The detection identifies potential Lumma Stealer activity through known IOCs associated with data exfiltration and credential theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 11
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | bahaisda.cyou | botnet_cc | 2026-05-10 | 100% |
| domain | privahtc.cyou | botnet_cc | 2026-05-10 | 100% |
| domain | brakyfaw.cyou | botnet_cc | 2026-05-10 | 100% |
| domain | fourdigs.cyou | botnet_cc | 2026-05-10 | 100% |
| domain | straigxo.cyou | botnet_cc | 2026-05-10 | 100% |
| domain | honceybl.cyou | botnet_cc | 2026-05-10 | 50% |
| domain | mexzicaj.cyou | botnet_cc | 2026-05-10 | 50% |
| domain | carytui.vu | botnet_cc | 2026-05-10 | 50% |
| domain | genxetia.cyou | botnet_cc | 2026-05-10 | 50% |
| domain | heavywbp.cyou | botnet_cc | 2026-05-10 | 50% |
| domain | pomflgf.vu | botnet_cc | 2026-05-10 | 50% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumma Stealer
let malicious_domains = dynamic(["bahaisda.cyou", "privahtc.cyou", "brakyfaw.cyou", "fourdigs.cyou", "straigxo.cyou", "honceybl.cyou", "mexzicaj.cyou", "carytui.vu", "genxetia.cyou", "heavywbp.cyou", "pomflgf.vu"]);
DnsEvents
// has_any matches whole terms, so subdomains of an IOC domain are also caught
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
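The same hunt can be reproduced offline against exported DNS logs, which is useful for validating the rule before it goes into Sentinel. The Python below is an added example and not part of the original page or of any Sentinel content: it reuses the page's ThreatFox domain list with its stated confidence values, matches queried names on DNS label boundaries (so `www.bahaisda.cyou` hits but `notbahaisda.cyou` does not, the same distinction `has_any` makes and a plain substring test would not), and adds a hypothetical `analysis_hosts` allowlist for the sandbox false-positive case. The DNS events are constructed sample records.

```python
"""Offline re-implementation of the DnsEvents hunt (added example, not page code)."""
from __future__ import annotations

from dataclasses import dataclass

# IOC list taken from the page's table, keyed by domain with its confidence.
LUMMA_DOMAINS: dict[str, int] = {
    "bahaisda.cyou": 100, "privahtc.cyou": 100, "brakyfaw.cyou": 100,
    "fourdigs.cyou": 100, "straigxo.cyou": 100, "honceybl.cyou": 50,
    "mexzicaj.cyou": 50, "carytui.vu": 50, "genxetia.cyou": 50,
    "heavywbp.cyou": 50, "pomflgf.vu": 50,
}


@dataclass(frozen=True)
class DnsEvent:
    """One DnsEvents row, mirroring the columns the KQL query projects."""
    time_generated: str
    computer: str
    name: str            # queried name (DnsEvents.Name)
    ip_addresses: str
    query_type: str


def match_ioc(name: str) -> str | None:
    """Return the IOC domain that `name` equals or is a subdomain of.

    Matching walks label boundaries: 'www.bahaisda.cyou' -> 'bahaisda.cyou',
    but 'notbahaisda.cyou' -> None. A naive substring check would match both.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in LUMMA_DOMAINS:
            return candidate
    return None


def hunt(events: list[DnsEvent], analysis_hosts: tuple[str, ...] = ()) -> list[dict]:
    """Return matching events, highest-confidence IOC first.

    `analysis_hosts` is a hypothetical allowlist of sandbox / analysis
    machines whose lookups are expected and therefore suppressed.
    """
    suppressed = {h.lower() for h in analysis_hosts}
    hits = []
    for ev in events:
        ioc = match_ioc(ev.name)
        if ioc is None or ev.computer.lower() in suppressed:
            continue
        hits.append({
            "TimeGenerated": ev.time_generated,
            "Computer": ev.computer,
            "Name": ev.name,
            "IPAddresses": ev.ip_addresses,
            "QueryType": ev.query_type,
            "IOC": ioc,
            "Confidence": LUMMA_DOMAINS[ioc],
        })
    # Sort by confidence, then newest first, like "order by ... desc".
    hits.sort(key=lambda h: (h["Confidence"], h["TimeGenerated"]), reverse=True)
    return hits


# Constructed sample records (not real telemetry); IPs are documentation ranges.
SAMPLE_EVENTS = [
    DnsEvent("2026-05-11T08:00:01Z", "WS-0412", "bahaisda.cyou", "203.0.113.10", "A"),
    DnsEvent("2026-05-11T08:00:05Z", "WS-0412", "www.honceybl.cyou", "203.0.113.11", "A"),
    DnsEvent("2026-05-11T08:01:00Z", "WS-0099", "notbahaisda.cyou", "198.51.100.7", "A"),
    DnsEvent("2026-05-11T08:02:00Z", "WS-0099", "updates.example.com", "198.51.100.9", "A"),
    DnsEvent("2026-05-11T08:03:00Z", "SANDBOX-01", "pomflgf.vu", "203.0.113.12", "A"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, analysis_hosts=("SANDBOX-01",)):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"],
              hit["IOC"], f"{hit['Confidence']}%")
```

Running it with the allowlist yields the two workstation hits (`bahaisda.cyou` at 100%, then `honceybl.cyou` at 50%); without the allowlist the sandbox lookup of `pomflgf.vu` is reported as well. The confidence column is what the KQL query lacks, and carrying it through lets the 50% domains be triaged separately from the 100% ones.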
Scenario: Legitimate Scheduled Job Running Lumma Stealer's Hash
Description: A scheduled job runs a script that hashes files as part of a legitimate data integrity check, and the hash matches known Lumma Stealer hashes.
Filter/Exclusion: `process.parent_process_name == "schtasks.exe" or process.command_line contains "integrity_check"`

Scenario: System Update or Patching Tool Using Lumma Stealer Hash
Description: A patching tool or system update utility uses a hash that coincidentally matches a known Lumma Stealer hash during a legitimate update process.
Filter/Exclusion: `process.name contains "WindowsUpdate" or process.name contains "patching_tool"`

Scenario: Admin Task Involving File Hashing for Forensic Purposes
Description: A system administrator hashes files as part of a forensic investigation or incident response, and the hash matches a Lumma Stealer IOC.
Filter/Exclusion: `user.name contains "admin" and (process.command_line contains "forensic" or process.command_line contains "incident_response")`

Scenario: Legitimate Log Management Tool Using Lumma Stealer Hash
Description: A log management tool (e.g., Splunk, ELK Stack) processes logs and generates a hash that matches a Lumma Stealer IOC.
Filter/Exclusion: `process.name contains "splunkd" or process.name contains "logstash"`

Scenario: Malware Analysis Environment with Known Lumma Stealer Hashes
Description: A sandbox or malware analysis environment contains known Lumma Stealer hashes as part of testing or analysis.
Filter/Exclusion: `process.parent_process_name contains "sandbox" or process.parent_process_name contains "analysis" or process.command_line contains "malware_analysis"`