Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Lumma

8
Global rank
3
Month rank
5 infographic chevron week
Week rank
0
IOCs

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Stealer
Type
ex-USSR
Origin
1 August, 2022
First seen
4 October, 2025
Last seen
Also known as
Lumma Stealer
LummaC2 Stealer

How to analyze Lumma with ANY.RUN

Type
ex-USSR
Origin
1 August, 2022
First seen
4 October, 2025
Last seen

IOCs

IP addresses
94.158.244.69
77.73.134.68
195.123.227.138
195.123.226.91
195.123.226.167
45.9.74.78
82.118.23.50
82.117.255.80
144.76.173.247
82.117.255.127
185.99.133.246
217.12.206.230
Hashes
9eb3236d8299927a2d714a54dcde090928ea5a9ef86cf04163b05bf2acb5d13e
c8eaa77c17c91d5d9c9cb2601fde4b2cfff8124113c755e3abc70dc2dde418b8
03eccfa5dea23fc185bcca277520d7ef473ff752649aac485ac055dd4111b2c1
dc5fc48cbd764acf7dd28c385279cf8b4296fb2d1e7b9aca3bc2352893194c94
1e92acabf037a60e7fbb97c0ba73e997bb4b602ad51333871423b778cae4f0b1
014db9057094603d58b0a9a917e3643220bcdb594be28437fcb26fb3d5c39de9
68c4b56a3aeac907d39a09ec6b53c252393cc68b69ffe9c553be893b2e7bd2a8
b6aa024e2681961c93d29f8600baa935b545e274db48eb832de1f3dea17db546
ad1d476e0f07d67f1fd670ba4a7227794f436c1fa01f08a2cdcd57f2f7d1be51
7ac90091d7037384ca3dc9a7a0459e3875e976496b3afd9a6a81ad6ace0ba002
821ca194a12d0085b5ea043efc6417e53227244da585af0bcc8995e1946cbebd
a1d9659e8f9df7dbcfebec0faafadeec8b43e0e5d0818aab0d63d0815490bce5
c42b0d200c2022fba3332dd1078cf1412ba37eb52bd74acf7edb4672b1d0f330
65e1a8e550df1000eb91a7b679cf586efab0f24385b810f50349d50eb80ae806
b1b8ea15e6bbfc7c38eb394d7e81a99a93689464faf991d77e28722e5b0e4681
194b8a204fa49ebeb6788ff2d3296251a0083331a4495e154c0c6012bcaa6cd7
bdabfcabcd75d8450c7982310542bbb78df553cee98fdfe56919fdaa2b10af84
e69961d10df9e57bc9bd9a230903c52b020eed6cda03ff17127a556c6e07f0a9
82cb239612d74eab70b12a0ca448bd82b3c5b418b8f05213d75ddddbbf0b4a5d
a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5
Domains
gservice-node.io
gstatic-node.io
colomndead.xyz
cloudsaled.xyz
exitlife.xyz
programmbox.xyz
coolworks.xyz
fisholl.xyz
doorblu.xyz
woodcat.xyz
polandgames.xyz
costexcise.xyz
balancelag.xyz
gapi-node.io
coursenote.xyz
quotamoney.xyz
singlesfree.xyz
gitarlessonfinger.xyz
buyerbrand.xyz
droppicches.xyz
URLs
http://185.99.133.246/c2sock
http://195.123.227.138/c2sock
http://82.117.255.80/c2sock
http://195.123.226.91/c2sock
http://195.123.226.167/c2sock
http://217.12.206.230/c2sock
http://gservice-node.io/c2sock
http://flowers-my.xyz/c2sock
http://agustfreeday-my.xyz/c2sock
http://2flowers-my.xyz/c2sock
http://vipcloud-my.xyz/c2sock
http://gstatic-node.io/c2sock
http://clonecloud-my.xyz/c2sock
http://solopodvip-my.xyz/c2sock
http://speedtestip.xyz/c2sock
http://crazypictures.xyz/c2sock
http://many-verses.xyz/c2sock
http://worldofpoetry.xyz/c2sock
http://winhttp.dll/c2sock
http://aloowforest.xyz/c2sock
Last Seen at
Last Seen at

Recent blog posts

post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 803
comments 0
post image
FunkSec’s FunkLocker: How AI Is Powering the...
watchers 2600
comments 0
post image
ANY.RUN & MS Defender: Enrich Alerts Faster,...
watchers 2495
comments 0

What is Lumma Stealer malware?

Lumma is a widely accessible malware stealer that is sold openly across Dark Web forums and Telegram channels. Although not as popular as other stealers, such as RedLine and Formbook, it has gained considerable traction among cybercriminals that focus on exfiltrating sensitive information from unsuspecting victims. Operated by a group believed to originate from former USSR countries, LummaC2 Stealer has been actively evolving since its initial emergence in 2022, getting substantial updates that enhance its capabilities.

Lumma Stealer poses a significant threat to a wide range of computer systems, targeting devices running Windows operating systems from Windows 7 up to Windows 11. This broad compatibility allows the malware to infiltrate a vast network of systems, increasing its potential reach and impact.

Since it operates under a malware-as-a-service model, Lumma Stealer is accessible to anyone with the financial means to purchase a subscription. This accessibility has contributed to the malware's widespread adoption. There are three subscription plans, each providing a varying range of features to users, including access to a command-and-control (C2) panel, which allows criminals to monitor and manage the malware's activities on compromised machines.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of the Lumma Stealer malicious software

Lumma enables criminals to engage in a variety of illicit activities and a has a long list of capabilities, including:

  • Data exfiltration: The malware effectively gathers sensitive information from targeted applications, including login credentials, financial data, and personal details.
  • Regular updates: LummaC2 Stealer receives automatic updates on a regular basis.
  • Data log collection: Lumma Stealer collects detailed data logs from compromised endpoints, including information extracted from browsers and cryptocurrency wallets.
  • Loader capability: The stealer can drop additional malware onto compromised machines, expanding its malicious capabilities and potential impact.

Lumma malware analysis shows a vast range of features that make it a versatile tool for cybercriminals. For instance, all data transmitted by the stealer is decrypted on the server side, which makes it more difficult to analyze the malware’s traffic during the exfiltration process.

Another notable capability of the malware is its neighbor detection, which notifies operators about other instances of the malware running on the same system. The malware supports ARM, x86, and x64 architectures, demonstrating its cross-platform compatibility and ability to target a wide range of devices.

The stealer can also be configured to be used via a Telegram bot.

Execution process of Lumma Stealer

ANY.RUN lets us expose the malicious activities of Lumma Stealer and collect IOCs by uploading its sample to the sandbox.

Since stealers are trying their best to hide their activities, the execution chain of malware Lumma is kept as simple as possible. Therefore, there are not a lot of processes, and no usage of system tools occurs inside the infected OS. After the payload makes its way into the infected system, it immediately starts execution.

Lumma graph shown in ANY.RUN The process graph of Lumma Stealer demonstrated by the ANY.RUN sandbox

The only process of the malware is responsible for carrying out all malicious activities, including data theft, C&C server communication, etc. If there is no connection with the C&C, Lumma stops its execution.

Gathering threat intelligence on Lumma malware

To collect up-to-date intelligence for Lumma stealer malware analysis and better understand what is Lumma malware, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Lumma Stealer.

Lumma ANY.RUN Search results for Lumma Stealer in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"Lumma" AND domain:"" will generate a list of files, events, domain names, and other data extracted from Lumma samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of the Lumma Stealer malware

Lumma malware is utilized by numerous threat actors, both individuals and groups, who employ a variety of ways to deliver the payload to the target system.

  • Fake Software: One of the most prevalent methods used to distribute Lumma Stealer is through fake software. When unsuspecting users download and install these fake applications, they introduce the malware onto their systems.
  • Phishing Emails: Phishing emails remain a widely used attack vector for malware distribution, including Lumma Stealer. Cybercriminals craft emails that appear to be from legitimate sources, such as banks, e-commerce platforms, or social media networks.
  • Discord Messages: In some cases, Lumma Stealer operators have taken to targeting users through direct messaging on Discord, a popular chat platform. These actors engage with victims, attempting to build trust and persuade them to download infected executables under false pretenses.

Conclusion

The growing threat of LummaC2 Stealer calls for a proactive approach to cybersecurity. As this malware becomes more common, individuals and organizations must be aware of its diverse delivery methods and take steps to protect themselves. Malware analysis sandboxes, such as ANY.RUN are a valuable tool for identifying and analyzing Lumma Stealer.

ANY.RUN is an advanced tool that provides a unique way to study malware. You can interact with infected systems in a safe cloud environment to observe how the malware behaves. It goes beyond simple observation by generating a detailed report that includes IOCs and malware configuration information, enabling you to take action against malware threats.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
Crypto malware screenshot
Crypto malware
miner xmrig jsminer
Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Phishing kit screenshot
Phishing kit
tycoon evilproxy sneaky2fa
Phishing kits are pre-packaged sets of malicious tools designed to make it easy for cybercriminals to launch phishing attacks. These kits replicate legitimate websites, steal credentials, and often include backend infrastructure for managing stolen data.
Read More
Qilin Ransomware screenshot
Qilin ransomware (predecessor known as “Agenda”) is a rapidly evolving ransomware-as-a-service (RaaS) operation targeting organizations worldwide. Known for double extortion tactics (encrypting files while also threatening to leak stolen data) Qilin has quickly gained notoriety for its customization, flexibility, and impact on critical infrastructure.
Read More