Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Lumma

16
Global rank
1
Month rank
1 infographic chevron week
Week rank
0
IOCs

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Stealer
Type
ex-USSR
Origin
1 August, 2022
First seen
14 March, 2025
Last seen
Also known as
Lumma Stealer
LummaC2 Stealer

How to analyze Lumma with ANY.RUN

Type
ex-USSR
Origin
1 August, 2022
First seen
14 March, 2025
Last seen

IOCs

IP addresses
195.123.226.91
94.158.244.69
185.99.133.246
144.76.173.247
195.123.226.167
195.123.227.138
82.117.255.80
77.73.134.68
217.12.206.230
82.118.23.50
45.9.74.78
Domains
gservice-node.io
millyscroqwp.shop
caffegclasiqwp.shop
locatedblsoqp.shop
evoliutwoqm.shop
condedqpwqm.shop
traineiwnqo.shop
votteryloeq.shop
stamppreewntnq.shop
stagedchheiqwo.shop
pushjellysingeywus.shop
mealplayerpreceodsju.shop
suitcaseacanehalk.shop
entitlementappwo.shop
democraticseekysiwo.shop
economicscreateojsu.shop
absentconvicsjawun.shop
bordersoarmanusjuw.shop
wifeplasterbakewis.shop
deicedosmzj.shop
URLs
http://185.99.133.246/c2sock
http://195.123.226.91/c2sock
http://gstatic-node.io/c2sock
http://winhttp.dll/c2sock
http://82.117.255.80/c2sock
http://aloowforest.xyz/c2sock
http://speedtestip.xyz/c2sock
http://stoppublick.xyz/c2sock
http://many-verses.xyz/c2sock
http://worldofpoetry.xyz/c2sock
http://crazypictures.xyz/c2sock
http://skicloud-my.xyz/c2sock
http://solopodvip-my.xyz/c2sock
http://clonecloud-my.xyz/c2sock
http://2flowers-my.xyz/c2sock
http://vipcloud-my.xyz/c2sock
http://agustfreeday-my.xyz/c2sock
http://gservice-node.io/c2sock
http://195.123.227.138/c2sock
http://flowers-my.xyz/c2sock
Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 268
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 365
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 515
comments 0

What is Lumma Stealer malware?

Lumma is a widely accessible malware stealer that is sold openly across Dark Web forums and Telegram channels. Although not as popular as other stealers, such as RedLine and Formbook, it has gained considerable traction among cybercriminals that focus on exfiltrating sensitive information from unsuspecting victims. Operated by a group believed to originate from former USSR countries, LummaC2 Stealer has been actively evolving since its initial emergence in 2022, getting substantial updates that enhance its capabilities.

Lumma Stealer poses a significant threat to a wide range of computer systems, targeting devices running Windows operating systems from Windows 7 up to Windows 11. This broad compatibility allows the malware to infiltrate a vast network of systems, increasing its potential reach and impact.

Since it operates under a malware-as-a-service model, Lumma Stealer is accessible to anyone with the financial means to purchase a subscription. This accessibility has contributed to the malware's widespread adoption. There are three subscription plans, each providing a varying range of features to users, including access to a command-and-control (C2) panel, which allows criminals to monitor and manage the malware's activities on compromised machines.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of the Lumma Stealer malicious software

Lumma enables criminals to engage in a variety of illicit activities and a has a long list of capabilities, including:

  • Data exfiltration: The malware effectively gathers sensitive information from targeted applications, including login credentials, financial data, and personal details.
  • Regular updates: LummaC2 Stealer receives automatic updates on a regular basis.
  • Data log collection: Lumma Stealer collects detailed data logs from compromised endpoints, including information extracted from browsers and cryptocurrency wallets.
  • Loader capability: The stealer can drop additional malware onto compromised machines, expanding its malicious capabilities and potential impact.

Lumma malware analysis shows a vast range of features that make it a versatile tool for cybercriminals. For instance, all data transmitted by the stealer is decrypted on the server side, which makes it more difficult to analyze the malware’s traffic during the exfiltration process.

Another notable capability of the malware is its neighbor detection, which notifies operators about other instances of the malware running on the same system. The malware supports ARM, x86, and x64 architectures, demonstrating its cross-platform compatibility and ability to target a wide range of devices.

The stealer can also be configured to be used via a Telegram bot.

Execution process of Lumma Stealer

ANY.RUN lets us expose the malicious activities of Lumma Stealer and collect IOCs by uploading its sample to the sandbox.

Since stealers are trying their best to hide their activities, the execution chain of malware Lumma is kept as simple as possible. Therefore, there are not a lot of processes, and no usage of system tools occurs inside the infected OS. After the payload makes its way into the infected system, it immediately starts execution.

Lumma graph shown in ANY.RUN The process graph of Lumma Stealer demonstrated by the ANY.RUN sandbox

The only process of the malware is responsible for carrying out all malicious activities, including data theft, C&C server communication, etc. If there is no connection with the C&C, Lumma stops its execution.

Gathering threat intelligence on Lumma malware

To collect up-to-date intelligence for Lumma stealer malware analysis and better understand what is Lumma malware, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Lumma Stealer.

Lumma ANY.RUN Search results for Lumma Stealer in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"Lumma" AND domain:"" will generate a list of files, events, domain names, and other data extracted from Lumma samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of the Lumma Stealer malware

Lumma malware is utilized by numerous threat actors, both individuals and groups, who employ a variety of ways to deliver the payload to the target system.

  • Fake Software: One of the most prevalent methods used to distribute Lumma Stealer is through fake software. When unsuspecting users download and install these fake applications, they introduce the malware onto their systems.
  • Phishing Emails: Phishing emails remain a widely used attack vector for malware distribution, including Lumma Stealer. Cybercriminals craft emails that appear to be from legitimate sources, such as banks, e-commerce platforms, or social media networks.
  • Discord Messages: In some cases, Lumma Stealer operators have taken to targeting users through direct messaging on Discord, a popular chat platform. These actors engage with victims, attempting to build trust and persuade them to download infected executables under false pretenses.

Conclusion

The growing threat of LummaC2 Stealer calls for a proactive approach to cybersecurity. As this malware becomes more common, individuals and organizations must be aware of its diverse delivery methods and take steps to protect themselves. Malware analysis sandboxes, such as ANY.RUN are a valuable tool for identifying and analyzing Lumma Stealer.

ANY.RUN is an advanced tool that provides a unique way to study malware. You can interact with infected systems in a safe cloud environment to observe how the malware behaves. It goes beyond simple observation by generating a detailed report that includes IOCs and malware configuration information, enabling you to take action against malware threats.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Remote Access Trojan screenshot
Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More