{
	"id": "059386f2-eb4c-400a-8924-0180a11c6635",
	"created_at": "2026-04-06T00:13:37.498705Z",
	"updated_at": "2026-04-10T13:11:24.410205Z",
	"deleted_at": null,
	"sha1_hash": "f6d0f56683e0bdd584cf6739deb3034104b61f8b",
	"title": "Malware Analysis - Lumma Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1702300,
	"plain_text": "Malware Analysis - Lumma Stealer\r\nBy Bar Magnezi\r\nPublished: 2024-09-24 · Archived: 2026-04-05 18:11:22 UTC\r\nSample:\r\nhttps://ch3[.]dlvideosfre[.]click/human-verify-system[.]html\r\nBackground\r\nLumma Stealer (aka LummaC2 Stealer) is an information stealer that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. Once the targeted data is obtained, it is exfiltrated to a C2 server.\r\nStatic Analysis - Stage 1\r\nThis relatively new phishing technique, known as ‘self-pawn,’ uses social engineering to lure users into executing malicious commands by prompting them to click ‘I’m not a robot’, as shown in Figure 1.\r\nFigure 1: I'm Not A Robot Button\r\nAfter pressing the button, it instructs the user to use the Run feature in Windows.\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/\r\nPage 1 of 15\r\nFigure 2: After Pressing The Button\r\nAfter further inspection and using F12 to view the page source, I found a script section that contained PowerShell code, as shown in Figure 2.\r\nFigure 3: F12 To View Page Source\r\nThen, I took the Base64-encoded string and decoded it using CyberChef. The output was a ‘mshta’ command that pointed to a new URL.\r\nFigure 4: CyberChef Decoding\r\nAs shown in Figure 4, I used curl to download the file it attempts to run.\r\nFigure 5: Curling To The New URL\r\nStatic Analysis - Stage 2\r\nAfter downloading the file, I conducted basic triage and static analysis on it.\r\nFigure 6: Using Detect It Easy\r\nFigure 7: Using PEStudio\r\nFigure 8: Using CAPA To Find Capabilities\r\nThis part made me suspicious that there was much more in the executable than I initially noticed. Using the strings command, I found one extremely large string. With a hex editor, I was able to locate it, as shown in Figure 9.\r\nFigure 9: Using HxD\r\nAs marked in Figure 9, it contained a “script” tag. This script was extracted for further investigation.\r\nThis script used a relatively simple obfuscation technique that replaced strings with characters and then converted them using the fromCharCode function.\r\nFigure 10: Marking The Critical Replacement\r\nFor the next part, I wrote a simple PowerShell script to output what this function executes, without the risk of it being executed.\r\nFigure 11: PS Script To Print The Output\r\nUsing this script, I was able to print the executed code to the console. It appears to be another layer of obfuscated code that requires further investigation.\r\nFigure 12: Output Of The PS To The Console\r\nFigure 13: Cleaned JS Code\r\nAs marked in Figure 13, this is the function being used for decoding. After understanding the code, I disarmed it and used WScript.Echo to print the output to the console.\r\nFigure 13: Disarmed Code With Echo\r\nI used CScript to output the contents of the two variables.\r\nFigure 14: Output Using CScript\r\nThe output was copied to Notepad for further investigation and to make sense of the code.\r\nFigure 15: Cleaned PS Script\r\nAs marked in Figure 15, AES cryptography is applied to the ‘fALRGP’ variable. I used CyberChef to decrypt this variable using the provided Key and IV.\r\nFigure 16: CyberChef Recipe\r\nThe output from CyberChef was another obfuscated PowerShell script. The script was modified slightly and disarmed to output three key variables.\r\nFigure 17: Modified PS Code\r\nFigure 18: Output Of The Modified PS Code\r\nStatic Analysis - Stage 3\r\nUsing the curl command, I was able to download the two zip files for further inspection.\r\nFigure 19: Using Curl\r\nInside the first zip file, there were five legitimate DLLs, while the second zip file contained a single EXE, which I focused on for analysis.\r\nFigure 20: Using PEStudio\r\nThe output from PEStudio indicates that there may be some form of process injection due to the presence of VirtualAlloc.\r\nFigure 21: Using CAPA\r\nDynamic Analysis - Stage 3\r\nWhile running the malware with ProcMon in the background, it was observed that, as suspected, the malware injects itself into ‘BitLockerToGo.exe,’ a legitimate file.\r\nFigure 22: Process Tree\r\nIn addition, as shown in Figure 23, there was a long sleep period of about 2 minutes after execution before the malware began its activity.\r\nFigure 23: ProcMon Long Sleep Period\r\nWhile running the malware in an isolated environment, numerous DNS requests to the attacker’s C2 server were observed, as shown in Figure 24.\r\nFigure 24: Using Wireshark To Capture Network Traffic\r\nIOCs\r\nHash:\r\nURL:\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/"
	],
	"report_names": [
		"LummaStealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6d0f56683e0bdd584cf6739deb3034104b61f8b.pdf",
		"text": "https://archive.orkl.eu/f6d0f56683e0bdd584cf6739deb3034104b61f8b.txt",
		"img": "https://archive.orkl.eu/f6d0f56683e0bdd584cf6739deb3034104b61f8b.jpg"
	}
}