
Lumma


Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 August, 2022
Last seen: 24 October, 2025
Also known as: Lumma Stealer, LummaC2 Stealer


IOCs



What is Lumma Stealer malware?

Lumma is a widely accessible malware stealer that is sold openly across Dark Web forums and Telegram channels. Although not as popular as other stealers, such as RedLine and Formbook, it has gained considerable traction among cybercriminals who focus on exfiltrating sensitive information from unsuspecting victims. Operated by a group believed to originate from former USSR countries, LummaC2 Stealer has been actively evolving since its initial emergence in 2022, receiving substantial updates that enhance its capabilities.

Lumma Stealer poses a significant threat to a wide range of computer systems, targeting devices running Windows operating systems from Windows 7 up to Windows 11. This broad compatibility allows the malware to infiltrate a vast network of systems, increasing its potential reach and impact.

Since it operates under a malware-as-a-service model, Lumma Stealer is accessible to anyone with the financial means to purchase a subscription. This accessibility has contributed to the malware's widespread adoption. There are three subscription plans, each providing a varying range of features to users, including access to a command-and-control (C2) panel, which allows criminals to monitor and manage the malware's activities on compromised machines.


Technical details of the Lumma Stealer malicious software

Lumma enables criminals to engage in a variety of illicit activities and has a long list of capabilities, including:

  • Data exfiltration: The malware effectively gathers sensitive information from targeted applications, including login credentials, financial data, and personal details.
  • Regular updates: LummaC2 Stealer receives automatic updates on a regular basis.
  • Data log collection: Lumma Stealer collects detailed data logs from compromised endpoints, including information extracted from browsers and cryptocurrency wallets.
  • Loader capability: The stealer can drop additional malware onto compromised machines, expanding its malicious capabilities and potential impact.

Lumma malware analysis shows a vast range of features that make it a versatile tool for cybercriminals. For instance, all data the stealer transmits is encrypted in transit and decrypted only on the server side, which makes it more difficult to analyze the malware’s traffic during the exfiltration process.

Another notable capability of the malware is its neighbor detection, which notifies operators about other instances of the malware running on the same system. The malware supports ARM, x86, and x64 architectures, demonstrating its compatibility across architectures and its ability to target a wide range of devices.

The stealer can also be configured to be used via a Telegram bot.

Execution process of Lumma Stealer

ANY.RUN lets us expose the malicious activities of Lumma Stealer and collect IOCs by uploading its sample to the sandbox.

Since stealers do their best to hide their activity, the execution chain of Lumma is kept as simple as possible. As a result, there are not many processes, and no system tools are used inside the infected OS. Once the payload reaches the infected system, it immediately starts execution.

Figure: The process graph of Lumma Stealer demonstrated by the ANY.RUN sandbox

The only process of the malware is responsible for carrying out all malicious activities, including data theft, C&C server communication, etc. If there is no connection with the C&C, Lumma stops its execution.
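As an added illustration (not code from the original page or from ANY.RUN), the following Python triage script scans proxy log lines for the C2 traffic pattern described above: requests to the /c2sock path and to a few hosts taken from this page's IOC list. The log format, client addresses and the benign lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Small watchlist taken from this page's IOC section; the listed C2 URLs share the /c2sock path.
LUMMA_C2_HOSTS = {"gservice-node.io", "gstatic-node.io", "185.99.133.246", "195.123.227.138"}
LUMMA_C2_PATH = "/c2sock"

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status
SAMPLE_PROXY_LOG = """\
2025-10-24T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200
2025-10-24T10:01:09Z 10.0.0.15 POST http://gservice-node.io/c2sock 200
2025-10-24T10:01:10Z 10.0.0.22 POST http://185.99.133.246/c2sock 200
2025-10-24T10:02:30Z 10.0.0.31 POST http://unknown-host.xyz/c2sock 200
2025-10-24T10:03:00Z 10.0.0.15 GET http://cdn.example.net/c2sockets/lib.js 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(url):
    """Return 'ioc' for a known C2 host, 'pattern' for an unknown host using the
    /c2sock path, or None for a request that matches neither."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in LUMMA_C2_HOSTS:
        return "ioc"
    # Exact path comparison: /c2sockets/lib.js must not trigger the pattern rule.
    if parts.path == LUMMA_C2_PATH:
        return "pattern"
    return None


def scan_proxy_log(text):
    """Parse each log line and collect the requests worth escalating."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        verdict = classify(m["url"])
        if verdict:
            hits.append({"client": m["client"], "url": m["url"], "match": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['match']:7} {hit['client']} -> {hit['url']}")
```

A 'pattern' hit on an unlisted host is a candidate for a new indicator rather than a confirmed one; the page's own IOC list changes as the malware's infrastructure rotates.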

Gathering threat intelligence on Lumma malware

To collect up-to-date intelligence for Lumma stealer malware analysis and better understand what Lumma malware is, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Lumma Stealer.

Figure: Search results for Lumma Stealer in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"Lumma" AND domain:"" will generate a list of files, events, domain names, and other data extracted from Lumma samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.


Distribution methods of the Lumma Stealer malware

Lumma malware is utilized by numerous threat actors, both individuals and groups, who employ a variety of ways to deliver the payload to the target system.

  • Fake Software: One of the most prevalent methods used to distribute Lumma Stealer is through fake software. When unsuspecting users download and install these fake applications, they introduce the malware onto their systems.
  • Phishing Emails: Phishing emails remain a widely used attack vector for malware distribution, including Lumma Stealer. Cybercriminals craft emails that appear to be from legitimate sources, such as banks, e-commerce platforms, or social media networks.
  • Discord Messages: In some cases, Lumma Stealer operators have taken to targeting users through direct messaging on Discord, a popular chat platform. These actors engage with victims, attempting to build trust and persuade them to download infected executables under false pretenses.

Conclusion

The growing threat of LummaC2 Stealer calls for a proactive approach to cybersecurity. As this malware becomes more common, individuals and organizations must be aware of its diverse delivery methods and take steps to protect themselves. Malware analysis sandboxes, such as ANY.RUN, are a valuable tool for identifying and analyzing Lumma Stealer.

ANY.RUN is an advanced tool that provides a unique way to study malware. You can interact with infected systems in a safe cloud environment to observe how the malware behaves. It goes beyond simple observation by generating a detailed report that includes IOCs and malware configuration information, enabling you to take action against malware threats.

