BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Lumma

33
Global rank
7 infographic chevron month
Month rank
5 infographic chevron week
Week rank
761
IOCs

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Stealer
Type
ex-USSR
Origin
1 August, 2022
First seen
17 July, 2024
Last seen
Also known as
Lumma Stealer
LummaC2 Stealer

How to analyze Lumma with ANY.RUN

Type
ex-USSR
Origin
1 August, 2022
First seen
17 July, 2024
Last seen

IOCs

IP addresses
185.99.133.246
82.117.255.80
195.123.227.138
77.73.134.68
195.123.226.91
217.12.206.230
82.118.23.50
45.9.74.78
Hashes
eeb80e95dc59793eecc2dc980c31879238db0703ecef2e4901a302c0713341c8
d0e7a341fe199dbabb5f0798dba0564e9b60e4736a405c46eafc7232cc10dc40
575d4d61e043f68fbc070d178284a2cacfb2ecaa0e352df98382e0fde7495f5f
8a80210b1f6382cdbff2afc0c9a30092fc13687a33f293e36a9dbc0263a45101
a90294b602b51fff7b04e72deeb3e88fb200272321c939f00e13bde1d49ff1a3
caef56e10966a7754ce9ce15fc721c16ecfa498bf256fd31062591dfc55e459b
257bcb2bac99fe5e876857ec4511cada759e7f515de629e43cbb0f839575e7fc
78785ab759dd61f4a9fb561faef90234fb0a78696523d1df53312c7a3eff99fe
0fd84e29cc46596c5dd309ac7b40a590365a49a7b115351c2788d9a57f84dda0
13abf6d3fb96441b6375658759ad25a585f64a4a9b18cc95dfc382e054d9ad14
a4ea760306249b07d5af054b5fc82d5fd9dcab5e5cb6eab3c8e8eb9132ebf882
d932ee10f02ea5bb60ed867d9687a906f1b8472f01fc5543b06f9ab22059b264
7ae17d6ab6fa79af574fad70d163649b8a75aa10cb89d6da4ade87d6e2a785f0
ce00c5433fb2481534577e90b23e61b164654ad41c5a0f14ba59735ed637e326
81c7fdd43f9eac8792a97d59d62dc24ce9d693ae0f8d0ea6f25b5cde510c4680
2560f4997ab679d7b72bf27f367dca4bac80c9bfd5f0f37d8af5428c7d3e1817
924e96e559d9598189e2297ce76f2f503ef54c05a2e89909251ae7d3996b8914
a4e189e07f1db1b4826c5d539f024eb0f949a4c678ac34c71a76c0dd9e01c684
77460056386f07d96908455241b15091c3edecd9fd55fbf6ce7f3a061c7ac5cd
9e0f1ff73f6022528985bf3cf88ecac10e0de30d786611f2c34a4923cad8fe14
Domains
conformfucdioz.shop
applyzxcksdia.shop
instructionpxjc.shop
replacedoxcjzp.shop
declaredczxi.shop
arriveoxpzxo.shop
contemplateodszsv.shop
catchddkxozvp.shop
bindceasdiwozx.shop
ellaboratepwsz.xyz
foodypannyjsud.shop
potterryisiw.shop
towerxxuytwi.xyz
pedestriankodwu.xyz
extorteauhhwigw.shop
penetratedpoopp.xyz
swellfrrgwwos.xyz
contintnetksows.shop
spackledzpxs.shop
whangeeeerodpz.shop
URLs
http://195.123.226.91/c2sock
http://gstatic-node.io/c2sock
http://winhttp.dll/c2sock
http://82.117.255.80/c2sock
http://185.99.133.246/c2sock
http://aloowforest.xyz/c2sock
http://speedtestip.xyz/c2sock
http://stoppublick.xyz/c2sock
http://many-verses.xyz/c2sock
http://worldofpoetry.xyz/c2sock
http://crazypictures.xyz/c2sock
http://skicloud-my.xyz/c2sock
http://solopodvip-my.xyz/c2sock
http://clonecloud-my.xyz/c2sock
http://2flowers-my.xyz/c2sock
http://vipcloud-my.xyz/c2sock
http://agustfreeday-my.xyz/c2sock
http://gservice-node.io/c2sock
http://195.123.227.138/c2sock
http://flowers-my.xyz/c2sock
Last Seen at

Recent blog posts

post image
What Are the 3 Types of Threat Intelligence D...
watchers 148
comments 0
post image
Expert Q&A: Aaron Fillmore on his Cyberse...
watchers 158
comments 0
post image
Malware Trends Report: Q2, 2024 
watchers 1628
comments 0

What is Lumma Stealer malware?

