Hey, I recently noticed the stealer's activity when loading its configuration.
0x20-byte XOR key:
AC B7 67 69 C8 D3 1A 3A E9 C4 FB 55 87 6D 49 D9 B7 73 94 69 ED E1 DE A0 0A 51 0E 4F FF CA C5 A9
The analysis was carried out by an analyst from any.run in the sandbox at the following link:
For better coverage, I would like to share the following rule:
alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/c2conf"; isdataat:!1,relative; http.request_body; content:"lid="; depth:4; content:"&ver="; distance:0; isdataat:!5,relative; classtype:command-and-control; reference:md5,9153ac5b623681a7fa845cb4e4f59209; reference:url,app.any.run/tasks/bd11c4e0-0942-4880-bc43-03a6440d25d5; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family lumma, created_at 2023_06_21; sid:8000476; rev:1;)
Best regards, Jane <3
1 Like
Thanks @Jane0sint! We’ll get this in today’s release
1 Like
2046637 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
1 Like
Hi, the Lumma HTTP POST has been updated and we have written new rules:
alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"act="; depth:4; content:"&lid="; distance:0; content:"&j="; distance:0; content:"&ver="; distance:0; isdataat:!5,relative; classtype:command-and-control; reference:md5,884478741e7046e6d0788b63c09df89f; reference:url,app.any.run/tasks/409f5138-3853-4910-80d4-3c380b969274; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lumma, created_at 2023_09_15; sid:1; rev:1;)
This is the general rule for check-in. Now I'll write one for exfiltration:
alert http any any -> any any (msg:"ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition: form-data|3b 20|name=|22|act|22 0d 0a 0d 0a|send_message|0d 0a|--"; content:"Content-Disposition: form-data|3b 20|name=|22|hwid|22 0d 0a 0d 0a|"; content:"Content-Disposition: form-data|3b 20|name=|22|lid|22 0d 0a 0d 0a|"; content:"Content-Disposition: form-data|3b 20|name=|22|file|22 3b|"; threshold:type limit, seconds 30, count 1, track by_dst; classtype:command-and-control; reference:md5,884478741e7046e6d0788b63c09df89f; reference:url,app.any.run/tasks/409f5138-3853-4910-80d4-3c380b969274; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Lumma, created_at 2023_09_15; sid:2; rev:1;)
I didn't write any extra rules; we'll keep an eye on further changes. Thanks @g0njxa!
Best regards, Jane
1 Like
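The three rules from Jane's two posts (the configuration request, the check-in and the exfiltration rule), exercised offline as an added example. This is not code from the thread, from ANY.RUN or from Emerging Threats: it re-implements only the matching keywords the rules use (http.method, http.uri, http.request_body, content with depth/distance, and relative isdataat) so the rules can be checked against sample requests without running Suricata. The hosts, lid/hwid values, form values and multipart bodies in the samples are constructed, and the sid numbers are the ones assigned in this thread. The example assumes that isdataat:!N,relative means "fewer than N bytes remain after the previous match", which is what the rules rely on to require a short ver= value; flow, threshold and classtype affect alerting rather than matching and are not modelled.

```python
"""Offline re-implementation of the byte matching in the three [ANY.RUN]
Lumma Stealer Suricata rules from this thread.  Added example, not code
from the thread, ANY.RUN or Emerging Threats; all sample traffic below is
constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HttpRequest:
    method: bytes
    uri: bytes
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into the sticky buffers the rules use."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method, uri, body)


class Buffer:
    """One sticky buffer plus the cursor that relative keywords chain on."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.cursor = 0  # byte just past the previous content match

    def content(self, needle: bytes, depth: Optional[int] = None,
                distance: Optional[int] = None) -> bool:
        if distance is not None:  # relative: search from cursor + distance
            idx = self.data.find(needle, self.cursor + distance)
        else:                     # absolute: search from 0, bounded by depth
            end = len(self.data) if depth is None else depth
            idx = self.data.find(needle, 0, end)
        if idx < 0:
            return False
        self.cursor = idx + len(needle)
        return True

    def isdataat_not(self, n: int) -> bool:
        """isdataat:!n,relative (assumed): fewer than n bytes follow the cursor."""
        return self.cursor + n > len(self.data)


def sid_2046637_config_request(req: HttpRequest) -> bool:
    uri, body = Buffer(req.uri), Buffer(req.body)
    return (req.method == b"POST"
            and uri.content(b"/c2conf") and uri.isdataat_not(1)  # URI ends at /c2conf
            and body.content(b"lid=", depth=4)                   # body starts with lid=
            and body.content(b"&ver=", distance=0)
            and body.isdataat_not(5))                            # short ver= value


def sid_2048093_checkin(req: HttpRequest) -> bool:
    body = Buffer(req.body)
    return (req.method == b"POST"
            and body.content(b"act=", depth=4)
            and body.content(b"&lid=", distance=0)
            and body.content(b"&j=", distance=0)
            and body.content(b"&ver=", distance=0)
            and body.isdataat_not(5))


def sid_2048094_exfiltration(req: HttpRequest) -> bool:
    body = Buffer(req.body)
    parts = [  # the |hex| escapes of the rule spelled out as bytes
        b'Content-Disposition: form-data; name="act"\r\n\r\nsend_message\r\n--',
        b'Content-Disposition: form-data; name="hwid"\r\n\r\n',
        b'Content-Disposition: form-data; name="lid"\r\n\r\n',
        b'Content-Disposition: form-data; name="file";',
    ]
    return req.method == b"POST" and all(body.content(p) for p in parts)


RULES = {2046637: sid_2046637_config_request,
         2048093: sid_2048093_checkin,
         2048094: sid_2048094_exfiltration}


def matching_sids(raw: bytes) -> List[int]:
    req = parse_request(raw)
    return sorted(sid for sid, match in RULES.items() if match(req))


# Constructed samples: host, lid/hwid values, form values and file are made up.
_HDR = b"Host: c2.example.invalid\r\n\r\n"
_MP = (b'--b\r\nContent-Disposition: form-data; name="act"\r\n\r\nsend_message\r\n'
       b'--b\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nDEADBEEF\r\n'
       b'--b\r\nContent-Disposition: form-data; name="lid"\r\n\r\nABCD--EFGH\r\n'
       b'--b\r\nContent-Disposition: form-data; name="file"; filename="x.zip"\r\n'
       b'\r\nPK\x03\x04\r\n--b--\r\n')
SAMPLES = {
    "config_request": b"POST /c2conf HTTP/1.1\r\n" + _HDR + b"lid=ABCD--EFGH&ver=4.0",
    "config_request_get": b"GET /c2conf HTTP/1.1\r\n" + _HDR + b"lid=ABCD--EFGH&ver=4.0",
    "checkin": b"POST /api HTTP/1.1\r\n" + _HDR + b"act=ping&lid=ABCD--EFGH&j=&ver=4.0",
    "checkin_long_ver": b"POST /api HTTP/1.1\r\n" + _HDR + b"act=ping&lid=ABCD--EFGH&j=&ver=4.0.0-beta",
    "exfiltration": b"POST /api HTTP/1.1\r\n" + _HDR + _MP,
    "benign_login": b"POST /login HTTP/1.1\r\n" + _HDR + b"user=alice&pass=hunter2",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {matching_sids(raw) or 'no alert'}")
```

The two negative samples show the parts of the rules that do the discriminating: the GET to /c2conf is dropped by the http.method check, and the check-in with a long ver= value is dropped by isdataat:!5,relative, so a change in how the stealer formats that field would silently turn the rule off.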
Is it okay that I didn’t start a new topic? @ishaughnessy
1 Like
Yep, no problem! I'm taking a look now.
2 Likes
Here are the sids for these, have a great weekend!
2048093 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
2048094 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
2 Likes