title: Lumma carrier disguised as MultiUpdate.exe
id: c1ae2a8e-93be-4e1c-9bc2-3f73a7fae8b2
status: experimental
description: |
    Detects an MFC executable masquerading as MultiCommander's MultiUpdate.exe but unsigned and beaconing to .shop / steamcommunity.com — the LummaC2 carrier described in https://versus.security/blog/lumma-stealer-reloc-trick.html
references:
    - https://versus.security/blog/lumma-stealer-reloc-trick.html
    - https://bazaar.abuse.ch/sample/eff51f995cd6463cd9b3a2ea4a14cc85e3cc5c1b5b71db6d90765b3df175abba
author: CSIRT Versus Security (B. Schmid)
date: 2025/02/14
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\MultiUpdate.exe'
            - '\AutoUpdate.exe'
        OriginalFileName: 'MultiUpdate.exe'
    filter_signed:
        SignatureStatus: Valid
        Signature|contains: 'Mathias Svensson' # Genuine MultiCommander publisher
    condition: selection and not filter_signed
falsepositives:
    - Genuine MultiCommander update — must be Authenticode-signed by Mathias Svensson
level: high
tags:
    - attack.defense_evasion
    - attack.t1036.005
    - attack.execution
    - attack.t1204.002
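The following is an added example, not part of this rule or of Versus Security's tooling: a minimal Python evaluator for the rule's `detection` block, run over a handful of constructed process_creation events. It assumes the event field names match those used in the rule (`Image`, `OriginalFileName`, `SignatureStatus`, `Signature`) and applies Sigma's default semantics (list values OR-ed, fields within one selection AND-ed, case-insensitive matching). The sample events are constructed for illustration, not real telemetry. It also makes the filter's behaviour explicit: because `filter_signed` requires both a valid signature status and the expected publisher, a validly signed binary from some other publisher still triggers the rule, while a genuine MultiCommander updater is suppressed.

```python
"""Evaluate the 'Lumma carrier disguised as MultiUpdate.exe' rule logic over
constructed process_creation events. Added example; field names are assumed
to mirror the rule, and all event data below is constructed."""
from typing import Any

# Mirrors the rule's `detection` block. Sigma semantics: a list of values is
# OR-ed, and every field inside one selection must match (AND).
SELECTION: dict[str, Any] = {
    "Image|endswith": ["\\MultiUpdate.exe", "\\AutoUpdate.exe"],
    "OriginalFileName": "MultiUpdate.exe",
}
FILTER_SIGNED: dict[str, Any] = {
    "SignatureStatus": "Valid",
    "Signature|contains": "Mathias Svensson",  # genuine MultiCommander publisher
}


def _field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one Sigma field spec (e.g. 'Image|endswith') against an event.
    A missing field never matches, which matters for the filter: an event with
    no Signature field cannot be whitelisted."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = str(cand).lower()
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
        if modifier == "" and value == cand:
            return True
    return False


def _block_matches(event: dict[str, Any], block: dict[str, Any]) -> bool:
    """All fields of a selection/filter block must match (Sigma AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_matches(event: dict[str, Any]) -> bool:
    """condition: selection and not filter_signed"""
    return _block_matches(event, SELECTION) and not _block_matches(event, FILTER_SIGNED)


def run_rule(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry). EventID is just a label here.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    # 1: genuine updater, validly signed by the real publisher -> suppressed
    {"EventID": 1, "Image": "C:\\Program Files\\MultiCommander\\MultiUpdate.exe",
     "OriginalFileName": "MultiUpdate.exe", "SignatureStatus": "Valid",
     "Signature": "Mathias Svensson"},
    # 2: unsigned copy in a user-writable path -> alert
    {"EventID": 2, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\MultiUpdate.exe",
     "OriginalFileName": "MultiUpdate.exe", "SignatureStatus": "Unavailable",
     "Signature": ""},
    # 3: renamed to AutoUpdate.exe, PE version info still says MultiUpdate.exe,
    #    no Signature field at all -> alert
    {"EventID": 3, "Image": "D:\\Downloads\\AutoUpdate.exe",
     "OriginalFileName": "MultiUpdate.exe", "SignatureStatus": "Unavailable"},
    # 4: validly signed, but by a different publisher -> still alerts
    {"EventID": 4, "Image": "C:\\Tools\\MultiUpdate.exe",
     "OriginalFileName": "MultiUpdate.exe", "SignatureStatus": "Valid",
     "Signature": "Some Other Publisher"},
    # 5: unrelated AutoUpdate.exe with its own OriginalFileName -> no match
    {"EventID": 5, "Image": "C:\\Program Files\\Foo\\AutoUpdate.exe",
     "OriginalFileName": "FooUpdater.exe", "SignatureStatus": "Valid",
     "Signature": "Foo Corp"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} Image={hit['Image']}")
```

Running the script reports events 2, 3 and 4. Event 5 shows why `OriginalFileName` is in the selection: plenty of legitimate software ships an `AutoUpdate.exe`, and the PE version string is what ties the image name back to MultiCommander's updater.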