Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform: 32-bit Windows, family: LummaStealer
Trojan:Win32/LummaStealer is a high-impact information-stealing malware designed to harvest sensitive data from compromised systems. It targets credentials from web browsers, cryptocurrency wallets, system information, and other personal files, exfiltrating the stolen data to attacker-controlled servers. The detection is concrete and corroborated by external threat intelligence, indicating an active and dangerous threat.
No specific strings found for this threat
rule Trojan_Win32_LummaStealerClick_A_2147931073_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/LummaStealerClick.A!MTB"
        threat_id = "2147931073"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "LummaStealerClick"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_CMDHSTR_EXT"
        threshold = "5"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "powershell" wide //weight: 1
        $x_1_2 = "-split ($" wide //weight: 1
        $x_1_3 = ".CreateDecryptor(" wide //weight: 1
        $x_1_4 = "-replace" wide //weight: 1
        $x_1_5 = ".Substring(" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

e132be181eb9a803a95b4009de529fa1db1ccc7b8fc8b19dc17d1b9eb26bac14
1e60a4c5b20946ed54ccefa96a03f93ad6873b494e14a30249eb9d31f22ac1dd
13d2b769d5296310c2c0edbb6474a981d022eed4bfa78dcc2527b62935827ae5

Immediately isolate the affected endpoint from the network to prevent further data exfiltration or lateral movement. Run a full antivirus scan to remove all malicious components. Since this is an information stealer, reset all passwords and invalidate session tokens for any accounts accessed from the compromised machine, and closely monitor for fraudulent activity.