Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 32-bit Windows platform, family LummaStealer
Trojan:Win32/LummaStealer.RH!MTB is a concrete detection for a variant of the Lumma Stealer malware, confirmed by machine learning behavioral analysis. This sophisticated info-stealer leverages advanced techniques like API hooking, LOLBIN abuse (mshta, regsvr32, rundll32, PowerShell), BITS jobs, and scheduled tasks for persistence, evasion, and ultimately, exfiltration of sensitive user data.
Relevant strings associated with this threat: - B.imports (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Trojan_Win32_LummaStealer_RH_2147848410_0
{
meta:
author = "threatcheck.sh"
detection_name = "Trojan:Win32/LummaStealer.RH!MTB"
threat_id = "2147848410"
type = "Trojan"
platform = "Win32: Windows 32-bit platform"
family = "LummaStealer"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "8"
strings_accuracy = "Low"
strings:
$x_1_1 = {40 00 00 42 2e 69 6d 70 6f 72 74 73 00 10 00 00 00 10 06 00 00 10 00 00 00 10 06 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60} //weight: 1, accuracy: High
$x_2_2 = {50 45 00 00 4c 01 05 00 fe 3b 2b 68 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0e 00 00 de 04 00 00 92 00 00 00 00 00 00 40 77 02 00 00 10} //weight: 2, accuracy: High
$x_5_3 = {55 89 e5 53 57 56 81 ec 24 08 00 00 8b 4d 08 8d 05 44 23 ?? ?? 89 85 d4 fa ff ff 0f b7 01 89 85 08 fe ff ff 8a 8d b8 fe ff ff 88 8d b4 fe ff ff c6 45 c4 8d c6 45 c5 9b c6 45 c6 42 c6 45 c7 43 31 c9 83 f9 04 73 4c} //weight: 5, accuracy: Low
condition:
(filesize < 20MB) and
(all of ($x*))
}c3972dc848367b7bb2d88efcf016585c055c744872b8373c18f71971d64ad2f8Immediately isolate the affected system to prevent further compromise and data exfiltration. Conduct a thorough full system scan with an updated antivirus/EDR, ensure all detected malicious files are removed, and meticulously review system logs for indicators of compromise. All potentially compromised credentials, especially for online services, banking, and cryptocurrency wallets, must be reset immediately.