The detection identifies potential Lumma Stealer activity through known IOCs associated with this malware family, indicating possible data exfiltration or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats before significant data loss or network compromise occurs.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 20
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | afejoed.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | analipr.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | brorgma.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | coneogz.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | driplin.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | famiszp.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | elgccyx.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | genuoei.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | leypuuq.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | obnusho.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | plitofa.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | thuqxer.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | tramoqj.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | vidtihe.cyou | botnet_cc | 2026-04-24 | 75% |
| domain | jugbphm.click | botnet_cc | 2026-04-24 | 75% |
| domain | longmbx.click | botnet_cc | 2026-04-24 | 75% |
| domain | decrnoj.club | botnet_cc | 2026-04-24 | 75% |
| domain | tangmwp.club | botnet_cc | 2026-04-24 | 75% |
| domain | strikql.shop | botnet_cc | 2026-04-24 | 75% |
| domain | ulmudhw.shop | botnet_cc | 2026-04-24 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumma Stealer
let malicious_domains = dynamic(["afejoed.cyou", "analipr.cyou", "brorgma.cyou", "coneogz.cyou", "driplin.cyou", "famiszp.cyou", "elgccyx.cyou", "genuoei.cyou", "leypuuq.cyou", "obnusho.cyou", "plitofa.cyou", "thuqxer.cyou", "tramoqj.cyou", "vidtihe.cyou", "jugbphm.click", "longmbx.click", "decrnoj.club", "tangmwp.club", "strikql.shop", "ulmudhw.shop"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
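The same hunt can be reproduced offline against exported DNS logs, for example to triage before the Sentinel connector is in place. The following is an added example (not part of the original detection) that matches query names against the IOC set above on label boundaries, so `cdn.afejoed.cyou` is a hit but `notafejoed.cyou` is not, and groups hits per host. The sample rows are constructed and the `hunt` and `matched_ioc` helpers are this example's own.

```python
from collections import defaultdict

# IOC domains from the ThreatFox Lumma Stealer set on this page.
LUMMA_DOMAINS = {
    "afejoed.cyou", "analipr.cyou", "brorgma.cyou", "coneogz.cyou",
    "driplin.cyou", "famiszp.cyou", "elgccyx.cyou", "genuoei.cyou",
    "leypuuq.cyou", "obnusho.cyou", "plitofa.cyou", "thuqxer.cyou",
    "tramoqj.cyou", "vidtihe.cyou", "jugbphm.click", "longmbx.click",
    "decrnoj.club", "tangmwp.club", "strikql.shop", "ulmudhw.shop",
}

def normalize(name: str) -> str:
    """Lower-case a DNS query name and strip the trailing root dot."""
    return name.strip().lower().rstrip(".")

def matched_ioc(name: str, iocs=LUMMA_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.
    Walking the label suffixes avoids substring hits such as notafejoed.cyou."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def hunt(events, iocs=LUMMA_DOMAINS):
    """Mirror the KQL hunt: keep rows whose query name hits an IOC and
    return {host: {matched_domain: query_count}} for analyst triage."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        ioc = matched_ioc(ev["Name"], iocs)
        if ioc:
            hits[ev["Computer"]][ioc] += 1
    return {host: dict(doms) for host, doms in hits.items()}

# Constructed sample DnsEvents-style rows (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-04-24T10:01:00Z", "Computer": "WS-014", "Name": "afejoed.cyou", "QueryType": "A"},
    {"TimeGenerated": "2026-04-24T10:01:05Z", "Computer": "WS-014", "Name": "cdn.AFEJOED.cyou.", "QueryType": "A"},
    {"TimeGenerated": "2026-04-24T10:02:00Z", "Computer": "WS-022", "Name": "notafejoed.cyou", "QueryType": "A"},
    {"TimeGenerated": "2026-04-24T10:03:00Z", "Computer": "WS-022", "Name": "strikql.shop", "QueryType": "AAAA"},
    {"TimeGenerated": "2026-04-24T10:04:00Z", "Computer": "SRV-01", "Name": "login.microsoftonline.com", "QueryType": "A"},
]

if __name__ == "__main__":
    for host, doms in hunt(SAMPLE_EVENTS).items():
        print(host, doms)  # WS-014 {'afejoed.cyou': 2} / WS-022 {'strikql.shop': 1}
```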
Scenario: Legitimate scheduled job for system cleanup using Sysinternals Process Explorer
Filter/Exclusion: Exclude processes named process.explorer.exe or paths containing C:\Program Files\sysinternals\
Scenario: Admin task to update Microsoft Endpoint Protection definitions via scheduled task
Filter/Exclusion: Exclude processes with mpengine.exe or paths containing C:\Windows\System32\mpengine.exe
Scenario: Use of PowerShell to generate reports for system performance monitoring
Filter/Exclusion: Exclude PowerShell scripts executed from C:\Windows\System32\ or with powershell.exe in the command line
Scenario: Legitimate use of Windows Task Scheduler to run PowerShell scripts for log management
Filter/Exclusion: Exclude tasks scheduled under Task Scheduler with powershell.exe and paths containing C:\Windows\System32\WindowsPowerShell\v1.0\
Scenario: Use of Wireshark for network traffic analysis in the security operations center
Filter/Exclusion: Exclude processes named wireshark.exe or paths containing C:\Program Files\Wireshark\