The detection identifies potential Lumma Stealer activity through known IOCs, indicating an adversary may be exfiltrating data or establishing persistence. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage compromises in their Azure Sentinel environment.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 2
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | modedapk.net | botnet_cc | 2026-05-05 | 50% |
| ip:port | 205[.]196[.]123[.]189:443 | botnet_cc | 2026-05-05 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Lumma Stealer
let malicious_ips = dynamic(["205.196.123.189"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["205.196.123.189"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Lumma Stealer
let malicious_domains = dynamic(["modedapk.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Software Update via SCCM
Description: A system administrator uses Microsoft System Center Configuration Manager (SCCM) to deploy a legitimate software update that includes a file matching a Lumma Stealer IOC.
Filter/Exclusion: Exclude files signed by Microsoft or associated with SCCM update packages, using the file signer field or a process.name containing “SCCM”.
Scenario: Scheduled Backup Job Using Veeam
Description: A scheduled backup job using Veeam Backup & Replication generates a temporary file that matches a Lumma Stealer IOC due to similar naming conventions.
Filter/Exclusion: Exclude files with the .vmb or .vbk extensions, or filter by process.name containing “Veeam” or “backup”.
Scenario: Admin Task Using PowerShell for System Monitoring
Description: A system administrator runs a PowerShell script using PowerShell.exe to monitor system performance, which inadvertently creates a file matching a Lumma Stealer IOC.
Filter/Exclusion: Exclude processes with process.name equal to “PowerShell.exe” and user field matching the admin account (e.g., “Administrator”).
Scenario: Legitimate File from a Trusted Repository
Description: A file from a trusted repository (e.g., GitHub, GitLab) is downloaded via wget or curl and matches a Lumma Stealer IOC due to similar hash values.
Filter/Exclusion: Exclude files with a source field indicating a trusted repository or process.name containing “wget” or “curl”.
Scenario: Temporary File Created by a Legitimate Application
Description: A legitimate application (e.g., Adobe Acrobat) creates a temporary file that matches a Lumma Stealer IOC due to similar file structure or naming.
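The following Python script is an added example, not part of the original hunting page or any Microsoft or ThreatFox code. It takes the IOC rows from the summary table in their published defanged form, refangs them, splits the ip:port entry into the bare IP that the KQL queries match on, renders the `dynamic([...])` list the queries expect, and then replays the same matching logic over a few constructed DeviceNetworkEvents/DnsEvents-style records. Hits whose initiating process matches the SCCM/Veeam/backup process-name exclusions from the false-positive scenarios are flagged rather than dropped, so an analyst can still review them. All sample events and the exclusion substrings are constructed for illustration.

```python
# Added example for the Lumma Stealer hunt above (not the page's own code).
# Refangs the published IOC rows, renders the KQL IOC list, and replays the
# matching logic over constructed telemetry, tagging hits that fall under the
# process-name exclusions from the false-positive scenarios.

# IOC rows as published in the summary table (defanged form preserved)
IOC_ROWS = [
    {"type": "domain", "value": "modedapk.net", "confidence": 50},
    {"type": "ip:port", "value": "205[.]196[.]123[.]189:443", "confidence": 100},
]

# Process-name fragments from the false-positive scenarios (assumed values)
EXCLUDED_PROCESS_SUBSTRINGS = ("sccm", "veeam", "backup")

# Constructed telemetry in the shape of DeviceNetworkEvents / DnsEvents rows
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-05T10:01:00Z", "DeviceName": "ws-042",
     "RemoteIP": "205.196.123.189", "RemotePort": 443,
     "InitiatingProcessFileName": "updater.exe"},
    {"Timestamp": "2026-05-05T10:02:00Z", "DeviceName": "ws-042",
     "DnsName": "cdn.modedapk.net", "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-05-05T10:03:00Z", "DeviceName": "srv-01",
     "RemoteIP": "205.196.123.189", "RemotePort": 443,
     "InitiatingProcessFileName": "VeeamAgent.exe"},
    {"Timestamp": "2026-05-05T10:04:00Z", "DeviceName": "ws-007",
     "RemoteIP": "10.0.0.5", "RemotePort": 443,
     "InitiatingProcessFileName": "outlook.exe"},
]

def refang(value: str) -> str:
    """Undo the common defanging conventions so the value can be matched."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def build_ioc_sets(rows, min_confidence=0):
    """Split IOC rows into IP and domain sets; ip:port rows keep only the IP,
    mirroring the KQL above, which matches RemoteIP without the port."""
    ips, domains = set(), set()
    for row in rows:
        if row["confidence"] < min_confidence:
            continue
        value = refang(row["value"])
        if row["type"] == "ip:port":
            ip, _, _port = value.rpartition(":")
            ips.add(ip)
        elif row["type"] == "ip":
            ips.add(value)
        elif row["type"] == "domain":
            domains.add(value.lower())
    return ips, domains

def kql_dynamic(values):
    """Render a set of strings as the dynamic([...]) literal used in the queries."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"

def render_network_query(ips):
    """Produce the DeviceNetworkEvents hunt with the IOC list filled in."""
    return "\n".join([
        f"let malicious_ips = {kql_dynamic(ips)};",
        "DeviceNetworkEvents",
        "| where RemoteIP in (malicious_ips)",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, "
        "InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])

def domain_matches(name, domains):
    """Exact or subdomain match, approximating KQL's term-based has_any."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in domains)

def match_events(events, ips, domains):
    """Return IOC hits; exclusions are recorded as a flag so an analyst can
    still review them rather than having them silently suppressed."""
    hits = []
    for ev in events:
        if ev.get("RemoteIP") in ips:
            reason = "ip"
        elif ev.get("DnsName") and domain_matches(ev["DnsName"], domains):
            reason = "domain"
        else:
            continue
        proc = ev.get("InitiatingProcessFileName", "").lower()
        excluded = any(s in proc for s in EXCLUDED_PROCESS_SUBSTRINGS)
        hits.append({**ev, "reason": reason, "excluded": excluded})
    return hits

def hunt(min_confidence=0):
    """Full pipeline over the constructed sample: IOC sets -> hits."""
    ips, domains = build_ioc_sets(IOC_ROWS, min_confidence)
    return match_events(SAMPLE_EVENTS, ips, domains)

if __name__ == "__main__":
    print(render_network_query(build_ioc_sets(IOC_ROWS)[0]))
    for hit in hunt():
        flag = " (excluded by process-name filter)" if hit["excluded"] else ""
        print(f"{hit['Timestamp']} {hit['DeviceName']} {hit['reason']}{flag}")
```

Running the script prints the generated DeviceNetworkEvents query and three hits: two plain IOC matches and one connection from a Veeam process that the exclusion would suppress. Passing `min_confidence=75` to `hunt()` drops the 50%-confidence domain IOC and leaves only the two IP hits, which is the kind of threshold an analyst might apply before turning a hunt into a scheduled analytics rule.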