win.lumma

Lumma Stealer

aka: LummaC2 Stealer

Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing further sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads as EXE, DLL, or PowerShell.

References

Date | Source | Author(s) | Title | Families covered
2024-03-24 | Viuleeenz | Alessandro Strino | Understanding API Hashing and build a rainbow table for LummaStealer | Lumma Stealer
2024-03-07 | Malware Traffic Analysis | Brad Duncan | 2024-03-07 (THURSDAY): LATRODECTUS INFECTION LEADS TO LUMMA STEALER | Lumma Stealer, Unidentified 111 (Latrodectus)
2024-02-13 | Palo Alto Networks Unit 42 | Ofir Ozer, Or Chechik | A Deep Dive Into Malicious Direct Syscall Detection | Lumma Stealer
2024-02-13 | Gridinsoft | Gridinsoft Cyber Security | What is Lumma Stealer? | Lumma Stealer
2024-02-04 | Viuleeenz | Alessandro Strino | Understanding PEB and LDR Structures using IDA and LummaStealer | Lumma Stealer
2024-01-30 | ANY.RUN | Lena (LambdaMamba) | CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP | Amadey, CrackedCantil, Lumma Stealer, PrivateLoader, RedLine Stealer, RisePro, SmokeLoader, Socks5 Systemz, Stealc, STOP
2024-01-12 | Spamhaus | Spamhaus Malware Labs | Spamhaus Botnet Threat Update Q4 2023 | FluBot, Hook, FAKEUPDATES, AsyncRAT, BianLian, Cobalt Strike, DCRat, Havoc, IcedID, Lumma Stealer, Meterpreter, NjRAT, Pikabot, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver
2024-01-08 | Fortinet | Cara Lin | Deceptive Cracked Software Spreads Lumma Variant on YouTube | Lumma Stealer
2024-01-08 | YouTube (Embee Research) | Embee_research | Malware Analysis - Decoding Obfuscated Powershell and HTA Files (Lumma Stealer) | Lumma Stealer
2023-11-20 | Outpost24 | Alberto Marín | Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection | Lumma Stealer
2023-11-16 | Medium g0njxa | g0njxa | Approaching stealers devs : a brief interview with LummaC2 | Lumma Stealer
2023-10-27 | Elastic | Joe Desimone, Salim Bitam | GHOSTPULSE haunts victims using defense evasion bag o' tricks | HijackLoader, Lumma Stealer, NetSupportManager RAT, Rhadamanthys, SectopRAT, Vidar
2023-10-17 | Intrinsec | CTI Intrinsec | Lumma Stealer actively deployed in multiple campaigns | Lumma Stealer
2023-09-07 | eSentire | eSentire | The Case of LummaC2 v4.0 | Lumma Stealer
2023-09-06 | Darktrace | DarkTrace | The Rise of the Lumma Info-Stealer | Lumma Stealer
2023-08-31 | Rapid7 Labs | Evan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw | Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | FAKEUPDATES, Amadey, HijackLoader, Lumma Stealer, SectopRAT
2023-04-09 | @0xToxin | | LummaC2 BreakDown | Lumma Stealer
2023-04-05 | Outpost24 | Alberto Marín | Everything you need to know about the LummaC2 Stealer: Leveraging IDA Python and Unicorn to deobfuscate Windows API Hashing | Lumma Stealer
2023-02-27 | Medium s2wlab | Jiho Kim, Lee Sebin | Lumma Stealer targets YouTubers via Spear-phishing Email | Lumma Stealer
2023-01-13 | Twitter (@Ishusoka) | Ishu | Tweets on updates regarding Lumma Stealer | Lumma Stealer
2023-01-06 | cyble | Cyble | LummaC2 Stealer: A Potent Threat To Crypto Users | Lumma Stealer
2022-09-22 | Twitter (@sekoia_io) | sekoia | Tweets on Lumma stealer | Lumma Stealer
2022-08-16 | Twitter (@fumik0_) | fumik0 | Tweet on Lumma Stealer based on Mars Stealer | Lumma Stealer
Yara Rules
[TLP:WHITE] win_lumma_auto (20230808 | Detects win.lumma.)
rule win_lumma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.lumma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 53 ff767c ff7678 }
            // n = 4, score = 1100
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ff767c               | push                dword ptr [esi + 0x7c]
            //   ff7678               | push                dword ptr [esi + 0x78]

        $sequence_1 = { ffd0 83c40c 894648 85c0 }
            // n = 4, score = 1000
            //   ffd0                 | call                eax
            //   83c40c               | add                 esp, 0xc
            //   894648               | mov                 dword ptr [esi + 0x48], eax
            //   85c0                 | test                eax, eax

        $sequence_2 = { ff5130 83c410 85c0 7407 }
            // n = 4, score = 1000
            //   ff5130               | call                dword ptr [ecx + 0x30]
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9

        $sequence_3 = { ff7678 ff7644 ff563c 83c414 }
            // n = 4, score = 1000
            //   ff7678               | push                dword ptr [esi + 0x78]
            //   ff7644               | push                dword ptr [esi + 0x44]
            //   ff563c               | call                dword ptr [esi + 0x3c]
            //   83c414               | add                 esp, 0x14

        $sequence_4 = { ff770c ff37 ff7134 ff5130 }
            // n = 4, score = 1000
            //   ff770c               | push                dword ptr [edi + 0xc]
            //   ff37                 | push                dword ptr [edi]
            //   ff7134               | push                dword ptr [ecx + 0x34]
            //   ff5130               | call                dword ptr [ecx + 0x30]

        $sequence_5 = { ff7608 ff7044 ff503c 83c414 }
            // n = 4, score = 1000
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff7044               | push                dword ptr [eax + 0x44]
            //   ff503c               | call                dword ptr [eax + 0x3c]
            //   83c414               | add                 esp, 0x14

        $sequence_6 = { 894610 8b461c c1e002 50 }
            // n = 4, score = 1000
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax

        $sequence_7 = { 833800 740a e8???????? 833822 }
            // n = 4, score = 1000
            //   833800               | cmp                 dword ptr [eax], 0
            //   740a                 | je                  0xc
            //   e8????????           |                     
            //   833822               | cmp                 dword ptr [eax], 0x22

        $sequence_8 = { 83c40c 6a02 6804010000 e8???????? }
            // n = 4, score = 800
            //   83c40c               | add                 esp, 0xc
            //   6a02                 | push                2
            //   6804010000           | push                0x104
            //   e8????????           |                     

        $sequence_9 = { 017e78 83567c00 017e68 83566c00 }
            // n = 4, score = 800
            //   017e78               | add                 dword ptr [esi + 0x78], edi
            //   83567c00             | adc                 dword ptr [esi + 0x7c], 0
            //   017e68               | add                 dword ptr [esi + 0x68], edi
            //   83566c00             | adc                 dword ptr [esi + 0x6c], 0

        $sequence_10 = { 89e5 8b550c 6bd204 89d1 }
            // n = 4, score = 700
            //   89e5                 | mov                 ebp, esp
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   6bd204               | imul                edx, edx, 4
            //   89d1                 | mov                 ecx, edx

        $sequence_11 = { 41 5d 41 5b 41 5c }
            // n = 6, score = 700
            //   41                   | inc                 ecx
            //   5d                   | pop                 ebp
            //   41                   | inc                 ecx
            //   5b                   | pop                 ebx
            //   41                   | inc                 ecx
            //   5c                   | pop                 esp

        $sequence_12 = { 48 83ec28 0f05 48 83c428 49 }
            // n = 6, score = 700
            //   48                   | dec                 eax
            //   83ec28               | sub                 esp, 0x28
            //   0f05                 | syscall             
            //   48                   | dec                 eax
            //   83c428               | add                 esp, 0x28
            //   49                   | dec                 ecx

    condition:
        7 of them and filesize < 1115136
}
[TLP:WHITE] win_lumma_w0   (20230118 | detect_Lumma_stealer)
rule win_lumma_w0 {
    meta:
        description = "detect_Lumma_stealer"
        author = "@malgamy12"
        date = "2022-11-3"
        license = "DRL 1.1"
        hunting = "https://www.hybrid-analysis.com/sample/f18d0cd673fd0bd3b071987b53b5f97391a56f6e4f0c309a6c1cee6160f671c0"
        hash1 = "19b937654065f5ee8baee95026f6ea7466ee2322"
        hash2 = "987f93e6fa93c0daa0ef2cf4a781ca53a02b65fe"
        hash3 = "70517a53551269d68b969a9328842cea2e1f975c"
        hash4 = "9b7b72c653d07a611ce49457c73ee56ed4c4756e"
        hash5 = "4992ebda2b069281c924288122f76556ceb5ae02"
        hash6 = "5c67078819246f45ff37d6db81328be12f8fc192"
        hash7 = "87fe98a00e1c3ed433e7ba6a6eedee49eb7a9cf9"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $m1 = "LummaC\\Release\\LummaC.pdb" ascii fullword

        $s1 = "Cookies.txt" ascii
        $s2 = "Autofills.txt" ascii
        $s3 = "ProgramData\\config.txt" ascii
        $s4 = "ProgramData\\softokn3.dll" ascii
        $s5 = "ProgramData\\winrarupd.zip" ascii

        $chunk_1 = {C1 E8 ?? 33 C6 69 C8 ?? ?? ?? ?? 5F 5E 8B C1 C1 E8 ??}

    condition:
        $m1 or (4 of ($s*) and $chunk_1)
}
[TLP:WHITE] win_lumma_w1   (20230918 | No description)
rule win_lumma_w1 {
    meta:
        author = "Matthew @ Embee_Research"
        yarahub_author_twitter = "@embee_research"
        desc = "Detects obfuscation methods observed in Lumma Stealer Payloads"
        sha_256 = "277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf"
        sha_256 = "7f18cf601b818b11068bb8743283ae378f547a1581682ea3cc163186aae7c55d"
        sha_256 = "03796740db48a98a4438c36d7b8c14b0a871bf8c692e787f1bf093b2d584999f"
        date = "2023-09-13"
        source = "https://github.com/embee-research/Yara-detection-rules/blob/main/Rules/win_lumma%20_simple.yar"
        yarahub_uuid = "39c32477-9a80-485b-b17a-4adf05f66cf8"
        yarahub_license = "CC BY-NC 4.0"
        malpedia_family = "win.lumma"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_version = "20230918"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        $o1 = {57 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 62 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00}
        $o2 = {4f 00 70 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 72 00 61 00 20 00 4e 00 65 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 6e 00}
        $o3 = {4c 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 67 00 69 00 6e 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00}

    condition:
        uint16(0) == 0x5a4d
        and filesize < 5000KB
        and (all of ($o*))
}
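As an added example (not part of the Malpedia rule set or the rule author's tooling), the Python below decodes what the three $o* hex strings of win_lumma_w1 match: the fixed bytes are the UTF-16LE browser file names "Web Data", "Opera Neon" and "Login Data", each with six wildcard characters inserted, so the rule fires on the padded form and not on the plain names. It re-implements the rule's condition over a constructed buffer; the sample bytes, the single-character junk and the function names are assumptions made for this demonstration.

```python
import re

# The three UTF-16LE hex strings of win_lumma_w1, copied from the rule above.
O_PATTERNS = {
    "$o1": "57 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 62 00 20 00 44 00 61 00 "
           "?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00",
    "$o2": "4f 00 70 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 72 00 61 00 20 00 "
           "4e 00 65 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 6e 00",
    "$o3": "4c 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 67 00 69 00 6e 00 20 00 "
           "44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00",
}

def hex_pattern_to_regex(pattern):
    """Compile a YARA hex string (fixed bytes plus '??' wildcards) to a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # '.' must match every byte value

def readable_form(pattern):
    """Render a UTF-16LE hex pattern as text, with one '?' per wildcard character."""
    toks = pattern.split()
    # Little-endian: the low byte of each character comes first, then the 0x00 high byte.
    return "".join("?" if lo == "??" else chr(int(lo, 16))
                   for lo, _hi in zip(toks[0::2], toks[1::2]))

def scan(buf):
    """Offsets of every match per pattern, the equivalent of YARA's string matches."""
    return {name: [m.start() for m in hex_pattern_to_regex(p).finditer(buf)]
            for name, p in O_PATTERNS.items()}

def win_lumma_w1_matches(buf):
    """The rule's condition: MZ header, filesize < 5000KB, and all of ($o*)."""
    if buf[:2] != b"MZ" or len(buf) >= 5000 * 1024:  # YARA's KB is 1024 bytes
        return False
    return all(scan(buf).values())

def build_sample(junk="x"):
    """Constructed PE-like buffer (assumption): each target string carries six junk
    characters where the rule's wildcards sit, i.e. the padding the rule targets."""
    strings = (readable_form(p).replace("?", junk) for p in O_PATTERNS.values())
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return b"MZ" + b"\x00" * 62 + body  # 64-byte stub header, then the strings

if __name__ == "__main__":
    for name, p in O_PATTERNS.items():
        print(name, "->", repr(readable_form(p)))
    clean = b"MZ" + "Web Data\0Opera Neon\0Login Data\0".encode("utf-16-le")
    print("padded:", win_lumma_w1_matches(build_sample()), "plain:", win_lumma_w1_matches(clean))
```

Because each wildcard run is exactly six characters long, a sample that pads with a different count will not match; a pattern with the same constant bytes but `[1-8]` jumps in place of the `?? 00` runs would cover that variation at the cost of more false positives.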