win.lumma

Lumma Stealer

aka: LummaC2 Stealer

Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the URI "/c2sock" and the user agent "TeslaBrowser/5.5".

References
2023-09-07 | eSentire | eSentire
@online{esentire:20230907:case:fd86e6b, author = {eSentire}, title = {{The Case of LummaC2 v4.0}}, date = {2023-09-07}, organization = {eSentire}, url = {https://www.esentire.com/blog/the-case-of-lummac2-v4-0}, language = {English}, urldate = {2023-09-12} } The Case of LummaC2 v4.0
Lumma Stealer
2023-09-06 | Darktrace | DarkTrace
@online{darktrace:20230906:rise:496a284, author = {DarkTrace}, title = {{The Rise of the Lumma Info-Stealer}}, date = {2023-09-06}, organization = {Darktrace}, url = {https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer}, language = {English}, urldate = {2023-09-11} } The Rise of the Lumma Info-Stealer
Lumma Stealer
2023-08-31 | Rapid7 Labs | Natalie Zargarov, Thomas Elkins, Evan McCann, Tyler McGraw
@online{zargarov:20230831:fake:4b8ef57, author = {Natalie Zargarov and Thomas Elkins and Evan McCann and Tyler McGraw}, title = {{Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers}}, date = {2023-08-31}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/}, language = {English}, urldate = {2023-09-04} } Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey IDAT Loader Lumma Stealer SectopRAT
2023-04-09 | @0xToxin
@online{0xtoxin:20230409:lummac2:b5f84e3, author = {@0xToxin}, title = {{LummaC2 BreakDown}}, date = {2023-04-09}, url = {https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx}, language = {English}, urldate = {2023-04-10} } LummaC2 BreakDown
Lumma Stealer
2023-04-05 | Outpost24 | Alberto Marín
@online{marn:20230405:everything:44474d9, author = {Alberto Marín}, title = {{Everything you need to know about the LummaC2 Stealer: Leveraging IDA Python and Unicorn to deobfuscate Windows API Hashing}}, date = {2023-04-05}, organization = {Outpost24}, url = {https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer}, language = {English}, urldate = {2023-04-12} } Everything you need to know about the LummaC2 Stealer: Leveraging IDA Python and Unicorn to deobfuscate Windows API Hashing
Lumma Stealer
2023-02-27 | Medium s2wlab | Jiho Kim, Lee Sebin
@online{kim:20230227:lumma:9f3f99f, author = {Jiho Kim and Lee Sebin}, title = {{Lumma Stealer targets YouTubers via Spear-phishing Email}}, date = {2023-02-27}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7}, language = {English}, urldate = {2023-03-13} } Lumma Stealer targets YouTubers via Spear-phishing Email
Lumma Stealer
2023-01-13 | Twitter (@Ishusoka) | Ishu
@online{ishu:20230113:tweets:31114ef, author = {Ishu}, title = {{Tweets on updates regarding Lumma Stealer}}, date = {2023-01-13}, organization = {Twitter (@Ishusoka)}, url = {https://twitter.com/Ishusoka/status/1614028229307928582}, language = {English}, urldate = {2023-01-18} } Tweets on updates regarding Lumma Stealer
Lumma Stealer
2023-01-06 | cyble | Cyble
@online{cyble:20230106:lummac2:4913d43, author = {Cyble}, title = {{LummaC2 Stealer: A Potent Threat To Crypto Users}}, date = {2023-01-06}, organization = {cyble}, url = {https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/}, language = {English}, urldate = {2023-01-06} } LummaC2 Stealer: A Potent Threat To Crypto Users
Lumma Stealer
2022-09-22 | Twitter (@sekoia_io) | sekoia
@online{sekoia:20220922:tweets:b2e9079, author = {sekoia}, title = {{Tweets on Lumma stealer}}, date = {2022-09-22}, organization = {Twitter (@sekoia_io)}, url = {https://twitter.com/sekoia_io/status/1572889505497223169}, language = {English}, urldate = {2022-10-14} } Tweets on Lumma stealer
Lumma Stealer
2022-08-16 | Twitter (@fumik0_) | fumik0
@online{fumik0:20220816:lumma:76d543a, author = {fumik0}, title = {{Tweet on Lumma Stealer based on Mars Stealer}}, date = {2022-08-16}, organization = {Twitter (@fumik0_)}, url = {https://twitter.com/fumik0_/status/1559474920152875008}, language = {English}, urldate = {2022-08-28} } Tweet on Lumma Stealer based on Mars Stealer
Lumma Stealer
Yara Rules
[TLP:WHITE] win_lumma_auto (20230715 | Detects win.lumma.)
rule win_lumma_auto {

