SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lumma (Back to overview)

Lumma Stealer

aka: LummaC2 Stealer

Lumma is an information stealer written in C, sold as a Malware-as-a-Service by LummaC on Russian-speaking underground forums and Telegram since at least August 2022. Lumma's capabilities are those of a classic stealer, with a focus on cryptocurrency wallets, and file grabber capabilities.

References
2023-02-27Medium s2wlabJiho Kim, Lee Sebin
@online{kim:20230227:lumma:9f3f99f, author = {Jiho Kim and Lee Sebin}, title = {{Lumma Stealer targets YouTubers via Spear-phishing Email}}, date = {2023-02-27}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7}, language = {English}, urldate = {2023-03-13} } Lumma Stealer targets YouTubers via Spear-phishing Email
Lumma Stealer
2023-01-13Twitter (@Ishusoka)Ishu
@online{ishu:20230113:tweets:31114ef, author = {Ishu}, title = {{Tweets on updates regarding Lumma Stealer}}, date = {2023-01-13}, organization = {Twitter (@Ishusoka)}, url = {https://twitter.com/Ishusoka/status/1614028229307928582}, language = {English}, urldate = {2023-01-18} } Tweets on updates regarding Lumma Stealer
Lumma Stealer
2023-01-06cybleCyble
@online{cyble:20230106:lummac2:4913d43, author = {Cyble}, title = {{LummaC2 Stealer: A Potent Threat To Crypto Users}}, date = {2023-01-06}, organization = {cyble}, url = {https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/}, language = {English}, urldate = {2023-01-06} } LummaC2 Stealer: A Potent Threat To Crypto Users
Lumma Stealer
2022-09-22Twitter (@sekoia_io)sekoia
@online{sekoia:20220922:tweets:b2e9079, author = {sekoia}, title = {{Tweets on Lumma stealer}}, date = {2022-09-22}, organization = {Twitter (@sekoia_io)}, url = {https://twitter.com/sekoia_io/status/1572889505497223169}, language = {English}, urldate = {2022-10-14} } Tweets on Lumma stealer
Lumma Stealer
2022-08-16Twitter (@fumik0_)fumik0
@online{fumik0:20220816:lumma:76d543a, author = {fumik0}, title = {{Tweet on Lumma Stealer based on Mars Stealer}}, date = {2022-08-16}, organization = {Twitter (@fumik0_)}, url = {https://twitter.com/fumik0_/status/1559474920152875008}, language = {English}, urldate = {2022-08-28} } Tweet on Lumma Stealer based on Mars Stealer
Lumma Stealer
Yara Rules
[TLP:WHITE] win_lumma_auto (20230125 | Detects win.lumma.)
rule win_lumma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.lumma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? e8???????? 8bc8 e8???????? 85c0 7403 8b00 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_1 = { a3???????? b97222872b e8???????? 8bd6 }
            // n = 4, score = 100
            //   a3????????           |                     
            //   b97222872b           | mov                 ecx, 0x2b872272
            //   e8????????           |                     
            //   8bd6                 | mov                 edx, esi

        $sequence_2 = { c3 51 81793cab804000 8b4148 56 8b31 57 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   51                   | push                ecx
            //   81793cab804000       | cmp                 dword ptr [ecx + 0x3c], 0x4080ab
            //   8b4148               | mov                 eax, dword ptr [ecx + 0x48]
            //   56                   | push                esi
            //   8b31                 | mov                 esi, dword ptr [ecx]
            //   57                   | push                edi

        $sequence_3 = { b9???????? 55 56 53 e8???????? 83c40c 55 }
            // n = 7, score = 100
            //   b9????????           |                     
            //   55                   | push                ebp
            //   56                   | push                esi
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   55                   | push                ebp

        $sequence_4 = { 50 e8???????? 83f83c 0f858ffeffff 85d2 0f8587feffff 8b03 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83f83c               | cmp                 eax, 0x3c
            //   0f858ffeffff         | jne                 0xfffffe95
            //   85d2                 | test                edx, edx
            //   0f8587feffff         | jne                 0xfffffe8d
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_5 = { c6010c eb45 83e86e 7435 83e804 742b 48 }
            // n = 7, score = 100
            //   c6010c               | mov                 byte ptr [ecx], 0xc
            //   eb45                 | jmp                 0x47
            //   83e86e               | sub                 eax, 0x6e
            //   7435                 | je                  0x37
            //   83e804               | sub                 eax, 4
            //   742b                 | je                  0x2d
            //   48                   | dec                 eax

        $sequence_6 = { 8b11 42 8911 8a02 3c22 75e3 }
            // n = 6, score = 100
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   42                   | inc                 edx
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8a02                 | mov                 al, byte ptr [edx]
            //   3c22                 | cmp                 al, 0x22
            //   75e3                 | jne                 0xffffffe5

        $sequence_7 = { 59 8b4c2414 8bd5 e8???????? 8bcd }
            // n = 5, score = 100
            //   59                   | pop                 ecx
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8bd5                 | mov                 edx, ebp
            //   e8????????           |                     
            //   8bcd                 | mov                 ecx, ebp

        $sequence_8 = { 56 56 56 68???????? 8bd8 68???????? 53 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   68????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   68????????           |                     
            //   53                   | push                ebx

        $sequence_9 = { e8???????? 57 e8???????? 83c40c eb09 8bd3 8bce }
            // n = 7, score = 100
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb09                 | jmp                 0xb
            //   8bd3                 | mov                 edx, ebx
            //   8bce                 | mov                 ecx, esi

    condition:
        7 of them and filesize < 397312
}
[TLP:WHITE] win_lumma_w0   (20230118 | detect_Lumma_stealer)
rule win_lumma_w0 {
	meta:
		description = "detect_Lumma_stealer"
		author = "@malgamy12"
		date = "2022-11-3"
		license = "DRL 1.1"
		hunting = "https://www.hybrid-analysis.com/sample/f18d0cd673fd0bd3b071987b53b5f97391a56f6e4f0c309a6c1cee6160f671c0"
		hash1 = "19b937654065f5ee8baee95026f6ea7466ee2322"
        hash2 = "987f93e6fa93c0daa0ef2cf4a781ca53a02b65fe"
        hash3 = "70517a53551269d68b969a9328842cea2e1f975c"
        hash4 = "9b7b72c653d07a611ce49457c73ee56ed4c4756e"
        hash5 = "4992ebda2b069281c924288122f76556ceb5ae02"
        hash6 = "5c67078819246f45ff37d6db81328be12f8fc192"
        hash7 = "87fe98a00e1c3ed433e7ba6a6eedee49eb7a9cf9"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $m1 = "LummaC\\Release\\LummaC.pdb" ascii fullword

        $s1 = "Cookies.txt" ascii
        $s2 = "Autofills.txt" ascii
        $s3 = "ProgramData\\config.txt" ascii
        $s4 = "ProgramData\\softokn3.dll" ascii
        $s5 = "ProgramData\\winrarupd.zip" ascii
        

        $chunk_1 = {C1 E8 ?? 33 C6 69 C8 ?? ?? ?? ?? 5F 5E 8B C1 C1 E8 ??}

    condition:
        $m1 or (4 of ($s*) and $chunk_1 )
}
Download all Yara Rules