General

  • Target

    eae4aa0f083a86a6b40dd4d5451129411f549fd9f736737b9364450ad4fb3690.bin

  • Size

    1.8MB

  • Sample

    250630-thjcpssry2

  • MD5

    517735da69f918bddeab9f1aadf47c42

  • SHA1

    bc76a04f3efd8da6c77d6488b6a28e8f2ee8d187

  • SHA256

    eae4aa0f083a86a6b40dd4d5451129411f549fd9f736737b9364450ad4fb3690

  • SHA512

    eb8854a683df0c4682ca7cf242a24e0cc879c31a298d73758e6c5a1f1e4ce23ec5bb81e0cbdb238469e439adc8dc9acc0e717bade64701eb94622c5e137626cf

  • SSDEEP

    49152:0BhZW92dD1yMr/e0gcIXNPcDVcpFHVwLOM+JjFWbyKJ3:8ZNr/OmDVcpF3Wua3

Malware Config

Extracted

Family

lumma

C2

https://rbmlh.xyz/lakd

https://pacwpw.xyz/qwpr

https://comkxjs.xyz/taox

https://unurew.xyz/anhd

https://trsuv.xyz/gait

https://sqgzl.xyz/taoa

https://cexpxg.xyz/airq

https://urarfx.xyz/twox

https://liaxn.xyz/nbzh

Attributes
  • build_id

    390bea80c680e8ad8f5a7491c21e9997d7df1956cb
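
The extracted config above is the most useful part of the report for defenders. The following script turns it into network and file IOCs and runs them over a DNS log. It is an added example, not part of the sandbox report or of any Lumma tooling: the C2 URLs, build_id and hashes are copied from the report; the DNS log lines are constructed, and the Suricata SID range is an arbitrary assumption.

```python
"""Network IOCs from the extracted Lumma config above.

Added example, not part of the sandbox report or the Lumma tooling: the C2
URLs, build_id and file hashes are copied from the report; the DNS log lines
are constructed for the demonstration and the Suricata SIDs are arbitrary.
"""
from urllib.parse import urlsplit

LUMMA_C2 = [
    "https://rbmlh.xyz/lakd",
    "https://pacwpw.xyz/qwpr",
    "https://comkxjs.xyz/taox",
    "https://unurew.xyz/anhd",
    "https://trsuv.xyz/gait",
    "https://sqgzl.xyz/taoa",
    "https://cexpxg.xyz/airq",
    "https://urarfx.xyz/twox",
    "https://liaxn.xyz/nbzh",
]
BUILD_ID = "390bea80c680e8ad8f5a7491c21e9997d7df1956cb"
FILE_HASHES = {
    "517735da69f918bddeab9f1aadf47c42",                                  # MD5
    "bc76a04f3efd8da6c77d6488b6a28e8f2ee8d187",                          # SHA1
    "eae4aa0f083a86a6b40dd4d5451129411f549fd9f736737b9364450ad4fb3690",  # SHA256
}


def c2_domains(urls):
    """Reduce the C2 URLs to sorted, lowercase hostnames.
    The path differs per host, so the hostname is the part worth blocking."""
    return sorted({urlsplit(u).hostname.lower() for u in urls})


def hash_is_known(digest):
    """Case-insensitive lookup of an MD5/SHA1/SHA256 against the sample's hashes."""
    return digest.strip().lower() in FILE_HASHES


def suricata_rules(domains, sid_base=9000000):
    """One DNS-query rule per C2 host; sid_base is an assumed local SID range."""
    return [
        f'alert dns any any -> any any (msg:"Lumma C2 DNS query {d}"; '
        f'dns.query; content:"{d}"; nocase; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


# Constructed DNS log: "<timestamp> <client> <query name>" per line.
SAMPLE_DNS_LOG = """\
2025-06-30T12:00:01Z 10.0.0.15 www.microsoft.com
2025-06-30T12:00:03Z 10.0.0.15 rbmlh.xyz
2025-06-30T12:00:05Z 10.0.0.22 login.live.com
2025-06-30T12:00:07Z 10.0.0.15 cdn.trsuv.xyz
2025-06-30T12:00:09Z 10.0.0.31 unurew.xyz.lookalike.example
"""


def match_dns_log(log_text, domains):
    """Return (timestamp, client, query, c2_domain) for each query that is a C2
    host or a subdomain of one. A plain substring test would also flag the
    last sample line, whose name merely contains a C2 host, so the check is
    exact match or dot-separated suffix."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        q = qname.lower().rstrip(".")
        for d in domains:
            if q == d or q.endswith("." + d):
                hits.append((ts, client, q, d))
                break
    return hits


if __name__ == "__main__":
    doms = c2_domains(LUMMA_C2)
    print("\n".join(suricata_rules(doms)))
    for hit in match_dns_log(SAMPLE_DNS_LOG, doms):
        print("C2 lookup:", hit)
```

Match on the hostname rather than the full URL: the report shows a different path on every host, and the hostname is what resolvers, proxies and DNS RPZ can act on. The suffix check keeps lookalike names that merely contain a C2 host from producing false positives.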

Targets

    • Target

      eae4aa0f083a86a6b40dd4d5451129411f549fd9f736737b9364450ad4fb3690.bin

    • Size

      1.8MB

    • MD5

      517735da69f918bddeab9f1aadf47c42

    • SHA1

      bc76a04f3efd8da6c77d6488b6a28e8f2ee8d187

    • SHA256

      eae4aa0f083a86a6b40dd4d5451129411f549fd9f736737b9364450ad4fb3690

    • SHA512

      eb8854a683df0c4682ca7cf242a24e0cc879c31a298d73758e6c5a1f1e4ce23ec5bb81e0cbdb238469e439adc8dc9acc0e717bade64701eb94622c5e137626cf

    • SSDEEP

      49152:0BhZW92dD1yMr/e0gcIXNPcDVcpFHVwLOM+JjFWbyKJ3:8ZNr/OmDVcpF3Wua3

    • Lumma Stealer, LummaC

      Lumma (also known as LummaC) is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox guests expose the hypervisor's name in the ACPI table keys under HKLM\HARDWARE\ACPI; reading them is a common way to detect a VM before running the payload.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the thread from delivering debug events to an attached debugger, a common anti-debugging technique.
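
The VirtualBox ACPI, BIOS, Wine, installed-software and ThreadHideFromDebugger signatures above are all visible in a sandbox API trace as a handful of registry paths and one thread-information class. The script below matches such a trace against them. It is an added example, not part of the report or of the sandbox's own signature engine: the registry key paths are the standard locations these checks read (assumed here, not taken from the report), the trace format and its lines are constructed, and the "two or more anti-analysis techniques" threshold is an arbitrary triage heuristic.

```python
"""Host-side matching for the anti-VM, anti-Wine, software-enumeration and
anti-debug behaviours listed in the report.

Added example, not the sandbox's own signature engine. Key paths are the
standard ones these checks use (assumed); the trace lines are constructed in
a "<pid> <api> <argument>" shape for the demonstration.
"""
import re

# (signature name, API-name regex, argument regex); all case-insensitive.
RULES = [
    ("vbox_acpi", r"RegOpenKeyEx|RegQueryValueEx|NtOpenKey",
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),        # VirtualBox OEM id in ACPI tables
    ("bios_info", r"RegQueryValueEx|NtQueryValueKey",
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)"),
    ("wine", r"RegOpenKeyEx|NtOpenKey",
     r"\\Software\\Wine$"),                                  # HKCU/HKLM\Software\Wine
    ("uninstall_enum", r"RegOpenKeyEx|RegEnumKeyEx|NtOpenKey",
     r"\\CurrentVersion\\Uninstall(\\|$)"),                  # installed-software enumeration
    ("hide_from_debugger", r"NtSetInformationThread",
     r"ThreadInformationClass=(0x11|17)\b"),                # ThreadHideFromDebugger == 0x11
]
COMPILED = [(n, re.compile(a, re.I), re.compile(b, re.I)) for n, a, b in RULES]

# Signatures that indicate analysis evasion rather than data collection.
ANTI_ANALYSIS = {"vbox_acpi", "bios_info", "wine", "hide_from_debugger"}

# Constructed trace. The Run-key line and the 0x1 information class are
# benign and must not be flagged.
SAMPLE_TRACE = r"""4120 RegOpenKeyExW HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
4120 RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
4120 RegOpenKeyExW HKEY_CURRENT_USER\Software\Wine
4120 RegOpenKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
4120 RegEnumKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
4120 NtSetInformationThread ThreadInformationClass=0x11
4120 RegOpenKeyExW HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
4120 NtSetInformationThread ThreadInformationClass=0x1"""


def classify_trace(text):
    """Map each signature name to the 1-based trace line numbers that fired it."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        pid, api, args = line.split(maxsplit=2)
        for name, api_re, arg_re in COMPILED:
            if api_re.search(api) and arg_re.search(args):
                hits.setdefault(name, []).append(lineno)
    return hits


def evasion_score(hits):
    """Number of distinct anti-analysis techniques observed."""
    return len(ANTI_ANALYSIS & hits.keys())


def triage_verdict(hits, threshold=2):
    """Arbitrary heuristic: two or more evasion techniques is worth escalating."""
    return "escalate: sandbox/debugger evasion" if evasion_score(hits) >= threshold else "review"


if __name__ == "__main__":
    found = classify_trace(SAMPLE_TRACE)
    for name, lines in found.items():
        print(f"{name:20s} lines {lines}")
    print(triage_verdict(found))
```

The argument patterns anchor on the backslash-separated key path rather than on a bare substring such as "Wine", so ordinary keys that happen to contain the word do not fire; the ThreadHideFromDebugger rule accepts the class in either hex or decimal, since trace tools print it both ways.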

MITRE ATT&CK Enterprise v16

Tasks