Malware Analysis: LummaC2 Stealer

By SOCRadar Research

In our article about Stealer-as-a-Service, as the SOCRadar Research team, we looked at Lumma Stealer, a relatively new and unknown malware. During our research, we didn’t find much information, so we did threat hunting by monitoring hacker forums with our dark web team. We added the resulting data to our platform and started our analysis.

LummaC2 is the name of a malicious program classified as a stealer. It operates by stealing sensitive information from infected devices and installing applications. After our dark web team discovered LummaC2, we found that it was being sold on underground forums. Due to its distribution on the web, it can be related to multiple cybercriminals. According to the promotional material, the LummaC2 is approximately 150-200 KB and can affect operating systems from Windows 7 to Windows 11.

Executive Summary

The LummaC2 stealer begins its operations by obtaining relevant device data, such as OS version and architecture, hardware ID, CPU, RAM, screen resolution, system language, etc. This malware can exfiltrate files and extract data from specific applications. Browsers targeted by LummaC2: Chrome, Chromium, Mozilla Firefox, Microsoft Edge, Brave, Kometa, Opera GX Stable, Opera Neon, Opera Stable, Vivaldi, and others. This stealer may acquire browsing histories, Internet cookies, usernames/passwords, personally identifiable details, credit card numbers, and other highly sensitive information from browsers. LummaC2 also targets multiple cryptocurrencies (e.g., Binance, Electrum, Ethereum, etc.). In summary, software like LummaC2 on devices can result in severe privacy issues, significant financial losses, and identity theft.

Lumma Stealer Composition

With the Lumma Stealer malware hash in hand, we visited Malware Bazaar and Triage, where malware samples can be downloaded. We searched for the hash value and finally downloaded the malware from the Triage site, completing the first step of our analysis. Since the sample we obtained is a PE file, when we run it after the appropriate environment is prepared and watch its mobility, it continues to run under the name “tmp.exe” by unpacking itself to the “C:\Users\admin\AppData\Local\Temp\” file path.

Behavior Activities: tmp.exe

Infostealers often target stored browser data, which can include saved credentials etc.

Registry Key Sets:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
• HKU\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
• HKU\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
• 1

• HKU\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
• %HTTP_PROXY%:8080

Reads browser cookies and saves this path:

• C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ymgarh1v.defaul t\cookies.sqlite

Connects to the server without a hostname.

• hxxp[:]//195[.]123[.]226[.]91/c2sock

After the connection to the address is established, it transmits information as a zip file. Details are given in other stages.

Static Analysis

Overview

When Lumma is analyzed in various tools, the outputs of the tools are as follows:

• It is written in C++ programming language. 
• Detect It Easy tool’s output is the total ‘6.51920’ entropy value, which turns out 81%.

PEStudio tool’s output is total ‘6.519‘ entropy value.

In addition to the entropy value, we can view all functions and imported addresses when we examine them with IDA. At this stage, we decide that it is not packed, and when we finally check with the “exeinfope,” the result is “not packed.”

Strings have been searched, but since there is too much obfuscated information, no tangible results have been found. One remarkable result we achieved using PEStudio was that it uses ASLR. We will continue the analysis by changing the ASLR ‘true‘ parameter to ‘false‘ and saving it.

Anti-Debugger control is provided with “IsDebuggerPresent” API. If the EAX register takes 1 as a value, the program will close itself, and it is impossible to debug with the analysis tools; that’s why changing it to 0 to run the program without closing. The anti-debugger bypass technique will be done during dynamic analysis.

The beginning of obfuscated strings and the field where browser cookie information is collected. The stealer also targets crypto wallets such as Binance, Electrum, and Ethereum and collects sensitive information from the victim’s machine. The below figure shows the code snippet of stealers targeting crypto wallets. (0040772c)

Here are the obfuscated collections.

Crypto Wallets: Deobfuscated strings come after.

Web Browsers: Deobfuscated strings come after.