    // Auto-generated code-pattern rule (yara-signator; see DISCLAIMER below).
    // Each $sequence_N is a run of raw x86 instruction bytes lifted from
    // disassembly. The "??" wildcards replace the 4-byte rel32 operand of
    // "e8" call instructions, which changes from build to build. "n" is the
    // number of instructions in the sequence; "score" is the value
    // yara-signator assigned to it (presumably a distinctiveness ranking --
    // confirm against the tool's documentation before using it as a
    // confidence weight).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.lumma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 53 ff767c ff7678 }
            // n = 4, score = 300
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ff767c               | push                dword ptr [esi + 0x7c]
            //   ff7678               | push                dword ptr [esi + 0x78]

        $sequence_1 = { 53 49 83fc00 75e8 8b4508 49 89ca }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   49                   | dec                 ecx
            //   83fc00               | cmp                 esp, 0
            //   75e8                 | jne                 0xffffffea
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   49                   | dec                 ecx
            //   89ca                 | mov                 edx, ecx

        $sequence_2 = { e8???????? ff7614 e8???????? ff7608 e8???????? 83c414 83c8ff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ff7614               | push                dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   ff7608               | push                dword ptr [esi + 8]
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_3 = { 4d 6be404 49 83ec04 }
            // n = 4, score = 200
            //   4d                   | dec                 ebp
            //   6be404               | imul                esp, esp, 4
            //   49                   | dec                 ecx
            //   83ec04               | sub                 esp, 4

        $sequence_4 = { 41 5b 41 5c }
            // n = 4, score = 200
            //   41                   | inc                 ecx
            //   5b                   | pop                 ebx
            //   41                   | inc                 ecx
            //   5c                   | pop                 esp
            // NOTE(review): the listing above is a 32-bit decode ("pop esp" is
            // an unusual instruction). The same bytes in 64-bit code are
            // REX-prefixed pops (pop r11 / pop r12), and $sequence_3,
            // $sequence_8 and $sequence_11 share the 41/49/4d prefix shape.
            // Confirm the bitness of the source samples before reasoning about
            // what this code does; the byte patterns match either way.

        $sequence_5 = { c1e002 50 e8???????? 894614 8b461c c1e002 }
            // n = 6, score = 200
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   e8????????           |                     
            //   894614               | mov                 dword ptr [esi + 0x14], eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   c1e002               | shl                 eax, 2

        $sequence_6 = { 0fb64203 83c204 33c1 c1e908 }
            // n = 4, score = 200
            //   0fb64203             | movzx               eax, byte ptr [edx + 3]
            //   83c204               | add                 edx, 4
            //   33c1                 | xor                 eax, ecx
            //   c1e908               | shr                 ecx, 8

        $sequence_7 = { 41 5a cb 55 89e5 8b550c }
            // n = 6, score = 200
            //   41                   | inc                 ecx
            //   5a                   | pop                 edx
            //   cb                   | retf                
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_8 = { 4d 6bdb08 4c 01dc }
            // n = 4, score = 200
            //   4d                   | dec                 ebp
            //   6bdb08               | imul                ebx, ebx, 8
            //   4c                   | dec                 esp
            //   01dc                 | add                 esp, ebx

        $sequence_9 = { 50 e8???????? 894604 8b461c }
            // n = 4, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]

        $sequence_10 = { 41 8b0a 41 8b5204 }
            // n = 4, score = 200
            //   41                   | inc                 ecx
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   41                   | inc                 ecx
            //   8b5204               | mov                 edx, dword ptr [edx + 4]

        $sequence_11 = { 4d 89f3 49 83eb04 }
            // n = 4, score = 200
            //   4d                   | dec                 ebp
            //   89f3                 | mov                 ebx, esi
            //   49                   | dec                 ecx
            //   83eb04               | sub                 ebx, 4

        $sequence_12 = { 57 8bf2 8bd9 6a2e 56 }
            // n = 5, score = 200
            //   57                   | push                edi
            //   8bf2                 | mov                 esi, edx
            //   8bd9                 | mov                 ebx, ecx
            //   6a2e                 | push                0x2e
            //   56                   | push                esi

        $sequence_13 = { 03c0 3bc2 0f47d0 e8???????? 85c0 }
            // n = 5, score = 200
            //   03c0                 | add                 eax, eax
            //   3bc2                 | cmp                 eax, edx
            //   0f47d0               | cmova               edx, eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_14 = { c1e002 50 e8???????? 89460c 8b461c c1e002 }
            // n = 6, score = 200
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   e8????????           |                     
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   c1e002               | shl                 eax, 2

