
Lumma


Lumma is an information stealer written in C. It is sold as malware-as-a-service with several subscription plans. It typically targets cryptocurrency wallets, login credentials, and other sensitive data on a compromised system, and it receives regular updates that extend its functionality, making it a serious stealer threat.

Type: Stealer
Origin: ex-USSR
First seen: 1 August, 2022
Last seen: 2 December, 2023
Also known as: Lumma Stealer, LummaC2 Stealer


IOCs

IP addresses
77.73.134.68
195.123.227.138
185.99.133.246
195.123.226.91
217.12.206.230
82.118.23.50
45.9.74.78
Hashes
9eb3236d8299927a2d714a54dcde090928ea5a9ef86cf04163b05bf2acb5d13e
e69961d10df9e57bc9bd9a230903c52b020eed6cda03ff17127a556c6e07f0a9
0721f8fb7d8e0e4b4b555bab919de5df237b4bb9750a74c8b886ce8d9797a8b4
a58b87f315fd77116edce2744e443d0ce6bab9e087a2ead50626e986314f949e
d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077
2961e254970e8e350c4dfd4c3628e7ada6ae884e3d8da04ea6de94f1e0618af4
8617f7c08e56a17b770ec3c7aaef46ae121092b5ef5c55b8ff1c6f1123f9691a
fae5e404590827170d2a4bb417184544f59f749baa850f53328048d7ab3b17d5
9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9
95b42d7c055cab6fe8dcaef5d72ef190e300a80e158fb8300345558bd6f78aca
83ffeee1f0d4690e83edc9c4ad75b0d158cfbe4d8208a30a6fb75fa576b8f529
44d775feeb97f7dd148f6e7360b0a13bda2bec2339f09b873d739832d59568fc
8ed9e37207651dd545e5f55f201b1de202fd40eadc028937d5ab725071bf9810
20dfc84b3bde824fe41e4adc3539804cebcc9fd994c982b6f49646d0aa4a2af2
afdd6986f3bee6a1c2587925e051cac4090a3e2987634c04539756ac8f3f3dca
ec1320c986d85c99cf2663b7621154ec3302b5129e9ff88e2190089ffc8410a6
23ef0b3ae5efdf0397221eb2d2ffc08919f61f90c4e64c56b05d7030e447cfd8
d36d3e3be73c9a4ef91dc2377ad84bbb26f158680a46c2512b212e8181984dee
edb254fe10995bdad871d3b9def3f06533a0e18fe934a3e1069cdca5f41bfd8b
52221efcbf9aad19b294c323267f8bd6b2557fdd8fa167f030d2f03e858e6518
Domains
superyupp.fun
curtainjors.fun
gogobad.fun
glovesslave.fun
buggubucks.fun
castomarmor.xyz
gapi-node.io
bearboll.fun
funnycox.fun
valleydod.fun
mrcrubsaf.fun
formiklass.fun
comperssw.fun
kowersize.fun
builaos.fun
senpaireek.fun
suprafox.fun
gstatic-node.io
coolworks.xyz
magaway.fun
URLs
http://195.123.226.91/c2sock
http://gstatic-node.io/c2sock
http://winhttp.dll/c2sock
http://82.117.255.80/c2sock
http://185.99.133.246/c2sock
http://aloowforest.xyz/c2sock
http://speedtestip.xyz/c2sock
http://stoppublick.xyz/c2sock
http://many-verses.xyz/c2sock
http://worldofpoetry.xyz/c2sock
http://crazypictures.xyz/c2sock
http://skicloud-my.xyz/c2sock
http://solopodvip-my.xyz/c2sock
http://clonecloud-my.xyz/c2sock
http://2flowers-my.xyz/c2sock
http://vipcloud-my.xyz/c2sock
http://agustfreeday-my.xyz/c2sock
http://gservice-node.io/c2sock
http://195.123.227.138/c2sock
http://flowers-my.xyz/c2sock
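The IOC lists above are only useful once they are matched against telemetry. The following added example (written for this page; it is not ANY.RUN code, and the IOC subset and proxy log lines in it are constructed for illustration) normalises a handful of the IPs, domains and URLs listed above into one host set, drops entries that are not routable hosts (the listed `http://winhttp.dll/c2sock` names a Windows DLL, not a domain), and scans a Squid-style access log. Because every C2 URL on this page ends in the path `/c2sock`, the scanner also flags that path on hosts not yet on the list; the log format and the `c2sock_path` heuristic are this example's assumptions, not something the page documents.

```python
"""Match Lumma Stealer network IOCs against proxy logs.

Added example, not ANY.RUN code. Assumes a Squid-like access log with the
fields: timestamp client_ip method url status. IOC values below are a small
constructed subset of the page's lists; the log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the IOCs listed on the page.
IOC_IPS = {"77.73.134.68", "195.123.227.138", "185.99.133.246", "195.123.226.91"}
IOC_DOMAINS = {"gstatic-node.io", "gapi-node.io", "superyupp.fun", "many-verses.xyz"}
IOC_URLS = {
    "http://195.123.226.91/c2sock",
    "http://gstatic-node.io/c2sock",
    "http://winhttp.dll/c2sock",  # a DLL name, not a routable host; dropped by load_iocs()
    "http://82.117.255.80/c2sock",
}
# Every C2 URL on the page ends in this path, so treat it as a behavioural
# indicator that also catches servers not yet on the list (assumption: the
# path is stable across builds).
C2_PATH = "/c2sock"

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_routable_host(host: str) -> bool:
    """Accept IP addresses and dotted hostnames; reject file names such as 'winhttp.dll'."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if host.lower().endswith(".dll"):
        return False
    return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host.lower()) is not None


def load_iocs(urls=IOC_URLS, ips=IOC_IPS, domains=IOC_DOMAINS):
    """Normalise the raw lists into one lower-cased host set plus a set of full URLs."""
    hosts = set(ips) | {d.lower() for d in domains}
    full_urls = set()
    for u in urls:
        host = urlsplit(u).hostname or ""
        if not is_routable_host(host):
            continue
        hosts.add(host.lower())
        full_urls.add(u.lower())
    return hosts, full_urls


def classify(url: str, hosts, full_urls):
    """Return the strongest reason a URL matches, or None if it is clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if url.lower() in full_urls:
        return "ioc_url"
    if host in hosts:
        return "ioc_host"
    # A listed apex domain also covers its subdomains (e.g. cdn.gapi-node.io).
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in hosts:
            return "ioc_parent_domain"
    # Exact path match only: '/c2sockets' must not trigger.
    if parts.scheme == "http" and parts.path == C2_PATH:
        return "c2sock_path"
    return None


def scan(log_text: str, hosts=None, full_urls=None):
    """Yield (client_ip, url, reason) for every log line that matches an indicator."""
    if hosts is None:
        hosts, full_urls = load_iocs()
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash mid-hunt
        reason = classify(m["url"], hosts, full_urls)
        if reason:
            hits.append((m["client"], m["url"], reason))
    return hits


# Constructed proxy log: one clean request, three IOC hits, one unlisted host
# using the C2 path, and one near-miss path that must not match.
SAMPLE_LOG = """\
2023-12-02T10:00:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2023-12-02T10:00:05Z 10.0.0.15 POST http://gstatic-node.io/c2sock 200
2023-12-02T10:00:09Z 10.0.0.23 POST http://195.123.227.138/c2sock 200
2023-12-02T10:00:12Z 10.0.0.23 GET http://cdn.gapi-node.io/update 404
2023-12-02T10:00:20Z 10.0.0.42 POST http://brand-new-host.xyz/c2sock 200
2023-12-02T10:00:25Z 10.0.0.42 GET http://example.org/c2sockets 200
"""

if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{url}")
```

The `c2sock_path` rule is deliberately separate from the list matches so it can be tuned or dropped if the operators change the path; treat it as a hunting lead to confirm, not a blocking rule on its own.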


What is Lumma Stealer malware?

Lumma is a widely accessible malware stealer that is sold openly on Dark Web forums and Telegram channels. Although not as popular as other stealers, such as RedLine and Formbook, it has gained considerable traction among cybercriminals who focus on exfiltrating sensitive information from unsuspecting victims. Operated by a group believed to originate from former USSR countries, LummaC2 Stealer has been actively evolving since its emergence in 2022, receiving substantial updates that enhance its capabilities.

Lumma Stealer poses a significant threat to a wide range of computer systems, targeting devices running Windows operating systems from Windows 7 up to Windows 11. This broad compatibility allows the malware to infiltrate a vast network of systems, increasing its potential reach and impact.

Since it operates under a malware-as-a-service model, Lumma Stealer is accessible to anyone with the financial means to purchase a subscription, which has contributed to its widespread adoption. There are three subscription plans, each with a different feature set, including access to a command-and-control (C2) panel through which operators monitor and manage infected machines.


Technical details of the Lumma Stealer malicious software

Lumma enables criminals to engage in a variety of illicit activities and has a long list of capabilities, including:

  • Data exfiltration: The malware effectively gathers sensitive information from targeted applications, including login credentials, financial data, and personal details.
  • Regular updates: LummaC2 Stealer receives automatic updates on a regular basis.
  • Data log collection: Lumma Stealer collects detailed data logs from compromised endpoints, including information extracted from browsers and cryptocurrency wallets.
  • Loader capability: The stealer can drop additional malware onto compromised machines, expanding its malicious capabilities and potential impact.

Lumma Stealer has a vast range of features that make it a versatile tool for cybercriminals. For instance, all data the stealer transmits is encrypted on the infected host and only decrypted on the server side, which makes it harder to analyze the malware's exfiltration traffic from a network capture.

Another notable capability of the malware is neighbor detection, which notifies operators about other instances of the stealer running on the same system. The malware ships in ARM, x86, and x64 builds, so a single campaign can target the full range of Windows hardware.

The stealer can also be configured to be used via a Telegram bot.

Execution process of Lumma Stealer

ANY.RUN lets us expose the malicious activities of Lumma Stealer and collect IOCs by uploading its sample to the sandbox.

Because stealers try to keep a low profile, the execution chain of LummaC2 Stealer is kept as simple as possible: there are few processes, and no system tools are invoked inside the infected OS. Once the payload reaches the system, it starts executing immediately. A single malware process carries out all malicious activity, including data theft and C&C communication. If it cannot reach the C&C server, Lumma stops executing.


Figure: the process graph of Lumma Stealer as shown by the ANY.RUN sandbox.

Distribution methods of the Lumma Stealer malware

Lumma is utilized by numerous threat actors, both individuals and groups, who employ a variety of ways to deliver the payload to the target system.

  • Fake Software: One of the most prevalent methods used to distribute Lumma Stealer is through fake software. When unsuspecting users download and install these fake applications, they introduce the malware onto their systems.
  • Phishing Emails: Phishing emails remain a widely used attack vector for malware distribution, including Lumma Stealer. Cybercriminals craft emails that appear to be from legitimate sources, such as banks, e-commerce platforms, or social media networks.
  • Discord Messages: In some cases, Lumma Stealer operators have taken to targeting users through direct messaging on Discord, a popular chat platform. These actors engage with victims, attempting to build trust and persuade them to download infected executables under false pretenses.

Conclusion

The growing threat of LummaC2 Stealer calls for a proactive approach to cybersecurity. As this malware becomes more common, individuals and organizations must be aware of its diverse delivery methods and take steps to protect themselves. Malware analysis sandboxes, such as ANY.RUN, are a valuable tool for identifying and analyzing Lumma Stealer.

ANY.RUN is an advanced tool that provides a unique way to study malware. You can interact with infected systems in a safe cloud environment to observe how the malware behaves. It goes beyond simple observation by generating a detailed report that includes IOCs and malware configuration information, enabling you to take action against malware threats.