Lumma is a widely accessible malware stealer that is sold openly across Dark Web forums and Telegram channels. Although not as popular as other stealers, such as RedLine and Formbook, it has gained considerable traction among cybercriminals that focus on exfiltrating sensitive information from unsuspecting victims. Operated by a group believed to originate from former USSR countries, LummaC2 Stealer has been actively evolving since its initial emergence in 2022, getting substantial updates that enhance its capabilities.

Lumma Stealer poses a significant threat to a wide range of computer systems, targeting devices running Windows operating systems from Windows 7 up to Windows 11. This broad compatibility allows the malware to infiltrate a vast network of systems, increasing its potential reach and impact.

Since it operates under a malware-as-a-service model, Lumma Stealer is accessible to anyone with the financial means to purchase a subscription. This accessibility has contributed to the malware's widespread adoption. There are three subscription plans, each providing a varying range of features to users, including access to a command-and-control (C2) panel, which allows criminals to monitor and manage the malware's activities on compromised machines.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Lumma Stealer malicious software

Lumma enables criminals to engage in a variety of illicit activities and a has a long list of capabilities, including:

  • Data exfiltration: The malware effectively gathers sensitive information from targeted applications, including login credentials, financial data, and personal details.
  • Regular updates: LummaC2 Stealer receives automatic updates on a regular basis.
  • Data log collection: Lumma Stealer collects detailed data logs from compromised endpoints, including information extracted from browsers and cryptocurrency wallets.
  • Loader capability: The stealer can drop additional malware onto compromised machines, expanding its malicious capabilities and potential impact.

Lumma Stealer has a vast range of features that make it a versatile tool for cybercriminals. For instance, all data transmitted by the stealer is decrypted on the server side, which makes it more difficult to analyze the malware’s traffic during the exfiltration process.

Another notable capability of the malware is its neighbor detection, which notifies operators about other instances of the malware running on the same system. The malware supports ARM, x86, and x64 architectures, demonstrating its cross-platform compatibility and ability to target a wide range of devices.

The stealer can also be configured to be used via a Telegram bot.

Execution process of Lumma Stealer

ANY.RUN lets us expose the malicious activities of Lumma Stealer and collect IOCs by uploading its sample to the sandbox.

Since stealers are trying their best to hide their activities, the execution chain of LummaC2 Stealer is kept as simple as possible. Therefore, there are not a lot of processes, and no usage of system tools occurs inside the infected OS. After the payload makes its way into the infected system, it immediately starts execution. The only process of the malware is responsible for carrying out all malicious activities, including data theft, C&C server communication, etc. If there is no connection with the C&C, Lumma stops its execution.

Analyze Lumma for free in a fully interactive cloud sandbox – request a demo.

Lumma graph shown in ANY.RUN The process graph of Lumma Stealer demonstrated by the ANY.RUN sandbox

Distribution methods of the Lumma Stealer malware

Lumma is utilized by numerous threat actors, both individuals and groups, who employ a variety of ways to deliver the payload to the target system.

  • Fake Software: One of the most prevalent methods used to distribute Lumma Stealer is through fake software. When unsuspecting users download and install these fake applications, they introduce the malware onto their systems.
  • Phishing Emails: Phishing emails remain a widely used attack vector for malware distribution, including Lumma Stealer. Cybercriminals craft emails that appear to be from legitimate sources, such as banks, e-commerce platforms, or social media networks.
  • Discord Messages: In some cases, Lumma Stealer operators have taken to targeting users through direct messaging on Discord, a popular chat platform. These actors engage with victims, attempting to build trust and persuade them to download infected executables under false pretenses.

Conclusion

The growing threat of LummaC2 Stealer calls for a proactive approach to cybersecurity. As this malware becomes more common, individuals and organizations must be aware of its diverse delivery methods and take steps to protect themselves. Malware analysis sandboxes, such as ANY.RUN are a valuable tool for identifying and analyzing Lumma Stealer.

ANY.RUN is an advanced tool that provides a unique way to study malware. You can interact with infected systems in a safe cloud environment to observe how the malware behaves. It goes beyond simple observation by generating a detailed report that includes IOCs and malware configuration information, enabling you to take action against malware threats.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy