Query Details

Lumma Stealer Using Tesla Browser Useragent

Query

# Detect lumma stealer using TeslaBrowser user agent

## Description

Lumma Stealer, an information stealer whose activity has been on the rise, has been observed issuing HTTP GET requests with the user agent "TeslaBrowser/5.5". The query below surfaces outbound HTTP GET requests whose user agent contains that string.

### References
- https://app.any.run/tasks/7e7728b7-9fa6-4978-99f9-b5789aa31a0a/
- https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer

### Microsoft 365 Defender & Microsoft Sentinel
```
// Lumma Stealer: outbound HTTP GET requests carrying a TeslaBrowser user agent
DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
// AdditionalFields is a JSON string; pull out the HTTP metadata we filter on
| extend json = todynamic(AdditionalFields)
| extend direction = tostring(json.direction), method = tostring(json.method), user_agent = tostring(json.user_agent)
| where direction == "Out"
| where method == "GET"
| where user_agent contains @"TeslaBrowser"   // contains is case-insensitive
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl
| sort by Timestamp desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 26/09/2023    | Initial publish                        |

Explanation

The query looks for Lumma Stealer activity by its "TeslaBrowser/5.5" user agent. It starts from DeviceNetworkEvents rows of type HttpConnectionInspected, parses the AdditionalFields JSON to obtain the direction, HTTP method and user agent, and keeps outbound GET requests whose user agent contains "TeslaBrowser" (the `contains` operator is case-insensitive, so "teslabrowser" would match as well). For each match it returns the timestamp, device name, remote IP, remote port and remote URL, sorted newest first. Two caveats: HttpConnectionInspected events are only produced for connections that Defender's network inspection can see (plaintext HTTP), so the same malware talking over TLS will not show a user agent here; and a user agent is a trivially changed indicator, so treat hits as hunting leads and pivot on the RemoteIP and RemoteUrl values rather than relying on the string alone.
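To show the same filtering logic outside of KQL, here is an added example (not part of the original query or the author's work) that applies the detection to a handful of constructed DeviceNetworkEvents-style records. The records, device names, IPs and URLs are invented for the example; the field names mirror the table and the AdditionalFields JSON the query parses. The function also mirrors KQL semantics: `==` comparisons on direction and method are case-sensitive, while the user-agent match is case-insensitive like `contains`.

```python
import json

# Constructed sample rows in the shape of DeviceNetworkEvents (not real telemetry).
# AdditionalFields is a JSON string in the real table, so it is kept as a string here.
def _af(direction, method, user_agent):
    return json.dumps({"direction": direction, "method": method, "user_agent": user_agent})

SAMPLE_EVENTS = [
    # Expected hit: outbound GET with the Lumma user agent
    {"Timestamp": "2023-09-25T10:01:00Z", "DeviceName": "ws01.corp.example",
     "ActionType": "HttpConnectionInspected", "RemoteIP": "203.0.113.10", "RemotePort": 80,
     "RemoteUrl": "http://c2.example.test/api", "AdditionalFields": _af("Out", "GET", "TeslaBrowser/5.5")},
    # Excluded: POST, the query only keeps GET
    {"Timestamp": "2023-09-25T10:02:00Z", "DeviceName": "ws01.corp.example",
     "ActionType": "HttpConnectionInspected", "RemoteIP": "203.0.113.10", "RemotePort": 80,
     "RemoteUrl": "http://c2.example.test/api", "AdditionalFields": _af("Out", "POST", "TeslaBrowser/5.5")},
    # Excluded: inbound connection
    {"Timestamp": "2023-09-25T10:03:00Z", "DeviceName": "srv01.corp.example",
     "ActionType": "HttpConnectionInspected", "RemoteIP": "198.51.100.7", "RemotePort": 80,
     "RemoteUrl": "http://srv01.corp.example/", "AdditionalFields": _af("In", "GET", "TeslaBrowser/5.5")},
    # Excluded: ordinary browser user agent
    {"Timestamp": "2023-09-25T10:04:00Z", "DeviceName": "ws03.corp.example",
     "ActionType": "HttpConnectionInspected", "RemoteIP": "192.0.2.20", "RemotePort": 80,
     "RemoteUrl": "http://intranet.example.test/", "AdditionalFields": _af("Out", "GET", "Mozilla/5.0")},
    # Excluded: not an HTTP inspection event, so there is no HTTP metadata to parse
    {"Timestamp": "2023-09-25T10:04:30Z", "DeviceName": "ws03.corp.example",
     "ActionType": "ConnectionSuccess", "RemoteIP": "192.0.2.20", "RemotePort": 443,
     "RemoteUrl": "", "AdditionalFields": "{}"},
    # Expected hit: lower-case variant still matches because the match is case-insensitive
    {"Timestamp": "2023-09-25T10:05:00Z", "DeviceName": "ws02.corp.example",
     "ActionType": "HttpConnectionInspected", "RemoteIP": "203.0.113.11", "RemotePort": 8080,
     "RemoteUrl": "http://c2b.example.test/upload", "AdditionalFields": _af("Out", "GET", "teslabrowser/5.5")},
]


def parse_additional_fields(raw):
    """todynamic() equivalent: return a dict, or {} when the field is empty or not valid JSON."""
    if not raw:
        return {}
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    return parsed if isinstance(parsed, dict) else {}


def detect_teslabrowser_ua(events, needle="TeslaBrowser"):
    """Return the projected rows the KQL query would return, newest first."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "HttpConnectionInspected":
            continue
        fields = parse_additional_fields(ev.get("AdditionalFields"))
        # `== "Out"` and `== "GET"` in KQL are case-sensitive string comparisons
        if str(fields.get("direction", "")) != "Out" or str(fields.get("method", "")) != "GET":
            continue
        user_agent = str(fields.get("user_agent", ""))
        # `contains` in KQL is a case-insensitive substring match
        if needle.lower() not in user_agent.lower():
            continue
        hits.append({
            "Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
            "RemoteIP": ev["RemoteIP"], "RemotePort": ev["RemotePort"], "RemoteUrl": ev["RemoteUrl"],
        })
    # ISO-8601 UTC timestamps sort correctly as strings; `sort by Timestamp desc`
    hits.sort(key=lambda h: h["Timestamp"], reverse=True)
    return hits


if __name__ == "__main__":
    for row in detect_teslabrowser_ua(SAMPLE_EVENTS):
        print(row)
```

Running the block prints the two expected hits, ws02 first because it is the more recent. Swapping the `needle` argument lets you reuse the same filter for other suspicious user agents when triaging a new sample.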

Details

Michalis Michalos

Released: September 26, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,HttpConnectionInspected,AdditionalFields,direction,method,user_agent,Out,GET,TeslaBrowser,Timestamp,DeviceName,RemoteIP,RemotePort,RemoteUrl

Operators

where, extend, tostring, contains, project, sort by