MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
SHA3-384 hash: c6c36c4ee8376c9e900de7134d179e9116b3f5c216498586cb5d72745a0e342bae032b624145deed57f936c078124c48
SHA1 hash: 1bb241c228dad2e4482c5e935082630d37b427e9
MD5 hash: bfea28bd0963bc50c788309d1e1db49a
humanhash: north-river-fish-william
File name:f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
Download: download sample
Signature LummaStealer
Create hunting rule
File size:7'974'370 bytes
First seen:2024-10-30 12:28:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 49152:t7dD7tFJ/a0OJAgfnzUtakH5TCvj4IJmGxHWn861Plr18j5rGm/JdY+RKM1GcJke:tFWJ3nzEaOTsc2Ll886Jlr1pVs+/G
Threatray 13 similar samples on MalwareBazaar
TLSH T183861A313BA2C53FF5A156B1293DEA6E142D79210774A4CBD2844D1EE8B4AC34E36F27
TrID 42.6% (.EXE) Win32 Executable (generic) (4504/4/1)
19.4% (.ICL) Windows Icons Library (generic) (2059/9)
18.9% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 0194969696969669 (1 x LummaStealer)
Reporter JAMESWT_WT
Tags:exe LummaStealer Pincoo Network Technology Co Ltd

Intelligence

File Origin
# of uploads :
1
# of downloads :
418
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
Verdict:
Malicious activity
Analysis date:
2024-10-30 12:34:25 UTC
Tags:
jeefo lumma stealer
Link:
https://app.any.run/tasks/b5823e92-9849-4dc7-8f31-3547fcbe53e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672226958d23d9049131f2f1
Tags:
trojware exploit dropper swisyn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer lolbin obfuscated overlay packed packer_detected remote shell32 stealer visual_basic
Link:
https://www.filescan.io/uploads/67222691b9dd804e948cde3a/reports/b37efc7b-4b8e-489d-bab5-774d6ffeb3f1/overview
Verdict:
Malicious
Labled as:
Gosys.B
Link:
https://www.hybrid-analysis.com/sample/f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/316018a7-ead3-4f3b-b53c-28b49e508341
Result
Threat name:
LummaC, CryptOne, LummaC Stealer, Mofksy
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1545350
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545350 Sample: byamPER0Gx.exe Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 58 thumbystriw.store 2->58 60 presticitpo.store 2->60 62 7 other IPs or domains 2->62 72 Suricata IDS alerts for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 12 other signatures 2->78 11 byamPER0Gx.exe 1 3 2->11         started        15 svchost.exe 2->15 injected 17 explorer.exe 2->17         started        19 svchost.exe 2->19         started        signatures3 process4 file5 54 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 11->54 dropped 56 C:\Users\user\Desktop\byamper0gx.exe, PE32 11->56 dropped 118 Drops executables to the windows directory (C:\Windows) and starts them 11->118 21 icsys.icn.exe 3 11->21         started        25 byamper0gx.exe 11->25         started        120 Injects code into the Windows Explorer (explorer.exe) 15->120 28 consent.exe 2 15->28         started        30 explorer.exe 1 15->30         started        32 svchost.exe 1 15->32         started        signatures6 process7 dnsIp8 50 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 21->50 dropped 88 Antivirus detection for dropped file 21->88 90 Machine Learning detection for dropped file 21->90 92 Drops PE files with benign system names 21->92 34 explorer.exe 15 21->34         started        70 necklacedmny.store 188.114.97.3, 443, 49774, 49781 CLOUDFLARENETUS European Union 25->70 94 Query firmware table information (likely to detect VMs) 25->94 96 Found many strings related to Crypto-Wallets (likely being stolen) 25->96 98 Tries to harvest and steal browser information (history, passwords, etc) 25->98 102 2 other signatures 25->102 100 Writes to foreign memory regions 28->100 file9 signatures10 process11 dnsIp12 64 142.250.110.82, 49824, 49866, 49908 GOOGLEUS United States 34->64 66 googlecode.l.googleusercontent.com 142.251.173.82, 49805, 49850, 49893 GOOGLEUS United States 