I identified an active Lumma Stealer sample, exposing its download URL, hashes, and C2.
Download URLs:
- hxxp[://]176[.]113[.]115[.]7/files/5526411762/Gidqgok[.]exe
- hxxp[://]176[.]113[.]115[.]7/files/5265591378/JqGBbm7[.]exe
- hxxp[://]176[.]113[.]115[.]7/files/1763292343/jrKsxjw[.]exe
File Hashes:
- SHA256: `21ee78d53bb58bd367455543d21f0b17a174083218054db1be84e82d30f225ce`
- SHA256: `71c6c3d85390b9182145a4855e66d0b62be5f67146949898a779efe9133a980e`
- SHA256: `81440082e61e6583a57b8d123011348c148f1249b6bdef619cc87ffdd397b2dc`
C2 (Command and Control):
- hxxps[://]hardswarehub[.]today/api
- hxxps[://]steamcommunity[.]com/profiles/76561199822375128
Verified Commands and Detection Code:
1. YARA Rule to Detect Lumma Stealer (the original rule used the defanged "hxxps://" URL, which never appears inside a real binary, and the bare string "C2", which matches almost any file; the strings below are the real indicators from this post):
[yara]
rule Lumma_Stealer {
meta:
description = "Detects Lumma Stealer samples by the C2 indicators listed in this post"
author = "Your Name"
date = "2023-10-01"
strings:
// refanged C2 host; a defanged "hxxps://" string is never present in a sample
$c2_host = "hardswarehub.today" ascii wide nocase
// Steam profile ID the sample contacts (17 digits, low false-positive rate)
$steam_id = "76561199822375128" ascii wide
// family name, rarely embedded but harmless to keep
$family = "Lumma Stealer" ascii wide nocase
condition:
// every declared string must be referenced or YARA refuses to compile the rule
$c2_host or $steam_id or $family
}
[/yara]
2. Linux Command to Check File Hashes:
sha256sum <filename>
3. Windows Command to Check File Hashes:
Get-FileHash -Algorithm SHA256 <filename>
4. Blocking C2 Domains via Firewall (Linux):
sudo iptables -A OUTPUT -p tcp --dport 443 -d hardswarehub.today -j DROP
sudo iptables -A OUTPUT -p tcp --dport 443 -d steamcommunity.com -j DROP
Two caveats: iptables resolves a hostname to its IP addresses only at the moment the rule is inserted, so a domain that later moves to a new address is no longer covered; and dropping all of steamcommunity.com cuts off legitimate Steam traffic, since only the single profile URL listed above is malicious. Blocking one URL path on a shared site needs a web proxy or DNS/URL filter, not a layer-3 firewall rule.
5. Analyzing Network Traffic with tcpdump:
sudo tcpdump -i eth0 host hardswarehub.today or host steamcommunity.com
tcpdump likewise resolves the hostnames once at start-up, and since both C2 endpoints use HTTPS the capture shows only the connection (TLS handshake and SNI), not the request path; for the Steam profile URL, proxy or DNS logs are the more useful source.
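The hash checks and the host/URL blocking above come together in the following triage script, added here as an example rather than taken from the original post or its source. It refangs the defanged IOCs listed above, computes SHA256 over files and compares against the three listed hashes, and scans proxy log lines for the download server, the C2 host, and the one Steam profile URL, without flagging ordinary steamcommunity.com traffic. The log line format, the client addresses, and the sample file are assumptions constructed for the demonstration; real proxy logs will need their own regex.

```python
"""Triage helper for the indicators in this post: refangs the defanged IOCs,
checks files against the listed SHA256 hashes, and flags proxy log lines that
reach the download server, the C2 host, or the one Steam profile the sample
uses.  The sample file and log lines are constructed for the demonstration."""
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Indicators copied from the post, still defanged.
DEFANGED_URLS = [
    "hxxp[://]176[.]113[.]115[.]7/files/5526411762/Gidqgok[.]exe",
    "hxxp[://]176[.]113[.]115[.]7/files/5265591378/JqGBbm7[.]exe",
    "hxxp[://]176[.]113[.]115[.]7/files/1763292343/jrKsxjw[.]exe",
    "hxxps[://]hardswarehub[.]today/api",
    "hxxps[://]steamcommunity[.]com/profiles/76561199822375128",
]
IOC_SHA256 = {
    "21ee78d53bb58bd367455543d21f0b17a174083218054db1be84e82d30f225ce",
    "71c6c3d85390b9182145a4855e66d0b62be5f67146949898a779efe9133a980e",
    "81440082e61e6583a57b8d123011348c148f1249b6bdef619cc87ffdd397b2dc",
}
# Shared services where only one URL is malicious: match host AND path.
SHARED_HOSTS = {"steamcommunity.com"}

def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] -> ., [://] -> ://."""
    s = ioc.replace("[.]", ".").replace("[://]", "://").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def sha256_file(path: Path) -> str:
    """Streaming SHA256 so a large dropper need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_files(paths, known=IOC_SHA256):
    """Return the paths whose SHA256 appears in the indicator set."""
    return [p for p in paths if sha256_file(p) in known]

def build_matchers(defanged=DEFANGED_URLS):
    """Split indicators into hosts flagged outright and (host, path) pairs."""
    hosts, paths = set(), set()
    for parts in (urlsplit(refang(u)) for u in defanged):
        if parts.hostname in SHARED_HOSTS:
            paths.add((parts.hostname, parts.path))
        else:
            hosts.add(parts.hostname)
    return hosts, paths

# Assumed log format: "<timestamp> <client> <method> <full URL>".  Full URLs
# imply a TLS-inspecting proxy; plain CONNECT logs expose only the host, so
# the Steam profile path could not be matched there.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")

def flag_log_lines(lines, defanged=DEFANGED_URLS):
    """Return (client, host, path) for every line that touches an indicator."""
    hosts, paths = build_matchers(defanged)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        host = parts.hostname
        if host in hosts or (host, parts.path) in paths:
            hits.append((m.group("src"), host, parts.path))
    return hits

SAMPLE_LOG = [  # constructed lines, not a real capture
    "2025-03-03T10:01:02Z 10.0.0.5 GET http://176.113.115.7/files/5526411762/Gidqgok.exe",
    "2025-03-03T10:01:09Z 10.0.0.5 GET https://steamcommunity.com/profiles/76561199822375128",
    "2025-03-03T10:01:10Z 10.0.0.7 GET https://steamcommunity.com/app/730",
    "2025-03-03T10:01:15Z 10.0.0.5 POST https://hardswarehub.today/api",
    "2025-03-03T10:02:00Z 10.0.0.9 GET https://example.com/",
]

def check_constructed_sample():
    """Hash a harmless temp file: it must miss the IOC set, and must hit once
    its own digest is added.  Returns (misses, hits)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "sample.bin"
        p.write_bytes(b"constructed benign content, not a real dropper")
        return (len(scan_files([p])),
                len(scan_files([p], known=IOC_SHA256 | {sha256_file(p)})))

if __name__ == "__main__":
    for src, host, path in flag_log_lines(SAMPLE_LOG):
        print(f"indicator hit: client={src} host={host} path={path}")
    print("file check (misses, hits):", check_constructed_sample())
```

Run against the constructed log, three of the five lines are flagged (the dropper download, the Steam profile fetch, and the POST to the C2 API) while the unrelated Steam page and example.com are left alone; that host-plus-path distinction is what a blanket `-d steamcommunity.com` firewall rule cannot express.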
What Undercode Says:
Lumma Stealer is an information stealer built to exfiltrate credentials and other sensitive data from infected systems. This sample combines a dedicated C2 domain with a profile on a legitimate site (steamcommunity.com) and spreads its droppers across several download URLs on one host, which makes indicator-based blocking brittle if it is done at the domain or IP level alone. Pair YARA rules with network monitoring for the C2 hosts, keep firewall and proxy rules current as the infrastructure changes, and use `sha256sum` on Linux or `Get-FileHash` on Windows to match suspect files against the hashes above. For further reading on malware analysis and threat intelligence, see MITRE ATT&CK and Malwarebytes Labs, and keep systems patched to limit the initial infection vectors these stealers rely on.
References:
Initially reported by: https://www.linkedin.com/posts/apophis133_lumma-lummaabrstealer-iocs-activity-7302033834785562625-HyoV (Hackers Feeds)