lumma | 6ed72b789e722b398defd07bd4bd88b390f788128c20938bb72c8ddb93efee55

Sharing

Copy URL

Twitter E-mail

General

Target

main.py
Size

111KB
Sample

240624-2m8gdsygkp
MD5

74e88b3a5e1a99f8da4bb70196118a2a
SHA1

6fe34053ff448ffb53c9b09d5ba62c6561dc8b25
SHA256

6ed72b789e722b398defd07bd4bd88b390f788128c20938bb72c8ddb93efee55
SHA512

d06927ee30219346bc9557d6b5e5c56329e4d293b150361103df679763d70857284f51398d33fec9e2c2a4ed901896bb2d01b38d237aa568bd2bd988b51ecff8
SSDEEP

3072:p6ZDuGpHazDq5SRsKj1HcXoNFi66sCowjrMrhps7xw:p6ZDuGpHazD5sKFcXofV6sCoErMrhpsS

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Family

lumma

https://backcreammykiel.shop/api

Targets

- Target
  
  main.py
- Size
  
  111KB
- MD5
  
  74e88b3a5e1a99f8da4bb70196118a2a
- SHA1
  
  6fe34053ff448ffb53c9b09d5ba62c6561dc8b25
- SHA256
  
  6ed72b789e722b398defd07bd4bd88b390f788128c20938bb72c8ddb93efee55
- SHA512
  
  d06927ee30219346bc9557d6b5e5c56329e4d293b150361103df679763d70857284f51398d33fec9e2c2a4ed901896bb2d01b38d237aa568bd2bd988b51ecff8
- SSDEEP
  
  3072:p6ZDuGpHazDq5SRsKj1HcXoNFi66sCowjrMrhps7xw:p6ZDuGpHazD5sKFcXofV6sCoErMrhpsS
Score

10^/10

lumma rhadamanthys discovery evasion execution motw persistence phishing privilege_escalation pyinstaller stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Lumma Stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Mark of the Web detected: This indicates that the page was originally saved or cloned.

Power Settings

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2