Lumma Stealer Configuration

Jane0sint · June 22, 2023, 10:22pm

Hey, I recently noticed the activity of the stealer to load the configuration.
0x20 bytes xor key
AC B7 67 69 C8 D3 1A 3A E9 C4 FB 55 87 6D 49 D9 B7 73 94 69 ED E1 DE A0 0A 51 0E 4F FF CA C5 A9
The analysis was carried out by an analyst from any.run in the sandbox at the following link:

For better coverage, I would like to share the following rule:

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt";flow: established, to_server; http.method; content: "POST"; http.uri; content: "/c2conf"; isdataat: !1, relative; http.request_body; content: "lid="; depth: 4;content: "&ver="; distance: 0; isdataat: !5, relative; classtype: command-and-control; reference:md5,9153ac5b623681a7fa845cb4e4f59209; reference:url,app.any.run/tasks/bd11c4e0-0942-4880-bc43-03a6440d25d5; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family lumma,  created_at 2023_06_21; sid: 8000476; rev: 1;)

Best regards, Jane <3

ishaughnessy · June 23, 2023, 4:18pm

Thanks @Jane0sint! We’ll get this in today’s release

ishaughnessy · June 23, 2023, 9:22pm

 2046637 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt

Jane0sint · September 15, 2023, 12:58am

Hi, we have updated Lumma http post and wrote new rules

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In";flow: established, to_server; http.method;content: "POST"; http.request_body;content: "act="; depth: 4;content: "&lid="; distance: 0;content: "&j="; distance: 0;content: "&ver="; distance: 0; isdataat: !5, relative; classtype: command-and-control;  reference: md5,884478741e7046e6d0788b63c09df89f;  reference: url, app.any.run/tasks/409f5138-3853-4910-80d4-3c380b969274; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lumma,  created_at 2023_09_15; sid: 1; rev: 1;)

This is the general rule for check-in. Now I’ll write for exfiltration

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration";flow: established, to_server; http.method;content: "POST"; http.request_body;content: "Content-Disposition: form-data|3b 20|name=|22|act|22 0d 0a 0d 0a|send_message|0d 0a|--"; content: "Content-Disposition: form-data|3b 20|name=|22|hwid|22 0d 0a 0d 0a|"; content: "Content-Disposition: form-data|3b 20|name=|22|lid|22 0d 0a 0d 0a|"; content: "Content-Disposition: form-data|3b 20|name=|22|file|22 3b|"; threshold:type limit, seconds 30, count 1, track by_dst; classtype: command-and-control;reference: md5,884478741e7046e6d0788b63c09df89f;reference: url,app.any.run/tasks/409f5138-3853-4910-80d4-3c380b969274;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lumma,  created_at 2023_09_15;sid: 2; rev: 1;)

I didn’t write any extra rules, We’ll keep an eye on further changes. Thanks @g0njxa!
Best regards, Jane

Jane0sint · September 15, 2023, 1:19am

Is it okay that I didn’t start a new topic? @ishaughnessy

ishaughnessy · September 15, 2023, 2:56pm

yep, no problem! I’m taking a look now

ishaughnessy · September 15, 2023, 9:55pm

Here are the sids for these, have a great weekend!

2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
2048094 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration