Lumma Stealer Analysis

Malware Analysis
1

Hi, for this weekends analysis I decided to analyze the infamous Lumma Stealer malware. This analysis was quite fun and a little challenging and times but I think I did a half decent job of getting an understanding of how it works. The developers of this malware are big trolls haha, they left a lot of funny strings and comments within the binaries of their executable which was quite fun to find. Honestly it’s to bad these guys develop malware since with their humor it seems like we’d be friends haha. Anyways lets get into the analysis.

From reading other blog post’s about this malware it seems like it is a command and control piece of software that targets mainly browser passwords, crypto wallets and etc.

Download(At your own risk!):

https://bazaar.abuse.ch/download/59389ead2fa31decb31a25cfbe8d9859d831ef50bc21f9cde1aeb3c074b6d568/

Static Analysis:

Started off by of course getting a good high level view of the binary, it’s an x64 executable that wasn’t packed so that was quite nice of them since I didn’t have to go through a bunch of extra steps trying to unpack the binary.

We can see that this is definitely a x64 binary that was written in C/C++. It’s quite small only being 2.97 MiB’s.

DLL’s contained with the main binary:

Hashes of the binary:

As you can see the binary contains a section that is obfuscated called “m4lw43”, whoever wrote this is definitely a joker which made this analysis much more enjoyable.

Entropy of the file:

Timestamp:

Seems like this binary was compiled quite recently, but considering this can always be edited we can take that as a definite clue of when it was compiled.

One of my favorite parts about opening this binary in a hex editor revealed that they took the time to ensure that the first hexadecimal letters of the binary spelt out the word “hentai” lol. It almost seemed like a joke at this point of the analysis but it absolutely made this much more enjoyable to analyze.

Running a quick virus total scan also revealed that this is absolutely Lumma Stealer.

Some of the interesting imports from this binary include, registry key manipulation, process creation, dynamic loading of libraries, file manipulation, memory manipulation, privilege(token) manipulation, anti debugger functions, and some cryptographic imports which I found quite interesting. Assuming their using the cryptographic imports for more obfuscation or as a more secure way to transfer their stolen information back to their command and control.

Interesting Imports:

  • OpenProcessToken | Access Token Manipulation,implicit,-,ADVAPI32.dll
  • AdjustTokenPrivileges | Access Token Manipulation,implicit,-,ADVAPI32.dll
  • RegSetValueExW | Modify Registry,implicit,-,ADVAPI32.dll
  • CreateProcessW | Execution through API,implicit,-,KERNEL32.dll
  • LoadLibraryExW | Execution through API,implicit,-,KERNEL32.dll
  • CopyFileExW | Remote File Copy,implicit,-,KERNEL32.dll
  • IsDebuggerPresent | System Information Discovery,implicit,-,KERNEL32.dll
  • VirtualAllocEx | Process Injection,implicit,-,KERNEL32.dll
  • WriteProcessMemory | Process Injection,implicit,-,KERNEL32.dll
  • BCryptGenerateSymmetricKey | Obfuscated Files or Information,implicit,-,bcrypt.dll

Making a presumable guess off the import my mind immediately went to thinking that I am looking at some form of process injection just like last weeks analysis. One quite strange thing though was that this PE file had a “DotNetRuntimeDebugHeader” export within it, making me think that there is some form of embedded .NET file within the binary.

Running it through hybrid analysis also gave some clues on to what the binary does. While hybrid analysis was mostly right about the execution of this binary it misses some thing that we will see later in the analysis, but for now we can see that it creates a process known as “ilasm.exe” to inject into.

Next step was to use Ghidra to gain a more in depth understanding of how the binary operates. First thing I saw was some dynamic resolving of libraries and function as well as some debugger evasion techniques here:

We can also see that the binary creates a process in a suspended state, and then hollows it out using VirtualAlloc and writes its malicious code to that process. Lumma Stealer definitely uses process hollow injection which I was quite happy about since I’ve seen it a lot in my previous analyses.

