win.lumma

Lumma Stealer

aka: LummaC2 Stealer

Actor(s): Angry Likho


Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been sold through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions before collecting other sensitive information from the victim's machine. Once the targeted data has been collected, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader capable of delivering additional payloads as EXE, DLL, or PowerShell.

References
2025-10-16 | Trendmicro | Junestherry Dela Cruz
Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing
Lumma Stealer
2025-10-01 | SpyCloud | James
Bifrost Burned: Dissecting Asgard Protector’s Defenses
Lumma Stealer
2025-09-30 | Synthient | Synthient
GhostSocks: From Initial Access to Residential Proxy
GhostSocks Lumma Stealer
2025-07-27 | Cyber Intelligence Insights | Vasilis Orlof
Bulletproof Hosting Hunt: Connecting the dots from Lumma to Qwins Ltd (ASN 213702)
Lumma Stealer
2025-07-27 | Medium RaghavtiResearchBeGoodToAll
Lumma Stealer — A Proliferating Threat in the Cybercrime Landscape
Lumma Stealer
2025-06-24 | Bridewell | Bridewell
2025 Cyber Threat Intelligence Report
AsyncRAT Brute Ratel C4 Cobalt Strike Fog Ghost RAT Lumma Stealer Meduza Stealer Quasar RAT RedLine Stealer Sliver
2025-06-24 | Certego | Federico Fantini
Malware Analysis - Inside Lumma Stealer
Lumma Stealer
2025-06-18 | Elastic | Salim Bitam
A Wretch Client: From ClickFix deception to information stealer deployment
HijackLoader Lumma Stealer SectopRAT
2025-05-21 | Microsoft | Steven Masada
Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool
Lumma Stealer
2025-05-20 | Europol | Europol
Europol and Microsoft disrupt world’s largest infostealer Lumma
Lumma Stealer
2025-05-09 | Sophos X-Ops | Andrew Petrus, Ben Goldberg, Haigh Minassian, Imane Ismail, Sushmita Shetty
Lumma Stealer, coming and going
Lumma Stealer
2025-04-30 | Google Cloud Community | Praveeth DSouza
Finding Malware: Unveiling LUMMAC.V2 with Google Security Operations
Lumma Stealer
2025-04-21 | Trellix | Mohideen Abdul Khader
Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation
Lumma Stealer
2025-04-16 | Sekoia | Sekoia TDR
Interlock ransomware evolving under the radar
Interlock Berserk Stealer Interlock Lumma Stealer Supper
2025-04-15 | Orange Cyberdefense | André Henschel, Friedl Holzner
CyberSOC Insights: Analysis of a Black Basta Attack Campaign
Black Basta DarkGate Lumma Stealer
2025-03-22 | Trend Micro | Junestherry Dela Cruz
Back to Business: Lumma Stealer Returns with Stealthier Methods
Lumma Stealer
2025-03-14 | VitalDigitalForensics | v4ensics
Lumma Stealer – A tale that starts with a fake Captcha
Lumma Stealer
2025-03-14 | Twitter (@CERTCyberdef) | Alexandre Matousek, Marine PICHON
Tweet on Emmenhtal v3
Emmenhtal Lumma Stealer Rhadamanthys
2025-03-13 | Group-IB | Group-IB
ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims
Emmenhtal Lumma Stealer
2025-03-12 | Red Canary | Red Canary
2025 Threat Detection Report
HijackLoader Lumma Stealer NetSupportManager RAT
2025-03-11 | Trend Micro | Cj Arsley Mateo, Darrel Tristan Virtusio, Jacob Santos, Junestherry Dela Cruz, Paul John Bardon
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
Lumma Stealer SmartLoader
2025-02-21 | Kaspersky Labs | Kaspersky
Angry Likho: Old beasts in a new forest
Lumma Stealer Angry Likho
2025-02-20 | Infrawatch | Infrawatch Research Team
GhostSocks - Lumma's Partner In Proxy
GhostSocks Lumma Stealer
2025-02-18 | Varist | Kervin Alintanahin
Malvertisements, Fake Captchas and Infostealers
Lumma Stealer
2025-02-18 | Proofpoint | Proofpoint Threat Research Team
An Update on Fake Updates: Two New Actors, and New Mac Malware
Marcher FAKEUPDATES FrigidStealer Lumma Stealer
2025-01-30 | RevEng.AI | RevEng.AI
One ClickFix and LummaStealer reCAPTCHA’s Our Attention - Part 1
Lumma Stealer
2025-01-27 | Youtube (MalwareAnalysisForHedgehogs) | Karsten Hahn
Malware Analysis - Binary Refinery URL extraction of Multi-Layered PoshLoader for LummaStealer
Lumma Stealer
2025-01-23 | Netskope | Leandro Froes
Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection
Lumma Stealer
2025-01-13 | Cert-AgID | Cert-AgID
Analysis of a Lumma Stealer campaign with a fake CAPTCHA conducted through a compromised Italian domain
Lumma Stealer
2024-12-30 | Intrinsec | CTI Intrinsec
CryptBot: Hunting for initial access vectors
CryptBot Lumma Stealer PrivateLoader
2024-12-28 | Medium s.lontzetidis | Efstratios Lontzetidis
Lumma 2024: Dominating the Info-Stealer Market
Lumma Stealer
2024-12-20 | Ryan Weil | Ryan Weil
Deobfuscation of Lumma Stealer
Lumma Stealer
2024-12-19 | SpyCloud | James
LummaC2 Revisited: What’s Making this Stealer Stealthier and More Lethal
GhostSocks Lumma Stealer
2024-12-17 | Cybereason | Elena Odier, Gal Romano, Hema Loganathan, Ralph Villanueva
Your Data Is Under New Lummanagement: The Rise of LummaStealer
Lumma Stealer
2024-12-16 | Guardio Labs | Nati Tal
“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising
Lumma Stealer
2024-11-18 | Proofpoint | Proofpoint Threat Research Team, Selena Larson, Tommy Madjar
Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape
AsyncRAT Brute Ratel C4 DanaBot DarkGate Latrodectus Lumma Stealer NetSupportManager RAT XWorm
2024-11-12 | Kroll | George Glass, Ryan Hicks
LUMMASTEALER Delivered Via PowerShell Social Engineering
Lumma Stealer
2024-10-17 | Loader Insight Agency | LIA
Correlating Vidar Stealer Build IDs Based on Loader Tasks
Lumma Stealer SmokeLoader Vidar
2024-10-08 | Trustwave | Cris Tomboc, King Orande
Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader
Pronsis Loader Latrodectus Lumma Stealer
2024-10-05 | Mandar Naik
Malware Analysis - Lumma Stealer
Lumma Stealer
2024-09-25 | Medium b.magnezi | 0xMrMagnezi
Lumma Stealer - Malware Analysis
Lumma Stealer
2024-09-20 | McAfee | Aayush Tyagi, Yashvi Shah
Behind the CAPTCHA: A Clever Gateway of Malware
Emmenhtal Lumma Stealer
2024-09-09 | Denwp Research | Tonmoy Jitu
Dissecting Lumma Malware: Analyzing the Fake CAPTCHA and Obfuscation Techniques - Part 2
Lumma Stealer
2024-08-30 | Denwp Research | Tonmoy Jitu
Anatomy of a Lumma Stealer Attack via Fake CAPTCHA Pages - Part 1
Lumma Stealer
2024-08-22 | Mandiant | Aaron Lee, Praveeth DSouza
PEAKLIGHT: Decoding the Stealthy Memory-Only Malware
CryptBot Emmenhtal HijackLoader Lumma Stealer
2024-08-12 | Rapid7 | Tyler McGraw
Ongoing Social Engineering Campaign Refreshes Payloads
Black Basta Cobalt Strike GhostSocks Lumma Stealer SystemBC
2024-07-24 | Check Point Research | Antonis Terefos
Stargazers Ghost Network
Atlantida Lumma Stealer RedLine Stealer Rhadamanthys RisePro Stargazer Goblin
2024-07-23 | Fortinet | Fortinet
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed
ACR Stealer Lumma Stealer Meduza Stealer
2024-07-22 | Censys | Censys, Embee_research
A Beginner’s Guide to Hunting Malicious Open Directories
Cobalt Strike Lumma Stealer Vidar
2024-07-11 | McAfee | Vignesh Dhatchanamoorthy, Yashvi Shah
ClickFix Deception: A Social Engineering Tactic to Deploy Malware
DarkGate Lumma Stealer
2024-07-02 | Sekoia | Quentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar
2024-06-21 | 0x1c | 0x1c
[0001] AmberAmethystDaisy -> QuartzBegonia -> LummaStealer
Lumma Stealer
2024-06-17 | Trellix | Alejandro Houspanossian
Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion
HijackLoader Lumma Stealer
2024-06-17 | Proofpoint | Proofpoint
From Clipboard to Compromise: A PowerShell Self-Pwn
DarkGate HijackLoader Lumma Stealer Matanbuchus NetSupportManager RAT TA571
2024-06-10 | Mandiant | Mandiant
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
Lumma Stealer MetaStealer Raccoon RedLine Stealer RisePro Vidar UNC5537
2024-05-29 | eSentire | eSentire
Fake Browser Updates delivering BitRAT and Lumma Stealer
BitRAT Lumma Stealer
2024-03-24 | Viuleeenz | Alessandro Strino
Understanding API Hashing and build a rainbow table for LummaStealer
Lumma Stealer
2024-03-07 | Malware Traffic Analysis | Brad Duncan
2024-03-07 (THURSDAY): LATRODECTUS INFECTION LEADS TO LUMMA STEALER
Latrodectus Lumma Stealer
2024-02-13 | Palo Alto Networks Unit 42 | Ofir Ozer, Or Chechik
A Deep Dive Into Malicious Direct Syscall Detection
Lumma Stealer
2024-02-13 | Gridinsoft | Gridinsoft Cyber Security
What is Lumma Stealer?
Lumma Stealer
2024-02-04 | Viuleeenz | Alessandro Strino
Understanding PEB and LDR Structures using IDA and LummaStealer
Lumma Stealer
2024-01-30 | ANY.RUN | Lena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP
2024-01-12 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2024-01-08 | Fortinet | Cara Lin
Deceptive Cracked Software Spreads Lumma Variant on YouTube
Lumma Stealer
2024-01-08 | YouTube (Embee Research) | Embee_research
Malware Analysis - Decoding Obfuscated Powershell and HTA Files (Lumma Stealer)
Lumma Stealer
2023-11-20 | Outpost24 | Alberto Marín
Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection
Lumma Stealer
2023-11-16 | Medium g0njxa | g0njxa
Approaching stealers devs : a brief interview with LummaC2
Lumma Stealer
2023-10-27 | Elastic | Joe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar
2023-10-25 | Microsoft | Microsoft Incident Response, Microsoft Threat Intelligence
Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction
BlackCat BlackCat Lumma Stealer
2023-10-17 | Intrinsec | CTI Intrinsec
Lumma Stealer actively deployed in multiple campaigns
Lumma Stealer
2023-09-07 | eSentire | eSentire
The Case of LummaC2 v4.0
Lumma Stealer
2023-09-06 | Darktrace | DarkTrace
The Rise of the Lumma Info-Stealer
Lumma Stealer
2023-08-31 | Rapid7 Labs | Evan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT
2023-04-09 | @0xToxin
LummaC2 BreakDown
Lumma Stealer
2023-04-05 | Outpost24 | Alberto Marín
Everything you need to know about the LummaC2 Stealer: Leveraging IDA Python and Unicorn to deobfuscate Windows API Hashing
Lumma Stealer
2023-02-27 | Medium s2wlab | Jiho Kim, Lee Sebin
Lumma Stealer targets YouTubers via Spear-phishing Email
Lumma Stealer
2023-02-03 | Cloudsek | Deepanjli Paulraj, Pavan Karthick M
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware
Alfonso Stealer Bandit Stealer Cameleon Fabookie Lumma Stealer Nanocore RAT Panda Stealer RecordBreaker RedLine Stealer Stealc STOP Vidar zgRAT
2023-01-13 | Twitter (@Ishusoka) | Ishu
Tweets on updates regarding Lumma Stealer
Lumma Stealer
2023-01-06 | cyble | Cyble
LummaC2 Stealer: A Potent Threat To Crypto Users
Lumma Stealer
2022-09-22 | Twitter (@sekoia_io) | sekoia
Tweets on Lumma stealer
Lumma Stealer
2022-08-16 | Twitter (@fumik0_) | fumik0
Tweet on Lumma Stealer based on Mars Stealer
Lumma Stealer
Yara Rules
[TLP:WHITE] win_lumma_auto (20251219 | Detects win.lumma.)
rule win_lumma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.lumma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 53 ff767c ff7678 ff7644 }
            // n = 4, score = 1100
            //   53                   | push                ebx
            //   ff767c               | push                dword ptr [esi + 0x7c]
            //   ff7678               | push                dword ptr [esi + 0x78]
            //   ff7644               | push                dword ptr [esi + 0x44]

        $sequence_1 = { ffd0 83c40c 894648 85c0 }
            // n = 4, score = 1000
            //   ffd0                 | call                eax
            //   83c40c               | add                 esp, 0xc
            //   894648               | mov                 dword ptr [esi + 0x48], eax
            //   85c0                 | test                eax, eax

        $sequence_2 = { 894604 8b461c c1e002 50 }
            // n = 4, score = 1000
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax

        $sequence_3 = { ff7678 ff7644 ff563c 83c414 }
            // n = 4, score = 1000
            //   ff7678               | push                dword ptr [esi + 0x78]
            //   ff7644               | push                dword ptr [esi + 0x44]
            //   ff563c               | call                dword ptr [esi + 0x3c]
            //   83c414               | add                 esp, 0x14

        $sequence_4 = { 833800 740a e8???????? 833822 }
            // n = 4, score = 1000
            //   833800               | cmp                 dword ptr [eax], 0
            //   740a                 | je                  0xc
            //   e8????????           |                     
            //   833822               | cmp                 dword ptr [eax], 0x22

        $sequence_5 = { 66894316 0fb7560e 0fb74e0c e8???????? }
            // n = 4, score = 900
            //   66894316             | mov                 word ptr [ebx + 0x16], ax
            //   0fb7560e             | movzx               edx, word ptr [esi + 0xe]
            //   0fb74e0c             | movzx               ecx, word ptr [esi + 0xc]
            //   e8????????           |                     

        $sequence_6 = { 66894338 8b4626 89433c 8b462a }
            // n = 4, score = 900
            //   66894338             | mov                 word ptr [ebx + 0x38], ax
            //   8b4626               | mov                 eax, dword ptr [esi + 0x26]
            //   89433c               | mov                 dword ptr [ebx + 0x3c], eax
            //   8b462a               | mov                 eax, dword ptr [esi + 0x2a]

        $sequence_7 = { 8b4610 894320 8b4614 894328 }
            // n = 4, score = 900
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   894320               | mov                 dword ptr [ebx + 0x20], eax
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   894328               | mov                 dword ptr [ebx + 0x28], eax

        $sequence_8 = { e8???????? 83c40c 6a02 6804010000 e8???????? }
            // n = 5, score = 800
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6a02                 | push                2
            //   6804010000           | push                0x104
            //   e8????????           |                     

        $sequence_9 = { 017e78 83567c00 017e68 83566c00 }
            // n = 4, score = 800
            //   017e78               | add                 dword ptr [esi + 0x78], edi
            //   83567c00             | adc                 dword ptr [esi + 0x7c], 0
            //   017e68               | add                 dword ptr [esi + 0x68], edi
            //   83566c00             | adc                 dword ptr [esi + 0x6c], 0

        $sequence_10 = { 83f900 75f1 83ec04 8b4508 e8???????? 89ec 5d }
            // n = 7, score = 700
            //   83f900               | cmp                 ecx, 0
            //   75f1                 | jne                 0xfffffff3
            //   83ec04               | sub                 esp, 4
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   89ec                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_11 = { 31c0 837e3808 0f94c0 294628 }
            // n = 4, score = 700
            //   31c0                 | xor                 eax, eax
            //   837e3808             | cmp                 dword ptr [esi + 0x38], 8
            //   0f94c0               | sete                al
            //   294628               | sub                 dword ptr [esi + 0x28], eax

        $sequence_12 = { 0f94c3 89d5 09cd 0f95c7 }
            // n = 4, score = 700
            //   0f94c3               | sete                bl
            //   89d5                 | mov                 ebp, edx
            //   09cd                 | or                  ebp, ecx
            //   0f95c7               | setne               bh

        $sequence_13 = { 0f95c7 30df 7514 837e6c00 }
            // n = 4, score = 700
            //   0f95c7               | setne               bh
            //   30df                 | xor                 bh, bl
            //   7514                 | jne                 0x16
            //   837e6c00             | cmp                 dword ptr [esi + 0x6c], 0

        $sequence_14 = { 8b5204 45 8b4208 45 8b4a0c 49 83fe04 }
            // n = 7, score = 700
            //   8b5204               | mov                 edx, dword ptr [edx + 4]
            //   45                   | inc                 ebp
            //   8b4208               | mov                 eax, dword ptr [edx + 8]
            //   45                   | inc                 ebp
            //   8b4a0c               | mov                 ecx, dword ptr [edx + 0xc]
            //   49                   | dec                 ecx
            //   83fe04               | cmp                 esi, 4

        $sequence_15 = { 01e8 56 ff742424 50 }
            // n = 4, score = 700
            //   01e8                 | add                 eax, ebp
            //   56                   | push                esi
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   50                   | push                eax

        $sequence_16 = { 50 57 ff7618 e8???????? 83c40c 894618 }
            // n = 6, score = 700
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff7618               | push                dword ptr [esi + 0x18]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   894618               | mov                 dword ptr [esi + 0x18], eax

        $sequence_17 = { 01c9 39dd ba00000000 19c2 72f1 }
            // n = 5, score = 700
            //   01c9                 | add                 ecx, ecx
            //   39dd                 | cmp                 ebp, ebx
            //   ba00000000           | mov                 edx, 0
            //   19c2                 | sbb                 edx, eax
            //   72f1                 | jb                  0xfffffff3

        $sequence_18 = { 234608 7418 8b8684000000 29f8 }
            // n = 4, score = 700
            //   234608               | and                 eax, dword ptr [esi + 8]
            //   7418                 | je                  0x1a
            //   8b8684000000         | mov                 eax, dword ptr [esi + 0x84]
            //   29f8                 | sub                 eax, edi

        $sequence_19 = { 31ed 89ae88000000 c7868c00000000000000 899e80000000 833e00 }
            // n = 5, score = 700
            //   31ed                 | xor                 ebp, ebp
            //   89ae88000000         | mov                 dword ptr [esi + 0x88], ebp
            //   c7868c00000000000000     | mov    dword ptr [esi + 0x8c], 0
            //   899e80000000         | mov                 dword ptr [esi + 0x80], ebx
            //   833e00               | cmp                 dword ptr [esi], 0

        $sequence_20 = { 8b550c 6bd204 89d1 83e904 8b5510 8b1c0a }
            // n = 6, score = 700
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   6bd204               | imul                edx, edx, 4
            //   89d1                 | mov                 ecx, edx
            //   83e904               | sub                 ecx, 4
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8b1c0a               | mov                 ebx, dword ptr [edx + ecx]

    condition:
        7 of them and filesize < 1115136
}
[TLP:WHITE] win_lumma_w0   (20230118 | detect_Lumma_stealer)
rule win_lumma_w0 {
    meta:
        description = "detect_Lumma_stealer"
        author = "@malgamy12"
        date = "2022-11-3"
        license = "DRL 1.1"
        hunting = "https://www.hybrid-analysis.com/sample/f18d0cd673fd0bd3b071987b53b5f97391a56f6e4f0c309a6c1cee6160f671c0"
        hash1 = "19b937654065f5ee8baee95026f6ea7466ee2322"
        hash2 = "987f93e6fa93c0daa0ef2cf4a781ca53a02b65fe"
        hash3 = "70517a53551269d68b969a9328842cea2e1f975c"
        hash4 = "9b7b72c653d07a611ce49457c73ee56ed4c4756e"
        hash5 = "4992ebda2b069281c924288122f76556ceb5ae02"
        hash6 = "5c67078819246f45ff37d6db81328be12f8fc192"
        hash7 = "87fe98a00e1c3ed433e7ba6a6eedee49eb7a9cf9"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // debug symbol path left in the binary; on its own it is sufficient
        $m1 = "LummaC\\Release\\LummaC.pdb" ascii fullword

        // output file names and ProgramData paths referenced by the stealer
        $s1 = "Cookies.txt" ascii
        $s2 = "Autofills.txt" ascii
        $s3 = "ProgramData\\config.txt" ascii
        $s4 = "ProgramData\\softokn3.dll" ascii
        $s5 = "ProgramData\\winrarupd.zip" ascii

        // shr eax,imm8 / xor eax,esi / imul ecx,eax,imm32 / pop edi / pop esi / mov eax,ecx / shr eax,imm8
        $chunk_1 = {C1 E8 ?? 33 C6 69 C8 ?? ?? ?? ?? 5F 5E 8B C1 C1 E8 ??}

    condition:
        $m1 or (4 of ($s*) and $chunk_1)
}
[TLP:WHITE] win_lumma_w1   (20230918 | No description)
rule win_lumma_w1 {
    meta:
        author = "Matthew @ Embee_Research"
        yarahub_author_twitter = "@embee_research"
        desc = "Detects obfuscation methods observed in Lumma Stealer Payloads"
        sha_256 = "277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf"
        sha_256 = "7f18cf601b818b11068bb8743283ae378f547a1581682ea3cc163186aae7c55d"
        sha_256 = "03796740db48a98a4438c36d7b8c14b0a871bf8c692e787f1bf093b2d584999f"
        date = "2023-09-13"
        source = "https://github.com/embee-research/Yara-detection-rules/blob/main/Rules/win_lumma%20_simple.yar"
        yarahub_uuid = "39c32477-9a80-485b-b17a-4adf05f66cf8"
        yarahub_license = "CC BY-NC 4.0"
        malpedia_family = "win.lumma"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
        malpedia_version = "20230918"
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        // UTF-16LE "Web Data", "Opera Neon" and "Login Data" with two runs of six junk characters spliced in
        $o1 = {57 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 62 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00}
        $o2 = {4f 00 70 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 72 00 61 00 20 00 4e 00 65 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 6e 00}
        $o3 = {4c 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 67 00 69 00 6e 00 20 00 44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00}

    condition:
        uint16(0) == 0x5a4d
        and
        filesize < 5000KB
        and
        (all of ($o*))
}
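The two hand-written rules above are small enough to step through by hand. The following Python is an added illustration, not Malpedia's or the rule authors' code: it re-implements only the YARA semantics these two rules use (text strings, the "fullword" modifier, hex strings with "??" wildcards, uint16(0), filesize and "N of") so the conditions can be evaluated on constructed buffers. The byte patterns and strings are copied from the rules; the buffers scanned are built here and are not real samples, and the junk characters "ABCDEF"/"GHIJKL" spliced into the wide strings are made up. Use real YARA for scanning; the point is to see why four of the $s* strings without the code chunk do not fire win_lumma_w0, and why a clean "Web Data" string does not fire win_lumma_w1.

```python
"""Pure-Python walk-through of the win_lumma_w0 and win_lumma_w1 conditions.

Added example, not Malpedia's or the rule authors' code.  Only the subset of
YARA needed by these two rules is re-implemented; use real YARA for scanning.
"""
import re


def hex_pattern(pattern: str) -> re.Pattern:
    """Compile a YARA hex string such as "C1 E8 ?? 33 C6" into a bytes regex.
    "??" is a one-byte wildcard; every other token is a literal byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_fullword(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only if it is bounded by
    non-alphanumeric bytes or by the start/end of the buffer."""
    start = 0
    while (i := data.find(needle, start)) != -1:
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1
    return False


# ---- win_lumma_w0: strings copied from the rule (YARA "\\" is one backslash)
W0_M1 = b"LummaC\\Release\\LummaC.pdb"
W0_S = [b"Cookies.txt", b"Autofills.txt", b"ProgramData\\config.txt",
        b"ProgramData\\softokn3.dll", b"ProgramData\\winrarupd.zip"]
# Opcodes: shr eax,imm8; xor eax,esi; imul ecx,eax,imm32; pop edi; pop esi;
# mov eax,ecx; shr eax,imm8.  The immediates are the wildcards.
W0_CHUNK = hex_pattern("C1 E8 ?? 33 C6 69 C8 ?? ?? ?? ?? 5F 5E 8B C1 C1 E8 ??")


def evaluate_w0(data: bytes) -> dict:
    """Rule condition: $m1 or (4 of ($s*) and $chunk_1)."""
    m1 = find_fullword(data, W0_M1)
    s_hits = sum(1 for s in W0_S if s in data)
    chunk = W0_CHUNK.search(data) is not None
    return {"m1": m1, "s_hits": s_hits, "chunk": chunk,
            "match": m1 or (s_hits >= 4 and chunk)}


# ---- win_lumma_w1: the three wide-string patterns copied from the rule.
# Each is "Web Data" / "Opera Neon" / "Login Data" in UTF-16LE with two runs
# of six wildcard characters spliced in, so a search for the cleartext name
# would miss it.
W1_O = [hex_pattern(p) for p in (
    "57 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 62 00 20 00 44 00 61 00 "
    "?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00",
    "4f 00 70 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 65 00 72 00 61 00 20 00 "
    "4e 00 65 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 6e 00",
    "4c 00 6f 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 67 00 69 00 6e 00 20 00 "
    "44 00 61 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 74 00 61 00",
)]


def evaluate_w1(data: bytes) -> dict:
    """Rule condition: uint16(0) == 0x5a4d and filesize < 5000KB and all of ($o*)."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    size_ok = len(data) < 5000 * 1024
    o_hits = sum(1 for p in W1_O if p.search(data))
    return {"mz": is_mz, "size_ok": size_ok, "o_hits": o_hits,
            "match": is_mz and size_ok and o_hits == len(W1_O)}


# ---- constructed buffers (not real samples; the junk characters are made up)
def wide(s: str) -> bytes:
    return s.encode("utf-16-le")


CHUNK_BYTES = bytes.fromhex("C1E80833C669C8010000005F5E8BC1C1E810")  # one $chunk_1 instance
SAMPLE_PDB_ONLY = b"\x00" * 8 + W0_M1 + b"\x00" * 8        # $m1 alone is sufficient
SAMPLE_PDB_NOT_FULLWORD = b"X" + W0_M1 + b"Y"               # glued to alnum bytes: no $m1
SAMPLE_STRINGS_AND_CHUNK = b"|".join(W0_S[:4]) + b"|" + CHUNK_BYTES
SAMPLE_STRINGS_ONLY = b"|".join(W0_S[:4])                    # 4 of $s* but no code chunk

SAMPLE_W1_OBFUSCATED = (
    b"MZ" + b"\x00" * 62
    + wide("W" + "ABCDEF" + "eb Da" + "GHIJKL" + "ta") + b"\x00\x00"
    + wide("Op" + "ABCDEF" + "era Neo" + "GHIJKL" + "n") + b"\x00\x00"
    + wide("Lo" + "ABCDEF" + "gin Da" + "GHIJKL" + "ta"))
SAMPLE_W1_CLEAN = b"MZ" + wide("Web Data Opera Neon Login Data")  # unobfuscated: no hit


if __name__ == "__main__":
    for name, buf in [("pdb_only", SAMPLE_PDB_ONLY), ("pdb_not_fullword", SAMPLE_PDB_NOT_FULLWORD),
                      ("strings_and_chunk", SAMPLE_STRINGS_AND_CHUNK), ("strings_only", SAMPLE_STRINGS_ONLY)]:
        print("w0", name, evaluate_w0(buf))
    for name, buf in [("obfuscated", SAMPLE_W1_OBFUSCATED), ("clean", SAMPLE_W1_CLEAN)]:
        print("w1", name, evaluate_w1(buf))
```

The "fullword" handling is the detail most often got wrong when rules are ported to other engines: the PDB path glued to alphanumeric bytes on either side is rejected, while the same bytes bounded by NULs or by the buffer edge are accepted. For win_lumma_w1, the unobfuscated browser strings produce zero hits, which is the intended behaviour: the rule targets the junk-inserted form, not the cleartext.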