The detection identifies potential Lumma Stealer activity through known IOCs associated with this malware family, indicating possible data exfiltration or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromises before significant damage occurs.
IOC Summary

Malware Family: Lumma Stealer
Total IOCs: 8
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://2flowers-my.xyz/c2sock | botnet_cc | 2026-06-06 | 100% |
| url | hxxp://vipcloud-my.xyz/c2sock | botnet_cc | 2026-06-06 | 100% |
| url | hxxp://gstatic-node.io/c2sock | botnet_cc | 2026-06-06 | 100% |
| url | hxxp://solopodvip-my.xyz/c2sock | botnet_cc | 2026-06-06 | 100% |
| url | hxxp://winhttp.dll/c2sock | botnet_cc | 2026-06-06 | 100% |
| url | hxxp://82[.]117[.]255[.]80/c2sock | botnet_cc | 2026-06-06 | 100% |
| url | hxxp://195[.]123[.]226[.]91/c2sock | botnet_cc | 2026-06-06 | 100% |
| url | hxxp://195[.]123[.]226[.]167/c2sock | botnet_cc | 2026-06-06 | 100% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Lumma Stealer
// Refanged forms of the IOCs listed above (hxxp -> http, [.] -> .)
let malicious_urls = dynamic([
    "http://2flowers-my.xyz/c2sock",
    "http://vipcloud-my.xyz/c2sock",
    "http://gstatic-node.io/c2sock",
    "http://solopodvip-my.xyz/c2sock",
    "http://winhttp.dll/c2sock",
    "http://82.117.255.80/c2sock",
    "http://195.123.226.91/c2sock",
    "http://195.123.226.167/c2sock"
]);
UrlClickEvents
// has_any performs term/substring matching, so a URL with extra query parameters still matches
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
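The IOC table above is defanged (hxxp://, [.]) while the KQL list must hold live values. The following helper, an added example and not part of the original page or of ThreatFox, refangs a sample of the table's URLs, splits their hosts into IPs and domains, and renders a KQL hunt that also covers the DeviceNetworkEvents table (its column names RemoteIP, RemoteUrl and DeviceName are standard Defender/Sentinel columns; the union layout is this example's own choice).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input: four of the defanged URL IOCs from the table above.
DEFANGED_IOCS = [
    "hxxp://2flowers-my.xyz/c2sock",
    "hxxp://vipcloud-my.xyz/c2sock",
    "hxxp://82[.]117[.]255[.]80/c2sock",
    "hxxp://195[.]123[.]226[.]91/c2sock",
]


def refang(ioc: str) -> str:
    """Reverse common defanging so the value matches what telemetry actually records."""
    s = ioc.strip()
    s = re.sub(r"(?i)^hxxp", "http", s)  # hxxp:// -> http://, hxxps:// -> https://
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def kql_list(values) -> str:
    """Render values as a KQL dynamic([...]) literal, escaping backslashes and quotes."""
    quoted = ['"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"' for v in values]
    return "dynamic([" + ", ".join(quoted) + "])"


def split_hosts(urls):
    """Separate URL hosts into IP addresses and domain names (each matched on a different column)."""
    ips, domains = set(), set()
    for u in urls:
        host = urlparse(u).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return sorted(ips), sorted(domains)


def build_hunt_query(defanged) -> str:
    """Build a KQL hunt over URL clicks and device network telemetry from defanged IOCs."""
    urls = [refang(i) for i in defanged]
    ips, domains = split_hosts(urls)
    return "\n".join([
        f"let malicious_urls = {kql_list(urls)};",
        f"let malicious_ips = {kql_list(ips)};",
        f"let malicious_domains = {kql_list(domains)};",
        "union",
        "  (UrlClickEvents | where Url has_any (malicious_urls)",
        '   | project Timestamp, Source="UrlClick", Subject=AccountUpn, Indicator=Url),',
        "  (DeviceNetworkEvents | where RemoteIP in (malicious_ips) or RemoteUrl has_any (malicious_domains)",
        '   | project Timestamp, Source="Network", Subject=DeviceName, Indicator=strcat(RemoteUrl, " ", RemoteIP))',
        "| order by Timestamp desc",
    ])
```

Paste the output of `build_hunt_query(DEFANGED_IOCS)` into Sentinel; regenerating it from the feed avoids hand-refanging errors when the IOC set changes.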
Scenario: Legitimate System Update via Windows Update
Description: A system update from Microsoft’s Windows Update service may include binaries or components that match the IOCs due to shared code or naming similarities.
Filter/Exclusion: Check the process.name field for svchost.exe or wuauserv.exe, and verify the process.parent.name is services.exe or explorer.exe.
Scenario: Scheduled Job for Log Management (e.g., Splunk, ELK Stack)
Description: A scheduled job running a log parsing or aggregation tool (e.g., splunkd, logstash) may execute scripts or binaries that match the IOCs due to similar file names or execution patterns.
Filter/Exclusion: Filter by process.name for splunkd.exe, logstash.jar, or elasticsearch.exe, and check the process.command_line for known log management tool arguments.
Scenario: Admin Task – PowerShell Script for Patch Management
Description: An admin may run a PowerShell script (e.g., PSConfig, PatchManager.exe) that uses similar command-line arguments or file paths as the malicious IOCs.
Filter/Exclusion: Filter by process.name for powershell.exe and check the process.command_line for known admin tools or patch management keywords like -Patch or -Update.
Scenario: Legitimate Antivirus or EDR Tool (e.g., CrowdStrike, SentinelOne)
Description: A legitimate endpoint detection and response (EDR) or antivirus tool may have components that match the IOCs due to shared libraries or similar behavior.
Filter/Exclusion: Filter by process.name for CrowdStrike.exe, SentinelOne.exe, or McAfeeVSE.exe, and check the `