Lumma Stealer (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.lumma (Back to overview)

Lumma Stealer

aka: LummaC2 Stealer

VTCollection

Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.

References

2024-10-17 ⋅ Loader Insight Agency ⋅ LIA
Correlating Vidar Stealer Build IDs Based on Loader Tasks
Lumma Stealer SmokeLoader Vidar

2024-10-08 ⋅ Trustwave ⋅ Cris Tomboc, King Orande
Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader
Pronsis Loader Latrodectus Lumma Stealer

2024-10-05 ⋅ Mandar Naik
Malware Analysis - Lumma Stealer
Lumma Stealer

2024-09-25 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi
Lumma Stealer - Malware Analysis
Lumma Stealer

2024-09-20 ⋅ McAfee ⋅ Aayush Tyagi, Yashvi Shah
Behind the CAPTCHA: A Clever Gateway of Malware
Emmenhtal Lumma Stealer

2024-09-09 ⋅ Denwp Research ⋅ Tonmoy Jitu
Dissecting Lumma Malware: Analyzing the Fake CAPTCHA and Obfuscation Techniques - Part 2
Lumma Stealer

2024-08-30 ⋅ Denwp Research ⋅ Tonmoy Jitu
Anatomy of a Lumma Stealer Attack via Fake CAPTCHA Pages - Part 1
Lumma Stealer

2024-07-24 ⋅ Check Point Research ⋅ Antonis Terefos
Stargazers Ghost Network
Atlantida Lumma Stealer RedLine Stealer Rhadamanthys RisePro Stargazer Goblin

2024-07-23 ⋅ Fortinet ⋅ Fortinet
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed
ACR Stealer Lumma Stealer Meduza Stealer

2024-07-22 ⋅ Censys ⋅ Censys, Embee_research
A Beginner’s Guide to Hunting Malicious Open Directories
Cobalt Strike Lumma Stealer Vidar

2024-07-11 ⋅ McAfee ⋅ Vignesh Dhatchanamoorthy, Yashvi Shah
ClickFix Deception: A Social Engineering Tactic to Deploy Malware
DarkGate Lumma Stealer

2024-07-02 ⋅ Sekoia ⋅ Quentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar

2024-06-21 ⋅ 0x1c ⋅ 0x1c
[0001] AmberAmethystDaisy -> QuartzBegonia -> LummaStealer
Lumma Stealer

2024-06-17 ⋅ Trellix ⋅ Alejandro Houspanossian
Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion
HijackLoader Lumma Stealer

2024-06-17 ⋅ Proofpoint ⋅ Proofpoint
From Clipboard to Compromise: A PowerShell Self-Pwn
DarkGate HijackLoader Lumma Stealer Matanbuchus NetSupportManager RAT TA571

2024-05-29 ⋅ eSentire ⋅ eSentire
Fake Browser Updates delivering BitRAT and Lumma Stealer
BitRAT Lumma Stealer

2024-03-24 ⋅ Viuleeenz ⋅ Alessandro Strino
Understanding API Hashing and build a rainbow table for LummaStealer
Lumma Stealer

2024-03-07 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2024-03-07 (THURSDAY): LATRODECTUS INFECTION LEADS TO LUMMA STEALER
Latrodectus Lumma Stealer

2024-02-13 ⋅ Palo Alto Networks Unit 42 ⋅ Ofir Ozer, Or Chechik
A Deep Dive Into Malicious Direct Syscall Detection
Lumma Stealer

2024-02-13 ⋅ Gridinsoft ⋅ Gridinsoft Cyber Security
What is Lumma Stealer?
Lumma Stealer

2024-02-04 ⋅ Viuleeenz ⋅ Alessandro Strino
Understanding PEB and LDR Structures using IDA and LummaStealer
Lumma Stealer

2024-01-30 ⋅ ANY.RUN ⋅ Lena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP

2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver

2024-01-08 ⋅ Fortinet ⋅ Cara Lin
Deceptive Cracked Software Spreads Lumma Variant on YouTube
Lumma Stealer

2024-01-08 ⋅ YouTube (Embee Research) ⋅ Embee_research
Malware Analysis - Decoding Obfuscated Powershell and HTA Files (Lumma Stealer)
Lumma Stealer

2023-11-20 ⋅ Outpost24 ⋅ Alberto Marín
Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection
Lumma Stealer

2023-11-16 ⋅ Medium g0njxa ⋅ g0njxa
Approaching stealers devs : a brief interview with LummaC2
Lumma Stealer

2023-10-27 ⋅ Elastic ⋅ Joe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar

2023-10-17 ⋅ Intrinsec ⋅ CTI Intrinsec
Lumma Stealer actively deployed in multiple campaigns
Lumma Stealer

2023-09-07 ⋅ eSentire ⋅ eSentire
The Case of LummaC2 v4.0
Lumma Stealer

2023-09-06 ⋅ Darktrace ⋅ DarkTrace
The Rise of the Lumma Info-Stealer
Lumma Stealer

2023-08-31 ⋅ Rapid7 Labs ⋅ Evan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT

