h04f1SMHjZ0k/tB1g//I0DuoxbxAHsci
Score

10^/10

lumma vidar 5e0c4261602b0cd231c9ba5491376d7b credential_access discovery spyware stealer persistence
- Detect Vidar Stealer
  stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2