34->66 68 74.125.133.82, 49838, 49881, 49920 GOOGLEUS United States 34->68 48 C:\Windows\Resources\spoolsv.exe, MS-DOS 34->48 dropped 80 Antivirus detection for dropped file 34->80 82 System process connects to network (likely due to code injection or exploit) 34->82 84 Machine Learning detection for dropped file 34->84 86 Drops PE files with benign system names 34->86 39 spoolsv.exe 3 34->39         started        file13 signatures14 process15 file16 52 C:\Windows\Resources\svchost.exe, MS-DOS 39->52 dropped 104 Antivirus detection for dropped file 39->104 106 Machine Learning detection for dropped file 39->106 108 Drops PE files with benign system names 39->108 43 svchost.exe 2 2 39->43         started        signatures17 process18 signatures19 110 Antivirus detection for dropped file 43->110 112 Detected CryptOne packer 43->112 114 Machine Learning detection for dropped file 43->114 116 Drops executables to the windows directory (C:\Windows) and starts them 43->116 46 spoolsv.exe 1 43->46         started        process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025/
Threat name:
Win32.Trojan.Golsys
Create hunting rule
Status:
Malicious
First seen:
2024-10-27 04:05:30 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=64is6i3otoxc7iokoipodf45kxctbfconx5efpcywjihf4x2casq._file
Verdict:
malicious
Label(s):
mofksys
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
1707efe35749f4477db431f041481a46dd48d22431e6846f4e13bff760dc4033
LummaStealer
52de83987941b92875cecdd1661cc2757eae4f02ef564fd2e147d06eb9d8ab44
LummaStealer
575901f83294547395d2a53d741ecc756906c62a0d7e942890a23c833e0593de
LummaStealer
b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
LummaStealer
b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
LummaStealer
b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290
LummaStealer
caaf3aa8cf4db7b12a8d55186c30227c290a45a4c039c625ba0299a8b4db22d4
LummaStealer
d4771dbf9066fec456aba9736643c4f5b9578fdecb4a475e6aff737323e37fe4
LummaStealer
error
LummaStealer
f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
LummaStealer
+ 3 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion persistence stealer
Link:
https://tria.ge/reports/241030-pnw4jaskaz/
Behaviour
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Lumma Stealer, LummaC
Lumma family
Modifies visiblity of hidden/system files in Explorer
Malware Config
C2 Extraction:
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
Verdict:
Suspicious
Tags:
trojan
YARA:
Windows_Generic_Threat_7526f106 Windows_Generic_Threat_cbe3313a
Link:
https://app.threat.zone/submission/beb0d0c9-6a5c-435c-b752-40eb43180440
Unpacked files
SH256 hash:
a975c5675f764d52a8393972f7420e6b1c81c77b2bc3e496e82e2ffd205633b2
MD5 hash:
6c8e662d1930f8e326626bd75cc63728
SHA1 hash:
023b9a2c63aa9d7a6353bbfdecd882edf2e2ea4d
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/3ba7e295-f9a4-426e-b6f8-ce342030662d/
Parent samples :
f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
caaf3aa8cf4db7b12a8d55186c30227c290a45a4c039c625ba0299a8b4db22d4
SH256 hash:
530c726b7263b764c0b7a8257097858a15de1dc3ecf7d3c0f27a0dc505dc37a4
MD5 hash:
d904b79abbb2bb4b86594ef32d968230
SHA1 hash:
fac272f56b71a110b9ea6d07afc83dc393bf9d31
Link:
https://www.unpac.me/results/3ba7e295-f9a4-426e-b6f8-ce342030662d/
SH256 hash:
f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
MD5 hash:
bfea28bd0963bc50c788309d1e1db49a
SHA1 hash:
1bb241c228dad2e4482c5e935082630d37b427e9
Link:
https://www.unpac.me/results/3ba7e295-f9a4-426e-b6f8-ce342030662d/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f7112f236e9b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Windows_Generic_Threat_7526f106
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_cbe3313a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaCopyBytes
MSVBVM60.DLL::__vbaSetSystemError
MSVBVM60.DLL::__vbaExitProc
MSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen

Comments