lumma | 49c3626b86a498a0346f3cac6ea95a9e320a5cbeca75491ff6fd64ea12b5211b | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2025-05-08_85bc7f02cec175bea7e72b93823725ca_frostygoop_hijackloader_knight_luca-stealer_poet-rat_sliver_snatch
Size

9.4MB
Sample

250508-nrsd3ssrz8
MD5

85bc7f02cec175bea7e72b93823725ca
SHA1

553e10db2546ac14af83c2867f26df42cf8e3c9c
SHA256

49c3626b86a498a0346f3cac6ea95a9e320a5cbeca75491ff6fd64ea12b5211b
SHA512

384d9b504b2a8becda50b12ce4b15b9b17bf894bed9e4344a7d98c8238e97e19b63f0abbea17e36ba12d0ac12b4dac30b242ec52f83fe98bf8504d92372dd34e
SSDEEP

196608:GhvYp8xv9NID47mF49WPNcLXko2Vx/6eg:GhC8VYs7mu9iqbkoy/E

Score

10^/10

lumma discovery persistence spyware stealer

Malware Config

Extracted

Family

lumma

C2

https://improvxf.run/kobe

https://voznessxyy.life/bnaz

https://insidegrah.run/ieop

https://homewappzb.top/tqba

https://clatteqrpq.digital/kljz

https://descenrugb.bet/woap

https://grizzlqzuk.live/qhbu

https://ninepicchf.bet/lznd

https://snakejh.top/adsk

Targets

- Target
  
  2025-05-08_85bc7f02cec175bea7e72b93823725ca_frostygoop_hijackloader_knight_luca-stealer_poet-rat_sliver_snatch
- Size
  
  9.4MB
- MD5
  
  85bc7f02cec175bea7e72b93823725ca
- SHA1
  
  553e10db2546ac14af83c2867f26df42cf8e3c9c
- SHA256
  
  49c3626b86a498a0346f3cac6ea95a9e320a5cbeca75491ff6fd64ea12b5211b
- SHA512
  
  384d9b504b2a8becda50b12ce4b15b9b17bf894bed9e4344a7d98c8238e97e19b63f0abbea17e36ba12d0ac12b4dac30b242ec52f83fe98bf8504d92372dd34e
- SSDEEP
  
  196608:GhvYp8xv9NID47mF49WPNcLXko2Vx/6eg:GhC8VYs7mu9iqbkoy/E
Score

10^/10

lumma discovery persistence spyware stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lummadiscoverypersistencespywarestealer

behavioral2

lummadiscoverypersistencespywarestealer

	
		OSZAR »