{
	"id": "aa2c7d97-0800-4349-a7da-33838676452e",
	"created_at": "2026-04-06T00:09:44.257139Z",
	"updated_at": "2026-04-10T03:20:29.827924Z",
	"deleted_at": null,
	"sha1_hash": "92bddc2b2bc29adaf5a56d15b6be5ef54613b190",
	"title": "Malware Analysis - Lumma Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 233865,
	"plain_text": "Malware Analysis - Lumma Stealer\r\nBy Mandar Naik\r\nPublished: 2024-10-04 · Archived: 2026-04-05 21:13:38 UTC\r\nIn this post, we will analyze and reverse engineer a malware sample known as Lumma Stealer.\r\nThe web-based attack vector is a fake captcha page that asks the user to perform a task for verification.\r\nThe user is presented with a captcha page as shown below.\r\nOn a legitimate page, the user would be asked to select the boxes that contain this or that object, but here the user is asked to run a PowerShell script for verification. The script is automatically copied to the system clipboard once the user clicks on “I am not a robot”, as shown below.\r\nhttps://mandarnaik016.in/blog/2024-10-05-malware-analysis-lumma-stealer/\r\nPage 1 of 13\r\n\r\nWe will use the automatically copied PowerShell script for the investigation. The script contains base64-encoded text that is executed in a hidden window.\r\nAfter decoding the base64 text we get the following data. The decoded text contains another PowerShell command that executes the content of a file called a.txt stored at a remote location.\r\n\r\nWe download the a.txt file for further examination.\r\nThe a.txt file contains,\r\n\r\nThe file in turn contains another PowerShell command that downloads a file called malt.zip from a remote location and stores it under a different name, pg1.zip, in a temp location. It then extracts the pg1.zip content into a folder called file and executes set-up.exe from that path.\r\nAfter unzipping malt.zip the directory content is,\r\nThe interesting thing to note is that the file set-up.exe resembles the IObit uninstaller. A normal user would see the copyright of the file as IObit and might consider the file legitimate.\r\n\r\nApart from set-up.exe, we do not find any other executable in the directory, but after checking the file type of every file we can see that most of the files with the .bpl extension are executables.\r\n\r\nWe ran FLOSS on madbasic_.bpl, maddisAsm_.bpl, madexcept_.bpl and Set-up.exe.\r\nThe strings inside madbasic_.bpl seem pretty interesting; they include text like Encrypt, Decrypt, Encode, and Decode.\r\nThe file maddisAsm_.bpl has a reference to the previous file, madbasic_.bpl.\r\n\r\nThe file madexcept_.bpl contains text like HTTP account, password, SMTP account, password, etc.\r\nLastly, Set-up.exe contains text like sending mail, sending attachments, etc.\r\n\r\nLet’s do a dynamic analysis to get more insight.\r\nAfter executing the file we use procmon to capture the activity performed by the Set-up.exe process.\r\nThe file performed a lot of activity, but the most interesting operations are CreateFile, WriteFile, and CreateProcess.\r\nThe process tree gave us more insight: Set-up.exe created a subprocess called more.com, which executes from the SysWOW64 folder and in turn creates two subprocesses, conhost.exe and Launcher.exe, the latter executing from the AppData folder.\r\nWe use x32dbg to debug the Set-up.exe file. We set the following breakpoints, which we derived from the file activity seen in procmon.\r\n\r\nWe hit an interesting CreateFile breakpoint:\r\nIt created a file called pla.dll in the SysWOW64 folder.\r\n\r\nSimultaneously it also created Launcher.exe in the AppData folder.\r\nWe hit another CreateProcess breakpoint; it is creating a process of IUservice from the Roaming folder.\r\nUnfortunately, we do not see any executable in that folder, although the malware copied itself into that folder for persistence.\r\n\r\nAnother CreateProcess breakpoint was hit; it is creating a process of more.com from the SysWOW64 folder.\r\nWe can also see more.com in the SysWOW64 folder.\r\n\r\nIn parallel we were also monitoring the network connections. Set-up.exe tried to communicate with a list of domains (see the URLs under IOCs).\r\nIOCs\r\n1. IPs\r\n2. URLs\r\n3. Hashes\r\n(The indicator values are listed in the source post.)\r\nSource: https://mandarnaik016.in/blog/2024-10-05-malware-analysis-lumma-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mandarnaik016.in/blog/2024-10-05-malware-analysis-lumma-stealer/"
	],
	"report_names": [
		"2024-10-05-malware-analysis-lumma-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92bddc2b2bc29adaf5a56d15b6be5ef54613b190.pdf",
		"text": "https://archive.orkl.eu/92bddc2b2bc29adaf5a56d15b6be5ef54613b190.txt",
		"img": "https://archive.orkl.eu/92bddc2b2bc29adaf5a56d15b6be5ef54613b190.jpg"
	}
}