Summary: 2025/04/29 04:48
First reported date: 2015/03/18
Inquiry period : 2025/04/28 04:48 ~ 2025/04/29 04:48 (1 days), 1 search results
지난 7일 기간대비 -100% 낮은 트렌드를 보이고 있습니다.
지난 7일 기간대비 상승한 Top5 연관 키워드는 Tofsee XWorm AsyncRAT neconyd snake 입니다.
Lumma is an information stealer written in C, sold as a Malware-as-a-Service by LummaC on Russian-speaking underground forums and Telegram since at least August 2022. Lumma's capabilities are those of a classic stealer, with a focus on cryptocurrency wallets, and file grabber capabilities. - malpedia
참고로 동일한 그룹의 악성코드 타입은 FormBook QakBot RedLine 등 101개 종이 확인됩니다.
Trend graph by period
Related keyword cloud
Top 100| # | Trend | Count | Comparison |
|---|---|---|---|
| 1 | Lumma | 1 | ▼ -1 (-100%) |
| 2 | Tofsee | 1 | ▲ 1 (100%) |
| 3 | XWorm | 1 | ▲ 1 (100%) |
| 4 | AsyncRAT | 1 | ▲ 1 (100%) |
| 5 | neconyd | 1 | ▲ 1 (100%) |
| 6 | snake | 1 | ▲ 1 (100%) |
| 7 | Remcos | 1 | ▲ 1 (100%) |
| 8 | Amadey | 1 | ▲ 1 (100%) |
| 9 | FormBook | 1 | ▲ 1 (100%) |
| 10 | AgentTesla | 1 | ▲ 1 (100%) |
| 11 | Top | 1 | ▲ 1 (100%) |
| 12 | last | 1 | ▲ 1 (100%) |
| 13 | NetWireRC | 1 | ▲ 1 (100%) |
| 14 | Advertising | 1 | ▲ 1 (100%) |
Special keyword group
Top 5
Attacker & Actors
The status of the attacker or attack group being issued.
No data.
Technique
This is an attack technique that is becoming an issue.
No data.
Country & Company
This is a country or company that is an issue.
No data.
Malware Family
Top 5
A malware family is a group of applications with similar attack techniques.
In this trend, it is classified into Ransomware, Stealer, RAT or Backdoor, Loader, Botnet, Cryptocurrency Miner.
Threat info
Last 5SNS
(Total : 1)
Total keyword
Lumma XWorm AsyncRAT Remcos Amadey FormBook AgentTesla NetWireRC Advertising
News
(Total : 0)No data.
Additional information
| No | Title | Date |
|---|---|---|
| 1 | FBI Reports ₹1.38 Lakh Crore Loss in 2024, a 33% Surge from 2023 - Malware.News | 2025.04.29 |
| 2 | US intensifies Salt Typhoon crackdown with public info request - Malware.News | 2025.04.29 |
| 3 | Trump moves threaten US cyber defenses, says former CISA director Easterly - Malware.News | 2025.04.29 |
| 4 | Escalating attacks against Ivanti VPN appliances expected - Malware.News | 2025.04.29 |
| 5 | Critical Planet Technology switch vulnerabilities pose total takeover risk - Malware.News | 2025.04.29 |
| View only the last 5 | ||
| No | Title | Date |
|---|---|---|
| 1 | Private: Stealing the Future: Infostealers Power Cybercrime in 2025 - Malware.News | 2025.04.23 |
| 2 | Private: Stealing the Future: Infostealers Power Cybercrime in 2025 - Malware.News | 2025.04.23 |
| 3 | Private: Stealing the Future: Infostealers Power Cybercrime in 2025 - Malware.News | 2025.04.23 |
| 4 | Private: Stealing the Future: Infostealers Power Cybercrime in 2025 - Malware.News | 2025.04.23 |
| 5 | Lumma Stealer – Tracking distribution channels - Malware.News | 2025.04.21 |
| View only the last 5 | ||
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | A process attempted to delay the analysis task. |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Attempts to create or modify system certificates |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Checks for the presence of known devices from debuggers and forensic tools |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the CPU name from registry |
| watch | Checks the version of Bios |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects the presence of Wine emulator |
| watch | Detects VMWare through the in instruction feature |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Installs itself for autorun at Windows startup |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the processes axplong.exe |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Creates executable files on the filesystem |
| notice | Creates hidden or system file |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Expresses interest in specific running processes |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Repeatedly searches for a not-found process |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Starts servers listening |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
| Network | ET DNS Query to a *.top domain - Likely Hostile |
| Network | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 |
| Network | ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity |
| Network | ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity |
| Network | ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity |
| Network | ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity |
| Network | ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity |
| Network | ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity |
| Network | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
| Network | ET INFO Dotted Quad Host DLL Request |
| Network | ET INFO EXE - Served Attached HTTP |
| Network | ET INFO Executable Download from dotted-quad Host |
| Network | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| Network | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) |
| Network | ET INFO HTTP Request to a *.top domain |
| Network | ET INFO Packed Executable Download |
| Network | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in |
| Network | ET MALWARE Possible Kelihos.F EXE Download Common Structure |
| Network | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 |
| Network | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 |
| Network | ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 |
| Network | ET MALWARE Win32/Stealc Requesting browsers Config from C2 |
| Network | ET MALWARE Win32/Stealc Requesting plugins Config from C2 |
| Network | ET MALWARE Win32/Stealc Submitting System Information to C2 |
| Network | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 |
| Network | ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io) |
| Network | ET POLICY PE EXE or DLL Windows file download HTTP |
| Network | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
| No | Category | URL | CC | ASN Co | Date |
|---|---|---|---|---|---|
| 1 | c2 | https://steamcommunity.com/profiles/76561199822375128 | US  | AKAMAI-AS | 2025.03.31 |
| 2 | c2 | https://lunoxorn.top/gkELsop | US | CLOUDFLARENET | 2025.03.31 |
| 3 | c2 | http://49.13.143.126/ | DE  | Hetzner Online GmbH | 2025.03.31 |
| 4 | c2 | https://65.21.246.249/ | US | 2025.03.31 | |
| 5 | c2 | https://zefnecho.cyou/api | 2025.02.19 | ||
| View only the last 5 | |||||
| No | URL | CC | ASN Co | Reporter | Date |
|---|---|---|---|---|---|
| 1 | https://undo.sg/file.exe Lumma lummac LummaStealer stealer | UA  | anonymous | 2025.04.25 | |
| 2 | https://www.dropbox.com/scl/fi/xfme3jj5rgt6u5ig7he70/CapCut-Pro.rar?rlkey=ndad0985or8n5rokxmb0pz5k0&... Lumma LummaStealer stealer | US | DROPBOX | iLikeMalware | 2025.04.13 |
| 3 | https://sites.google.com/view/robloxfree2025/roblox-free-hack Lumma LummaStealer stealer | US | iLikeMalware | 2025.04.13 | |
| 4 | https://drive.google.com/file/d/11SRBeq-5b2C7gf5Z24SzNiSxCTSHONLJ/view Lumma LummaStealer stealer | US | iLikeMalware | 2025.04.13 | |
| 5 | https://github.com/Fortnite-Wallhacks-2025/.github/releases/tag/files Lumma LummaStealer stealer | US | MICROSOFT-CORP-MSN-AS-BLOCK | iLikeMalware | 2025.04.13 |
| View only the last 5 | |||||
Beta Service, If you select keyword, you can check detailed information.