BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Lumma

34
Global rank
28 infographic chevron month
Month rank
22 infographic chevron week
Week rank
546
IOCs

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Stealer
Type
ex-USSR
Origin
1 August, 2022
First seen
21 April, 2024
Last seen
Also known as
Lumma Stealer
LummaC2 Stealer

How to analyze Lumma with ANY.RUN

Type
ex-USSR
Origin
1 August, 2022
First seen
21 April, 2024
Last seen

IOCs

IP addresses
185.99.133.246
82.117.255.80
195.123.227.138
77.73.134.68
195.123.226.91
217.12.206.230
82.118.23.50
45.9.74.78
Hashes
03eccfa5dea23fc185bcca277520d7ef473ff752649aac485ac055dd4111b2c1
ad1d476e0f07d67f1fd670ba4a7227794f436c1fa01f08a2cdcd57f2f7d1be51
cb387bae0f6159b3a7b95e80df34c2d9480cd52d15e3b606a9bdb7072a759883
c28bc925e3bad21b524eca44b846ae271a0435e9735c9624ba6404d8125401a5
65f59b33867862480eb3765dbbe8666cd038770daf6d22761cf0a5f50613221f
d856a66ea554538d421abceb2d304200537f5a268cbfde8f52f41a0c048edfdc
134162ed5422ce094f4c36c11e97ea4357b88ac0bc1d42e0a30777489c41f1d0
81b2dcbb79c2896141772043e55e5a6c667c16f4fa3e387ac308268c192f9c8a
b39157f7bbbfd61397419f6363229e6c3c546d7119e0c1da7c7c018c6ab2bb10
00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49
f09a014d0585a020f9caacb1b31a410fc83feda3aa3ce13b8764c8715b9e5d6a
d17c03b595fd35d296ccb56be6ded2c9d458695577eaa4b66bc42a99f08061e0
55e9b1c3ec5c6d634dcfd03b8456c14b39743f3c2330605c650d22065a0a381b
e1bcdf91cd3dde7393303b56dd43c6607534951371ad8704d44ce72b21fbc4f4
748beb41fd1efde44f7f71dbbb82d0a91a985bc5005743449dd640c189117f12
d5df840c5011f30ec58eedfedadcbac88c61c63b024404f3d36dfe35cc638809
fa17e210411f573776d09f0147e6f02e242fc14b838277b40050948c56885d61
e46ea44a8cf96ae1551de4db98496001d9236e7e47cf71d494023b2084b48d08
680983a0cdb8a1458cebc758c98d58c5e8c06e68a19bc85d991597b2c0bd878b
7158440878f84164f9136301f6f408c9900fc715cbc701ef03c9b01980682a62
Domains
gstatic-node.io
wifeplasterbakewis.shop
carstirgapcheatdeposwte.pw
recessionconceptjetwe.pw
playerweighmailydailew.pw
evokenumberpottruckere.fun
goddirtybrilliancece.fun
blastechohackopeower.pw
methodgreenglassdatw.shop
pillowbrocccolipe.shop
hunterstrawmersp.homes
baketransparentadw.pics
legislationdictater.mom
bleednumberrottern.homes
mercyaloofprincipleo.pics
brakesummitfiightre.pics
lawwormroleveinn.mom
developmentalveiop.homes
culturesketchfinanciall.shop
liabilityarrangemenyit.shop
URLs
http://195.123.226.91/c2sock
http://gstatic-node.io/c2sock
http://winhttp.dll/c2sock
http://82.117.255.80/c2sock
http://185.99.133.246/c2sock
http://aloowforest.xyz/c2sock
http://speedtestip.xyz/c2sock
http://stoppublick.xyz/c2sock
http://many-verses.xyz/c2sock
http://worldofpoetry.xyz/c2sock
http://crazypictures.xyz/c2sock
http://skicloud-my.xyz/c2sock
http://solopodvip-my.xyz/c2sock
http://clonecloud-my.xyz/c2sock
http://2flowers-my.xyz/c2sock
http://vipcloud-my.xyz/c2sock
http://agustfreeday-my.xyz/c2sock
http://gservice-node.io/c2sock
http://195.123.227.138/c2sock
http://flowers-my.xyz/c2sock
Last Seen at

Recent blog posts

post image
New PowerShell Script Tracer: Analyze PowerSh...
watchers 456
comments 0
post image
Dmitry Marinov: ANY.RUN’s CTO on TI Lookup, S...
watchers 277
comments 0
post image
Malware Trends Report: Q1, 2024
watchers 1835
comments 0

What is Lumma Stealer malware?