The stealer has many obfuscated strings that are being covered by a random string, “edx765“, to evade detection. Upon execution, the stealer passes the obfuscated string to a function that strips the arbitrary string and delivers the original string. The results obtained by decoding strings are compared below.

Dynamic Analysis

We have started with the first findings we detected while running LummaC2 Stealer in the “behavior” section. Now, let’s move on to the detailed dynamic analysis stage, verify what we found in the “static analysis” section, and check if we can change the request to the C2 address.

IsDebuggerPresent

By changing the return value for IsDebuggerPresent, one of the most critical APIs we put in breakpoint, we perform the anti-debugging bypass operation.

LummaC2 stealer sends this information to its C2 server, as shown below.

Type: multipart/form-data; boundary=оaj195iak20ka99441aj1″

We observed the IP address in Debugger, and via IDA, we found that the exact IP address is also referred to in the .rdata section.

Host: 195[.]123[.]226[.]91/c2sock

One of the parts that will complicate the analysis processes that will perform the termination process has appeared again. If we try to skip this part directly, the process will terminate.

Network Activity

When LummaC2 is run, the address it sends the POST request to and the C2 addresses are different. We found the C2 address by researching VirusTotal. We ran the LummaC2 instance directly in the virtual environment and monitored its activity. As a result, network activity was observed. Making a ‘POST’ request, tmp.exe is trying to pass information.

The POST request is performed as follows.

Host: 195[.]123[.]226[.]91

You can find Shodan results about the host address here.

When we examine the packet’s content captured with WireShark, we see a “PK” header. This means that the C2 is transmitted as a zip file during the POST request. Let’s examine the stolen information by dumping the zip file.

When we examine the contents of the zip file viewed from the PCAP file, it collects information, primarily system information. It targets the browsers we have seen in the static analysis codes. The collected data is transferred to the C2 server as a zip file. Since Microsoft Edge and Mozilla Firefox are installed in our analysis environment, Lumma Stealer only collects data from these browsers.

We have obtained different zip files because Lumma Stealer sent multiple POST requests to the “c2/sock” address. When we begin examining from the lowest to the highest in size, we find only the “System.txt” file in the lowest size file. Its contents are specified in the following image.

When we examine the file named Mozilla Firefox, when we view the .db file called cookies, we can see that it collects the following cookie information.

The content of the .db file named web data is shown in the image below.

There is not much data for the Edge browser, so when we add the cookie information collected for Mozilla, we can see clearly in the following image that it has collected cookie information for many account details.

In conclusion, Lumma Stealer collects cookie information, search histories, and key inputs from browsers and transfers them to the C2 address. The list of all the information it tries to collect inside of the “Web Data” SQLite file is given in the last image.

We used the VirusTotal graphical interface for Threat Research at this research stage with the IP address sending the POST request. As seen in the screenshot below, the results of “collections,” “communicating files,” and “referer files” are displayed.

After that, we opened the link information, and many malicious files and IP addresses were displayed. We noticed a large number of open ports when we searched through Shodan, where 144[.]76[.]173[.]247 IP addresses in Germany caught our attention. We accessed C2 while visiting port 80.

In the next step, when we visit port 80, the login page can be displayed. C2 Login Page is shown in the screenshot below.

C2:144[.]76[.]173[.]247/login

Analyst Note: The IP address 144[.]76[.]173[.]247 was not encountered during the analysis.

Shodan Result

LummaC2 behaves like other stealer-type malware, which can take away system and sensitive data from the victim’s machine. These dangerous programs can usually steal information from web browsers and target crypto wallets.

The additional information stored on web browsers, such as login credentials, PII, and financial information, can be further leveraged to conduct fraud activities.

Threat actors can use the stolen data to steal cryptocurrencies from the victim’s accounts or sell this data to other threat actors for financial gain.

Indicators of Compromise

You can find the full list of IOCs in the SOCRadar Platform.

Rules & Signatures

MITRE ATT&CK Matrix