2023-04-09 ⋅ @0xToxin
LummaC2 BreakDown
Lumma Stealer

2023-04-05 ⋅ Outpost24 ⋅ Alberto Marín
Everything you need to know about the LummaC2 Stealer: Leveraging IDA Python and Unicorn to deobfuscate Windows API Hashing
Lumma Stealer

2023-02-27 ⋅ Medium s2wlab ⋅ Jiho Kim, Lee Sebin
Lumma Stealer targets YouTubers via Spear-phishing Email
Lumma Stealer

2023-02-03 ⋅ Cloudsek ⋅ Deepanjli Paulraj, Pavan Karthick M
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware
Alfonso Stealer Bandit Stealer Cameleon Fabookie Lumma Stealer Nanocore RAT Panda Stealer RecordBreaker RedLine Stealer Stealc STOP Vidar zgRAT

2023-01-13 ⋅ Twitter (@Ishusoka) ⋅ Ishu
Tweets on updates regarding Lumma Stealer
Lumma Stealer

2023-01-06 ⋅ cyble ⋅ Cyble
LummaC2 Stealer: A Potent Threat To Crypto Users
Lumma Stealer

2022-09-22 ⋅ Twitter (@sekoia_io) ⋅ sekoia
Tweets on Lumma stealer
Lumma Stealer

2022-08-16 ⋅ Twitter (@fumik0_) ⋅ fumik0
Tweet on Lumma Stealer based on Mars Stealer
Lumma Stealer

Yara Rules

[TLP:WHITE] win_lumma_auto (20241030 | Detects win.lumma.)

rule win_lumma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.lumma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 53 ff767c ff7678 ff7644 }
            // n = 4, score = 1100
            //   53                   | push                ebx
            //   ff767c               | push                dword ptr [esi + 0x7c]
            //   ff7678               | push                dword ptr [esi + 0x78]
            //   ff7644               | push                dword ptr [esi + 0x44]

        $sequence_1 = { ff7608 ff7044 ff503c 83c414 }
            // n = 4, score = 1100
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff7044               | push                dword ptr [eax + 0x44]
            //   ff503c               | call                dword ptr [eax + 0x3c]
            //   83c414               | add                 esp, 0x14

        $sequence_2 = { ff7134 ff5130 83c410 85c0 }
            // n = 4, score = 1100
            //   ff7134               | push                dword ptr [ecx + 0x34]
            //   ff5130               | call                dword ptr [ecx + 0x30]
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax

        $sequence_3 = { e8???????? 833800 740a e8???????? 833822 }
            // n = 5, score = 1000
            //   e8????????           |                     
            //   833800               | cmp                 dword ptr [eax], 0
            //   740a                 | je                  0xc
            //   e8????????           |                     
            //   833822               | cmp                 dword ptr [eax], 0x22

        $sequence_4 = { 894610 8b461c c1e002 50 }
            // n = 4, score = 1000
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax

        $sequence_5 = { ff770c ff37 ff7134 ff5130 }
            // n = 4, score = 1000
            //   ff770c               | push                dword ptr [edi + 0xc]
            //   ff37                 | push                dword ptr [edi]
            //   ff7134               | push                dword ptr [ecx + 0x34]
            //   ff5130               | call                dword ptr [ecx + 0x30]

        $sequence_6 = { 83c410 85c0 7407 8907 }
            // n = 4, score = 1000
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   8907                 | mov                 dword ptr [edi], eax

        $sequence_7 = { ff7678 ff7644 ff563c 83c414 }
            // n = 4, score = 1000
            //   ff7678               | push                dword ptr [esi + 0x78]
            //   ff7644               | push                dword ptr [esi + 0x44]
            //   ff563c               | call                dword ptr [esi + 0x3c]
            //   83c414               | add                 esp, 0x14

        $sequence_8 = { 017e78 83567c00 017e68 83566c00 }
            // n = 4, score = 800
            //   017e78               | add                 dword ptr [esi + 0x78], edi
            //   83567c00             | adc                 dword ptr [esi + 0x7c], 0
            //   017e68               | add                 dword ptr [esi + 0x68], edi
            //   83566c00             | adc                 dword ptr [esi + 0x6c], 0

        $sequence_9 = { 83c40c 6a02 6804010000 e8???????? }
            // n = 4, score = 800
            //   83c40c               | add                 esp, 0xc
            //   6a02                 | push                2
            //   6804010000           | push                0x104
            //   e8????????           |                     

        $sequence_10 = { 8d8672920300 ff7604 57 50 }
            // n = 4, score = 800
            //   8d8672920300         | lea                 eax, [esi + 0x39272]
            //   ff7604               | push                dword ptr [esi + 4]
            //   57                   | push                edi
            //   50                   | push                eax

        $sequence_11 = { ff7034 ff5030 83c410 85c0 }
            // n = 4, score = 800
            //   ff7034               | push                dword ptr [eax + 0x34]
            //   ff5030               | call                dword ptr [eax + 0x30]
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax

