Lumma detection update

kevoreilly · Mar 11, 2024 · 5c8e4e0 · 5c8e4e0
1 parent edcbf55
commit 5c8e4e0
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/analyzer/windows/data/yara/Lumma.yar b/analyzer/windows/data/yara/Lumma.yar
@@ -19,7 +19,7 @@ rule LummaRemap
  cape_options = "ntdll-remap=0"
  packed = "7972cbf2c143cea3f90f4d8a9ed3d39ac13980adfdcf8ff766b574e2bbcef1b4"
  strings:
- $remap = {C6 44 24 20 00 C7 44 24 1C C2 00 00 90 C7 44 24 18 00 00 FF D2 C7 44 24 14 00 BA 00 00 C7 44 24 10 B8 00 00 00 8B 01 89 44 24 11}
+ $remap = {C6 44 24 20 00 C7 44 24 1C C2 00 00 90 C7 44 24 18 00 00 FF D2 C7 44 24 14 00 BA 00 00 C7 44 24 10 B8 00 00 00 8B ?? 89 44 24 11}
  condition:
  uint16(0) == 0x5a4d and any of them
 }
diff --git a/data/yara/CAPE/Lumma.yar b/data/yara/CAPE/Lumma.yar
@@ -2,13 +2,14 @@ rule Lumma
 {
  meta:
  author = "kevoreilly"
- description = "Lumma config extraction"
+ description = "Lumma Payload"
  cape_type = "Lumma Payload"
  packed = "0ee580f0127b821f4f1e7c032cf76475df9724a9fade2e153a69849f652045f8"
  strings:
  $c2 = {B8 FF FF FF FF 0F 1F 84 00 00 00 00 00 80 7C [2] 00 8D 40 01 75 F6 C7 44 [2] 00 00 00 00 8D}
  $peb = {8B 44 24 04 85 C0 74 13 64 8B 0D 30 00 00 00 50 6A 00 FF 71 18 FF 15}
  $decode = {88 1F 47 0F B6 19 41 84 DB 75 F5 C6 07 00 0F B6 1E 84 DB 74 16 46 66 2E 0F 1F 84 00 00 00 00 00}
+ $remap = {C6 44 24 20 00 C7 44 24 1C C2 00 00 90 C7 44 24 18 00 00 FF D2 C7 44 24 14 00 BA 00 00 C7 44 24 10 B8 00 00 00 8B ?? 89 44 24 11}
  condition:
  uint16(0) == 0x5a4d and any of them
 }