Suspended Process Creation:

Process Hollow Injection:

The malware also performs privilege escalation but that could’ve been easily guessed just looking off the executable imports. It does this by first locking the pages of it’s memory to physical memory to prevent it from being written to this disk allowing it to stay within high speed RAM. At which point it assigns its token privilege to “SeDebugPrivilege” which allow it to escalate the processes privileges exploiting a tool used by Microsoft for system-level debugging.

It also uses bcrypt.dll’s functions to generate symmetric keys for obfuscation or secure communication with it’s command and control servers.

By also running it through x64dbg I found one of the PE files it writes to memory, though it was highly obfuscated it did contain a funny string that I found enjoyable to find haha. It was quite easy to dump from memory but sadly didn’t come up with much info about this malicious executable.

PE File In Memory:

Funny String Found In PE file Static Analysis:

As I said these dudes are definitely having fun with this, as the binary seems to keep popping up with more jokes, anyways it was at this point I opted to skip to the dynamic analysis of the binary.

Dynamic Analysis:

During the dynamic analysis the malwares executable seems to hollow out and inject into random processes it finds but it also consistently injects itself into “svchost.exe”, “aspnet_wp.exe”, and “lsass.exe”. I assume it injects itself into these Microsoft binaries to maintain stealthiness and attempt to edit registry keys and manipulate files without seeming to suspicious.

Using Procmon we definitely see the malicious binary create 2 processes “svchost.exe” and “aspnet_wp.exe” as well as read system files, it searches for things such as browser passwords and etc to steal. There was so many of them so I opted to only show 3 of the main ones.

  • ReadFile – C:\$Directory
  • Process Create – C:\Windows\System32\svchost.exe
  • Process Create – C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

Using Regshot we can see that the malware deletes a ton of registry keys mainly “HKLM\DRIVERS\DriverDatabase” keys, and adds 31 of its own keys to the systems registry.

Some of the most notable keys added are:

  • HKLM\SOFTWARE\Microsoft\IdentityCRL\ThrottleCache\S-1-5-21-769274696-41944572-4139179709-1001_S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757 // Allowing them to bypass security mechanisms by impersonating legitimate users
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\TiRunning // Allows them to manipulate system components, install/uninstall programs and modify system configs silently
  • HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\2700
  • HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\5100 // Suppresses error reporting for the system
  • HKLM\SYSTEM\CurrentControlSet\Control\CI\Aggregation // Manipulates coding signing inforcement on the system allowing execution of unsigned code
  • HKU\S-1-5-21-769274696-41944572-4139179709-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\QuietHours // Suppresses notifications that could potentially alert the user of the malwares presence within the system

Using Sysinternal I didn’t see much added but they did add this WinDivert 1.3 to the drivers services, I am assuming they are using this as persistence for the malware.

One thing that helped us confirm that they inject into Svchost.exe was finding the control server addresses within the running memory of the executable.

Approaching the end of this the last thing to analyze was the fake network I setup to catch the command and control server addresses the binary attempts to reach out to. Using the executables the malware injects into they all attempt to reach out to the C&C servers and the binary will refuse to run unless it receives a response from them. Here is a list of them:

  • sweetsquarediaslw.shop
  • acceptabledcooeprs.shop
  • obsceneclassyjuwks.shop
  • zippyfinickysofwps.shop
  • miniaturefinerninewjs.shop
  • plaintediousidowsko.shop
  • sweetsquarediaslw.shop
  • holicisticscrarws.shop
  • boredimperissvieos.shop

The malicious executable reaches out using DNS queries and random ports on the system ranging from 50000 and up. We can see this in more detail within the Wireshark capture of the malicious binary.

This was the end of the analysis, we can see that Lumma Stealer uses process hollow injection to inject into the three processes of “svchost”, “aspnet_wp” and “lsass”, it looks for browser data and stored passwords and connects back to its long list of command and control servers. We can also see that using registry manipulation the malware hides itself as a windows unsigned driver for persistence and it uses registry key manipulation to avoid detection and hinder any notification of the malwares presence to the user. This was definitely a enjoyable analysis and if you have any questions or see any errors within the post please contact my email in the About section of the website. Thanks for reading!

Article Link: Lumma Stealer Analysis – CyberForensics