        $sequence_12 = { 41 5a cb 55 89e5 }
            // n = 5, score = 700
            //   41                   | inc                 ecx
            //   5a                   | pop                 edx
            //   cb                   | retf                
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp

        $sequence_13 = { e8???????? 83c40c 017e58 297e5c 03be8c000000 }
            // n = 5, score = 700
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   017e58               | add                 dword ptr [esi + 0x58], edi
            //   297e5c               | sub                 dword ptr [esi + 0x5c], edi
            //   03be8c000000         | add                 edi, dword ptr [esi + 0x8c]

        $sequence_14 = { 59 41 58 5a 59 41 5a }
            // n = 7, score = 700
            //   59                   | pop                 ecx
            //   41                   | inc                 ecx
            //   58                   | pop                 eax
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx
            //   41                   | inc                 ecx
            //   5a                   | pop                 edx

        $sequence_15 = { f6460a04 7507 837e3c30 0f92c0 }
            // n = 4, score = 700
            //   f6460a04             | test                byte ptr [esi + 0xa], 4
            //   7507                 | jne                 9
            //   837e3c30             | cmp                 dword ptr [esi + 0x3c], 0x30
            //   0f92c0               | setb                al

        $sequence_16 = { c70000000000 85c9 7406 c70100000000 c7466cfeffffff b8feffffff 5e }
            // n = 7, score = 700
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   85c9                 | test                ecx, ecx
            //   7406                 | je                  8
            //   c70100000000         | mov                 dword ptr [ecx], 0
            //   c7466cfeffffff       | mov                 dword ptr [esi + 0x6c], 0xfffffffe
            //   b8feffffff           | mov                 eax, 0xfffffffe
            //   5e                   | pop                 esi

        $sequence_17 = { e8???????? 83c40c 019e8c000000 39ef }
            // n = 4, score = 700
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   019e8c000000         | add                 dword ptr [esi + 0x8c], ebx
            //   39ef                 | cmp                 edi, ebp

    condition:
        7 of them and filesize < 1115136
}

[TLP:WHITE] win_lumma_w0 (20230118 | detect_Lumma_stealer)

rule win_lumma_w0 {
	meta:
		description = "detect_Lumma_stealer"
		author = "@malgamy12"
		date = "2022-11-3"
		license = "DRL 1.1"
		hunting = "https://www.hybrid-analysis.com/sample/f18d0cd673fd0bd3b071987b53b5f97391a56f6e4f0c309a6c1cee6160f671c0"
		hash1 = "19b937654065f5ee8baee95026f6ea7466ee2322"
        hash2 = "987f93e6fa93c0daa0ef2cf4a781ca53a02b65fe"
        hash3 = "70517a53551269d68b969a9328842cea2e1f975c"
        hash4 = "9b7b72c653d07a611ce49457c73ee56ed4c4756e"
        hash5 = "4992ebda2b069281c924288122f76556ceb5ae02"
        hash6 = "5c67078819246f45ff37d6db81328be12f8fc192"
        hash7 = "87fe98a00e1c3ed433e7ba6a6eedee49eb7a9cf9"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $m1 = "LummaC\\Release\\LummaC.pdb" ascii fullword

        $s1 = "Cookies.txt" ascii
        $s2 = "Autofills.txt" ascii
        $s3 = "ProgramData\\config.txt" ascii
        $s4 = "ProgramData\\softokn3.dll" ascii
        $s5 = "ProgramData\\winrarupd.zip" ascii
        

        $chunk_1 = {C1 E8 ?? 33 C6 69 C8 ?? ?? ?? ?? 5F 5E 8B C1 C1 E8 ??}

    condition:
        $m1 or (4 of ($s*) and $chunk_1 )
}

[TLP:WHITE] win_lumma_w1 (20230918 | No description)

rule win_lumma_w1 {
	meta:
		author = "Matthew @ Embee_Research"
		yarahub_author_twitter = "@embee_research"
		desc = "Detects obfuscation methods observed in Lumma Stealer Payloads"
		sha_256 = "277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf"
		sha_256 = "7f18cf601b818b11068bb8743283ae378f547a1581682ea3cc163186aae7c55d"
		sha_256 = "03796740db48a98a4438c36d7b8c14b0a871bf8c692e787f1bf093b2d584999f"
		date = "2023-09-13"
		source = "https://github.com/embee-research/Yara-detection-rules/blob/main/Rules/win_lumma%20_simple.yar"
        yarahub_uuid = "39c32477-9a80-485b-b17a-4adf05f66cf8"
       	yarahub_license = "CC BY-NC 4.0"
        malpedia_family = "win.lumma"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_version = "20230918"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
	strings:

		$o1 = {57 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 62 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00}
		$o2 = {4f 00 70 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 72 00 61 00 20 00 4e 00 65 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 6e 00}
		$o3 = {4c 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 67 00 69 00 6e 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00}

	condition:
		uint16(0) == 0x5a4d
		and
		filesize < 5000KB
		and
		(all of ($o*))


}

Download all Yara Rules

Lumma Stealer Propose Change

References

Yara Rules

Lumma Stealer