lumma | 561ac9394509138348480e01174b172865a62e459b513eaf563e56383f6245d2 | Triage

Analysis

max time kernel
309s
max time network
405s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 18:26

Sharing

Report Analysis Logs

General

Target

KFlauncher.exe
Size

800.0MB
MD5

f7c1dc7f9dac099eb30107e510c7dcb9
SHA1

083e11e618ace120afb92f917b09000e09fca66e
SHA256

530196d385b60cf89a3b2373aa02160327a8fee5ea4b5f75cbeba09442fcdadc
SHA512

52017c0c279854c28350b51fbaad917e9c384a6ef3eb081d687ac9443d12658b37135cc12f296a3af45b0bc0a5236bb1a205065dc03e758cdba6e7eb505c87fe
SSDEEP

12288:q5oTYAP7BBXdQo3XnS0aC/RGmhQrQEEctA21JW:0EDBrQo3X74zrQE9J

Score

10^/10

Malware Config

Extracted

Family

lumma

C2

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

KFlauncher.exe

description pid process target process

PID 5116 set thread context of 3272 5116 KFlauncher.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1868 5116 WerFault.exe KFlauncher.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

KFlauncher.exe

description	pid	process	target process
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe
PID 5116 wrote to memory of 3272	5116	KFlauncher.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\KFlauncher.exe
"C:\Users\Admin\AppData\Local\Temp\KFlauncher.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 596
2⤵
- Program crash
PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3272-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3272-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3272-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5116-1-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download