MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02ab409a3fa69005878bcd00d41f32330073e5606d60b7635fd970e92acdead0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02ab409a3fa69005878bcd00d41f32330073e5606d60b7635fd970e92acdead0
SHA3-384 hash: 36ec0fc0eaba5eb02e054dc6be6ceb0e4bd06a956867565c784afdbce3572afada05310aa1a4710aa5141d148f53c243
SHA1 hash: 4c2dee1f184842944ad18cc361f4299ba3eaae25
MD5 hash: c05e1fe3e6a317c0572dffb6fb373b2c
humanhash: magazine-asparagus-dakota-seven
File name:tjigfd64.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:14'042'778 bytes
First seen:2024-09-02 23:05:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bae3d3e8262d7ce7e9ee69cc1b630d3a (5 x Akira, 2 x DCRat, 1 x CrealStealer)
ssdeep 393216:bCAIEkZQVBl80iqeCEDLJ83a10KqXdwWwsLCtszK0rC:WAIhQVj80i7CEDtEaqtwjPsX
TLSH T109E633421A8225B6E972B23F5821C9228531FC761B64E39F1BB4962F7F5B2D0493DF43
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter adm1n_usa32
Tags:64 exe LummaStealer Python


Avatar
adm1n_usa32
infected version of atom browser

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
tjigfd64.exe
Verdict:
Malicious activity
Analysis date:
2024-09-02 23:02:04 UTC
Tags:
stealer python
Link:
https://app.any.run/tasks/08de29aa-db27-49ad-b19e-8363680e26df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.17044.30586.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d644df8e12b8124ac906dc
Tags:
Execution Generic Infostealer Network Other Stealth Trojan Agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Running batch commands
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a window
Sending a custom TCP request
Changing a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd expand lolbin lolbin microsoft_visual_cc overlay packed packed pyinstaller pyinstaller
Link:
https://www.filescan.io/uploads/66d64a09ff3a24f7d3fa092a/reports/efd37958-c00f-4d57-8b80-964312eb9497/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/02ab409a3fa69005878bcd00d41f32330073e5606d60b7635fd970e92acdead0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/50b5b47c-2d5d-4dd5-97bb-27b51b2e96cf
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1503147
Signature
AI detected suspicious sample
Found pyInstaller with non standard icon
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1503147 Sample: tjigfd64.exe Startdate: 03/09/2024 Architecture: WINDOWS Score: 92 101 Multi AV Scanner detection for submitted file 2->101 103 Yara detected LummaC Stealer 2->103 105 Machine Learning detection for sample 2->105 107 4 other signatures 2->107 14 tjigfd64.exe 98 2->14         started        18 eventer.exe 2->18         started        process3 file4 73 C:\Users\user\AppData\Local\...\shell.pyd, PE32+ 14->73 dropped 75 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32+ 14->75 dropped 77 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 14->77 dropped 79 70 other files (none is malicious) 14->79 dropped 115 Found pyInstaller with non standard icon 14->115 20 tjigfd64.exe 5 14->20         started        24 conhost.exe 14->24         started        117 Tries to harvest and steal browser information (history, passwords, etc) 18->117 signatures5 process6 file7 65 420cb16399ade8b538...259c0542c576c49.exe, PE32 20->65 dropped 111 Tries to harvest and steal browser information (history, passwords, etc) 20->111 26 cmd.exe 1 20->26         started        28 cmd.exe 1 20->28         started        signatures8 process9 process10 30 cmd.exe 1 26->30         started        process11 32 420cb16399ade8b53834b8275069ff940641f0eb2379c17c2259c0542c576c49.exe 2 30->32         started        36 conhost.exe 30->36         started        file12 61 C:\Users\user\AppData\Local\...\loader.exe, PE32 32->61 dropped 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->99 38 420cb16399ade8b53834b8275069ff940641f0eb2379c17c2259c0542c576c49.exe 1 39 32->38         started        signatures13 process14 dnsIp15 91 95.163.50.150 NIVAL-ASRU Russian Federation 38->91 93 5.181.61.0 MAILRU-ASMailRuRU Russian Federation 38->93 95 142.250.181.238 GOOGLEUS United States 38->95 67 C:\Users\user\AppData\Local\...\lrunner0.exe, PE32+ 38->67 dropped 113 Query firmware table information (likely to detect VMs) 38->113 43 lrunner0.exe 2 4 38->43         started        file16 signatures17 process18 file19 69 C:\Users\user\AppData\Local\...\setup.exe, PE32+ 43->69 dropped 71 C:\Users\user\AppData\...\CHROME.PACKED.7Z, 7-zip 43->71 dropped 46 setup.exe 85 130 43->46         started        process20 dnsIp21 97 5.61.236.211 MAILRU-ASMailRuRU Russian Federation 46->97 81 C:\Users\user\AppData\Local\...\chrome.dll, PE32+ 46->81 dropped 83 C:\Users\user\AppData\Local\...\vk.ico (copy), PE32+ 46->83 dropped 50 atom.exe 46->50         started        55 setup.exe 46->55         started        57 setup.exe 46->57         started        file22 process23 dnsIp24 85 2.16.202.123 AKAMAI-ASUS European Union 50->85 87 192.168.2.22 unknown unknown 50->87 89 2 other IPs or domains 50->89 63 C:\Users\user\AppData\Local\...\History, SQLite 50->63 dropped 109 Tries to harvest and steal browser information (history, passwords, etc) 50->109 59 setup.exe 55->59         started        file25 signatures26 process27
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/02ab409a3fa69005878bcd00d41f32330073e5606d60b7635fd970e92acdead0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02ab409a3fa69005878bcd00d41f32330073e5606d60b7635fd970e92acdead0/
Threat name:
Win64.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2024-09-01 17:22:17 UTC
File Type:
PE+ (Exe)
Extracted files:
1838
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akvubgr7u2ialb4lzuanihzsgmahhzlanvqloy273fyoskwn5lia._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation pyinstaller spyware stealer
Link:
https://tria.ge/reports/240902-23dxqa1cpg/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
System Location Discovery: System Language Discovery
Checks system information in the registry
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3bfe10cc-75fd-44c9-b833-8be54746603d
Unpacked files
SH256 hash:
02ab409a3fa69005878bcd00d41f32330073e5606d60b7635fd970e92acdead0
MD5 hash:
c05e1fe3e6a317c0572dffb6fb373b2c
SHA1 hash:
4c2dee1f184842944ad18cc361f4299ba3eaae25
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/192dca10-17bd-4360-9998-bf653dfc45d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02ab409a3fa69005878bcd00d41f32330073e5606d60b7635fd970e92acdead0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/08de29aa-db27-49ad-b19e-8363680e26df

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW

Comments