Lumma is a widely accessible malware stealer that is sold openly across Dark Web forums and Telegram channels. Although not as popular as other stealers, such as RedLine and Formbook, it has gained considerable traction among cybercriminals that focus on exfiltrating sensitive information from unsuspecting victims. Operated by a group believed to originate from former USSR countries, LummaC2 Stealer has been actively evolving since its initial emergence in 2022, getting substantial updates that enhance its capabilities.

Lumma Stealer poses a significant threat to a wide range of computer systems, targeting devices running Windows operating systems from Windows 7 up to Windows 11. This broad compatibility allows the malware to infiltrate a vast network of systems, increasing its potential reach and impact.

Since it operates under a malware-as-a-service model, Lumma Stealer is accessible to anyone with the financial means to purchase a subscription. This accessibility has contributed to the malware's widespread adoption. There are three subscription plans, each providing a varying range of features to users, including access to a command-and-control (C2) panel, which allows criminals to monitor and manage the malware's activities on compromised machines.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Lumma Stealer malicious software

Lumma enables criminals to engage in a variety of illicit activities and a has a long list of capabilities, including:

  • Data exfiltration: The malware effectively gathers sensitive information from targeted applications, including login credentials, financial data, and personal details.
  • Regular updates: LummaC2 Stealer receives automatic updates on a regular basis.
  • Data log collection: Lumma Stealer collects detailed data logs from compromised endpoints, including information extracted from browsers and cryptocurrency wallets.
  • Loader capability: The stealer can drop additional malware onto compromised machines, expanding its malicious capabilities and potential impact.

Lumma Stealer has a vast range of features that make it a versatile tool for cybercriminals. For instance, all data transmitted by the stealer is decrypted on the server side, which makes it more difficult to analyze the malware’s traffic during the exfiltration process.

Another notable capability of the malware is its neighbor detection, which notifies operators about other instances of the malware running on the same system. The malware supports ARM, x86, and x64 architectures, demonstrating its cross-platform compatibility and ability to target a wide range of devices.

The stealer can also be configured to be used via a Telegram bot.

Execution process of Lumma Stealer

ANY.RUN lets us expose the malicious activities of Lumma Stealer and collect IOCs by uploading its sample to the sandbox.

Since stealers are trying their best to hide their activities, the execution chain of LummaC2 Stealer is kept as simple as possible. Therefore, there are not a lot of processes, and no usage of system tools occurs inside the infected OS. After the payload makes its way into the infected system, it immediately starts execution. The only process of the malware is responsible for carrying out all malicious activities, including data theft, C&C server communication, etc. If there is no connection with the C&C, Lumma stops its execution.

Analyze Lumma for free in a fully interactive cloud sandbox – request a demo.

Lumma graph shown in ANY.RUN The process graph of Lumma Stealer demonstrated by the ANY.RUN sandbox

Distribution methods of the Lumma Stealer malware

Lumma is utilized by numerous threat actors, both individuals and groups, who employ a variety of ways to deliver the payload to the target system.

  • Fake Software: One of the most prevalent methods used to distribute Lumma Stealer is through fake software. When unsuspecting users download and install these fake applications, they introduce the malware onto their systems.
  • Phishing Emails: Phishing emails remain a widely used attack vector for malware distribution, including Lumma Stealer. Cybercriminals craft emails that appear to be from legitimate sources, such as banks, e-commerce platforms, or social media networks.
  • Discord Messages: In some cases, Lumma Stealer operators have taken to targeting users through direct messaging on Discord, a popular chat platform. These actors engage with victims, attempting to build trust and persuade them to download infected executables under false pretenses.

Conclusion

The growing threat of LummaC2 Stealer calls for a proactive approach to cybersecurity. As this malware becomes more common, individuals and organizations must be aware of its diverse delivery methods and take steps to protect themselves. Malware analysis sandboxes, such as ANY.RUN are a valuable tool for identifying and analyzing Lumma Stealer.

ANY.RUN is an advanced tool that provides a unique way to study malware. You can interact with infected systems in a safe cloud environment to observe how the malware behaves. It goes beyond simple observation by generating a detailed report that includes IOCs and malware configuration information, enabling you to take action against malware threats.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy