2025-08-13 (WEDNESDAY): LUMMA STEALER INFECTION
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2025-08-13-IOCs-from-Lumma-Stealer-infection.txt.zip 2.2 kB (2,194 bytes)
- 2025-08-13-Lumma-Stealer-infection.pcap.zip 1.9 MB (1,850,415 bytes)
- 2025-08-13-malware-and-artifacts-from-Lumma-Stealer-infection.zip 58.2 MB (58,248,940 bytes)
IMAGES
Shown above: Web pages leading to download of password-protected 7-zip archive.
Shown above: Extracting the malicious EXE from the password-protected 7-zip archive.
Shown above: Traffic from the Lumma Stealer infection after running the malicious EXE.
Shown above: Files from an infected Windows host.
NOTES:
- This is an example of Lumma Stealer distributed to people searching for cracked software.
- This infection chain misuses the AutoIt scripting language to conceal malicious activity.
- An obfuscated batch script, a .cab file, and misleading file extensions also help evade detection.
- This type of Lumma Stealer first came to my attention in May 2025:
-- https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-19-IOCs-for-CypherIT-and-AutoIt-used-in-distribution-of-Lumma-Stealer.txt

PATH TO INITIAL ZIP ARCHIVE DOWNLOAD:
- hxxps[:]//www.facebook[.]com/media/set/?set=a.192788880512417
- hxxps[:]//urluss[.]com/2wnKHc
- hxxps[:]//media.cloud8323v4[.]cyou/NCH+Debut+Video+Capture+Software+Pro+11.2+Beta+Crack+full+version.zip
- hxxps[:]//arch.verif743[.]sbs/e/get/Ud3Dxwv2JxBQ9V3ipwWMyRIU/NCH%20Debut%20Video%20Capture%20Software%20Pro%2011.2%20Beta%20Crack%20full%20version.zip

DOWNLOADED MALWARE AND EXTRACTED FILE:
- SHA256 hash: 0f48376ac481e8e036d1739ae1d1de682df7291240278096ca3f20cb10a6d189
- File size: 17,311,955 bytes
- File name: NCH Debut Video Capture Software Pro 11.2 Beta Crack full version.7z
- File type: 7-zip archive data, version 0.4
- File description: downloaded, password-protected 7-Zip archive
- Password: 7986

- SHA256 hash: 44bd1565a75b38ee09ef5d31b411923feb4e3327293db031b0742e19d14c81fd
- File size: 954,400,813 bytes
- File name: nch debut video capture software pro 11.2 beta crack full version.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: Extracted from the above archive, EXE file to install Lumma Stealer

- SHA256 hash: 7a7d6cc69cd9421817a37aa929b921bceaa35719330320c53461e1f92a31b358
- File size: 31,656,045 bytes
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: Above EXE with most of the null-byte padding removed
- Sandbox analysis: https://tria.ge/250813-2msqyaal9w/

LIST OF FILES FROM AN INFECTION:
- C:\Users\[username]\AppData\Local\Temp\Dallas.midi
- C:\Users\[username]\AppData\Local\Temp\Greetings.midi
- C:\Users\[username]\AppData\Local\Temp\Interview.midi
- C:\Users\[username]\AppData\Local\Temp\Model.midi
- C:\Users\[username]\AppData\Local\Temp\Tongue.midi
- C:\Users\[username]\AppData\Local\Temp\Against
- C:\Users\[username]\AppData\Local\Temp\Au
- C:\Users\[username]\AppData\Local\Temp\Bg
- C:\Users\[username]\AppData\Local\Temp\Economy
- C:\Users\[username]\AppData\Local\Temp\Ix
- C:\Users\[username]\AppData\Local\Temp\Looks
- C:\Users\[username]\AppData\Local\Temp\Nobody
- C:\Users\[username]\AppData\Local\Temp\Participated
- C:\Users\[username]\AppData\Local\Temp\Referrals
- C:\Users\[username]\AppData\Local\Temp\Scotland
- C:\Users\[username]\AppData\Local\Temp\Themes
- C:\Users\[username]\AppData\Local\Temp\65812\Branches.pif

FILES FROM AN INFECTION:
- SHA256 hash: d9c0097195c85dcc686a0a8d1b2e201ad213545e21b520ca334f23ffd517190e
- File size: 30,448 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\Interview.midi
- File type: ASCII text, with very long lines (1480), with CRLF line terminators
- File description: Obfuscated script to create copy of AutoIt3.exe and .a3x file for Lumma Stealer

- SHA256 hash: 20fa414053775d01e641d5bed306107ff8094369d1e3de77cf4269f965560f3d
- File size: 505,851 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\Greetings.midi
- File type: data
- File description: .cab file with content used to create copy of AutoIt3.exe

- SHA256 hash: 3ec9740bedc683021cc3e94e4a33b3a9d3d6f9b9e96b1f04cc6534f551dd58c1
- File size: 980,064 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\65812\Branches.pif
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: Copy of AutoIt3.exe created from above .cab file content

- SHA256 hash: 987ca00c76fa1cb13ac07dd212540e18f384a88a60340ea4c7fcfad0c9ff3a0e
- File size: 518,439 bytes
- File type: data
- File description: .a3x file for Lumma Stealer created by the installer
- Sandbox analysis: https://app.any.run/tasks/bcbc6e2a-0881-4ede-ac48-a028aadd89fb

LUMMA STEALER C2 CONFIGURATION FROM TRIA.GE ANALYSIS:
- hxxps[:]//secrequ[.]top/tieq
- hxxps[:]//mastwin[.]in/qsaz/api
- hxxps[:]//ordinarniyvrach[.]ru/xiur/api
- hxxps[:]//yamakrug[.]ru/lzka/api
- hxxps[:]//vishneviyjazz[.]ru/neco/api
- hxxps[:]//yrokistorii[.]ru/uqya/api
- hxxps[:]//stolewnica[.]ru/xjuf/api
- hxxps[:]//visokiywkaf[.]ru/mmtn/api
- hxxps[:]//kletkamozga[.]ru/iwyq/api