Trojan:Win64/LummaStealer.ARR!MTB - Windows Defender Threat Analysis

This detection identifies LummaStealer, a potent information-stealing trojan designed to exfiltrate sensitive data from compromised systems. It targets browser credentials, system information, and cryptocurrency wallets. The '!MTB' suffix indicates this was identified through machine learning-based behavioral analysis, which has a low false positive risk.

No specific strings found for this threat

rule Trojan_Win64_LummaStealer_ARR_2147957815_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/LummaStealer.ARR!MTB"
        threat_id = "2147957815"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "LummaStealer"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "50"
        strings_accuracy = "Low"
    strings:
        $x_50_1 = {f3 41 0f 6f 02 49 83 c2 ?? 66 0f fc c1 41 0f 11 42 f0 49 39 c2 75}  //weight: 50, accuracy: Low
        $x_20_2 = {f3 0f 6f 0a 48 83 c2 ?? 66 0f 6f c1 66 0f 71 f0}  //weight: 20, accuracy: Low
        $x_30_3 = {41 f6 20 49 83 c0 ?? 41 88 40 ff 49 39 c8 75}  //weight: 30, accuracy: Low
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_30_*) and 1 of ($x_20_*))) or
            ((1 of ($x_50_*))) or
            (all of ($x*))
        )
}

Immediately isolate the affected system from the network. Perform a full scan with an updated antivirus solution to remove the threat. Change all passwords for any accounts accessed from the machine and monitor them for suspicious activity.