    // 7 of the 15 sequences must be present. The filesize cap is a hard
    // condition, not only a scan optimisation: a sample larger than 838656
    // bytes (about 819 KiB, e.g. a padded or bundled build) never matches even
    // if every sequence is present.
    condition:
        7 of them and filesize < 838656
}
[TLP:WHITE] win_lumma_w0   (20230118 | detect_Lumma_stealer)
rule win_lumma_w0 {
	meta:
		description = "detect_Lumma_stealer"
		author = "@malgamy12"
		// NOTE(review): day is not zero-padded; "2022-11-03" would match the
		// ISO form used by the other rules on this page.
		date = "2022-11-3"
		license = "DRL 1.1"
		hunting = "https://www.hybrid-analysis.com/sample/f18d0cd673fd0bd3b071987b53b5f97391a56f6e4f0c309a6c1cee6160f671c0"
		hash1 = "19b937654065f5ee8baee95026f6ea7466ee2322"
        hash2 = "987f93e6fa93c0daa0ef2cf4a781ca53a02b65fe"
        hash3 = "70517a53551269d68b969a9328842cea2e1f975c"
        hash4 = "9b7b72c653d07a611ce49457c73ee56ed4c4756e"
        hash5 = "4992ebda2b069281c924288122f76556ceb5ae02"
        hash6 = "5c67078819246f45ff37d6db81328be12f8fc192"
        hash7 = "87fe98a00e1c3ed433e7ba6a6eedee49eb7a9cf9"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    // Two independent match paths (see condition): the leaked PDB path on its
    // own, or a majority of the file-name strings together with one code chunk.
    strings:
        // Build-artifact path left in the binary. The condition accepts $m1 by
        // itself, so this is the high-confidence indicator. "\\" is a single
        // literal backslash in the scanned bytes.
        $m1 = "LummaC\\Release\\LummaC.pdb" ascii fullword

        // Output / staging file names. Individually these are weak evidence
        // (names like Cookies.txt are likely not unique to this family), so the
        // condition requires four of the five plus $chunk_1.
        $s1 = "Cookies.txt" ascii
        $s2 = "Autofills.txt" ascii
        $s3 = "ProgramData\\config.txt" ascii
        $s4 = "ProgramData\\softokn3.dll" ascii
        $s5 = "ProgramData\\winrarupd.zip" ascii
        

        // Decodes (32-bit) as: shr eax, imm8 / xor eax, esi / imul ecx, eax,
        // imm32 / pop edi / pop esi / mov eax, ecx / shr eax, imm8 -- a
        // shift-xor-multiply step consistent with a string/API hashing routine
        // (the Outpost24 reference on this page covers Windows API hashing in
        // this family). The wildcards cover the shift counts and the multiplier,
        // the values most likely to differ between builds.
        $chunk_1 = {C1 E8 ?? 33 C6 69 C8 ?? ?? ?? ?? 5F 5E 8B C1 C1 E8 ??}

    // NOTE(review): unlike win_lumma_w1 there is no uint16(0) == 0x5a4d or
    // filesize guard. That lets the rule fire on unpacked memory dumps without
    // a PE header, but it also means every byte of arbitrarily large non-PE
    // inputs is scanned; keep that in mind when deploying it broadly.
    condition:
        $m1 or (4 of ($s*) and $chunk_1 )
}
[TLP:WHITE] win_lumma_w1   (20230918 | No description)
rule win_lumma_w1 {
	meta:
		author = "Matthew @ Embee_Research"
		yarahub_author_twitter = "@embee_research"
		desc = "Detects obfuscation methods observed in Lumma Stealer Payloads"
		// Three reference samples. YARA permits a repeated meta key, but
		// consumers that load meta into a map may keep only one of them.
		sha_256 = "277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf"
		sha_256 = "7f18cf601b818b11068bb8743283ae378f547a1581682ea3cc163186aae7c55d"
		sha_256 = "03796740db48a98a4438c36d7b8c14b0a871bf8c692e787f1bf093b2d584999f"
		date = "2023-09-13"
		source = "https://github.com/embee-research/Yara-detection-rules/blob/main/Rules/win_lumma%20_simple.yar"
        yarahub_uuid = "39c32477-9a80-485b-b17a-4adf05f66cf8"
       	yarahub_license = "CC BY-NC 4.0"
        malpedia_family = "win.lumma"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_version = "20230918"
        // NOTE(review): empty while yarahub_license above says "CC BY-NC 4.0";
        // presumably should carry the same value -- confirm with the author.
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
	strings:

		// UTF-16LE (wide) strings with six wildcarded wide characters spliced
		// in at two points. Reading only the fixed bytes: $o1 is
		// "W......eb Da......ta", $o2 is "Op......era Neo......n" and $o3 is
		// "Lo......gin Da......ta" -- i.e. the browser data-store names
		// "Web Data" / "Login Data" and the "Opera Neon" product name with
		// junk characters inserted, which is the obfuscation the desc refers
		// to. The high byte of every inserted character is fixed at 00, so
		// the junk is limited to U+0000..U+00FF; a variant inserting a
		// different count of characters, or non-Latin-1 ones, would not match.
		$o1 = {57 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 62 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00}
		$o2 = {4f 00 70 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 72 00 61 00 20 00 4e 00 65 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 6e 00}
		$o3 = {4c 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 67 00 69 00 6e 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00}

	// Requires an MZ header at offset 0 (so a dumped memory region without its
	// PE header will not match), a size under 5000KB, and all three obfuscated
	// strings together; any one of them alone is not enough.
	condition:
		uint16(0) == 0x5a4d
		and
		filesize < 5000KB
		and
		(all of ($o*))


}