General

  • Target

    4dc6817bec53dd590507242b48c8d43a908de0a2e0225323172279d6e2d5082c.bin

  • Size

    1.8MB

  • Sample

    250630-y1qxqavlx2

  • MD5

    11325a637812037257049898bfd84d8e

  • SHA1

    f898f3ee90b1e84ad277637000db6b81ec505e43

  • SHA256

    4dc6817bec53dd590507242b48c8d43a908de0a2e0225323172279d6e2d5082c

  • SHA512

    85f8a8db124391b67b6b12a13c59d258414547cd81c2a8519ca5e7578b143355cbdfc857f72b8e66e2e9f05835ac15231315e472677b2447de5ea1c55fdbc4d9

  • SSDEEP

    49152:+ytDIJgj4BbpJPWeSKiX4K4NcJULh6WZxt7Gk:tuQi9hWeSKiXahLtik

Malware Config

Extracted

Family

lumma

C2


Attributes
  • build_id

    080ec158e4fa90ee075f94002685e208ef12426b62

Targets

    • Target

      4dc6817bec53dd590507242b48c8d43a908de0a2e0225323172279d6e2d5082c.bin


    • Lumma Stealer, LummaC

      Lumma, or LummaC, is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16