Threat name: LummaC, Amadey, Babadeda, LummaC Stealer
Alert
Classification: phis.troj.spyw.expl.evad
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected Vidar stealer
Behavior Graph
ID: 1582828
Sample: EdYEXasNiR.exe
Startdate: 31/12/2024
Architecture: WINDOWS
Score: 100

Process tree (each process lists the hosts it contacted, the files it dropped and the signatures that fired on it; child processes are indented beneath their parent):

Root
  signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 27 other signatures
  skotes.exe
    contacts: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); 31.41.244.11 (AEROEXPRESS-ASRU, Russian Federation)
    drops: C:\Users\user\AppData\...\4c4716526e.exe (PE32+); C:\Users\user\AppData\...\ad25d67005.exe (PE32); C:\Users\user\AppData\...\0bf9323d7e.exe (PE32); 31 other malicious files
    signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    0fb12e043c.exe
      drops: C:\Users\user\AppData\Local\...\win32ui.pyd (PE32); C:\Users\user\AppData\...\win32trace.pyd (PE32); C:\Users\user\AppData\...\win32process.pyd (PE32); 24 other files (17 malicious)
      signatures: Found pyInstaller with non standard icon
    cbfb8a9c89.exe
      contacts: 140.82.121.3 (GITHUBUS, United States); 185.199.110.133 (FASTLYUS, Netherlands)
      drops: C:\wOXcVegx\jyidkjkfhjawd.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file; 2 other signatures
      jyidkjkfhjawd.exe
        contacts: 104.21.18.19 (CLOUDFLARENETUS, United States)
        signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 4 other signatures
      3 other processes
        signatures: Loading BitLocker PowerShell Module
        2 other processes
    696689ce6d.exe
      contacts: 172.67.157.254 (CLOUDFLARENETUS, United States); 104.102.49.254 (AKAMAI-ASUS, United States)
      signatures: Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); 2 other signatures
    3 other processes
      drops: 3 other files (1 malicious)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures
      64252d274d.exe
        contacts: 188.114.96.3 (CLOUDFLARENETUS, European Union)
        signatures: Tries to steal Crypto Currency Wallets
      3 other processes
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        cmd.exe
          f3d6f9fcfe.exe
            cmd.exe
          conhost.exe
  EdYEXasNiR.exe
    contacts: 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 104.21.32.1 (CLOUDFLARENETUS, United States)
    drops: C:\Users\user\...\DX0TGIT2LZWIIEDZ8Y3A15R.exe (PE32); C:\Users\...\456YTTQ213T2RO9QAEYSNNZDL.exe (PE32)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
    DX0TGIT2LZWIIEDZ8Y3A15R.exe
      contacts: 185.215.113.206 (WHOLESALECONNECTIONSNL, Portugal); 127.0.0.1 (unknown, unknown)
      drops: C:\Users\user\Documents\HJEHIJEBKE.exe (PE32); 13 other files (9 malicious)
      signatures: Detected unpacking (changes PE section rights); Attempt to bypass Chrome Application-Bound Encryption; Drops PE files to the document folder of the user; 7 other signatures
      cmd.exe
        HJEHIJEBKE.exe
          signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; 2 other signatures
        2 other processes
      2 other processes
        contacts: 192.168.2.11 (unknown, unknown); 239.255.255.250 (unknown, Reserved)
        signatures: Monitors registry run keys for changes
        2 other processes
          contacts: 142.250.181.238 (GOOGLEUS, United States); 142.250.184.228 (GOOGLEUS, United States); 7 other IPs or domains
    456YTTQ213T2RO9QAEYSNNZDL.exe
      drops: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
      signatures: 3 other signatures
      skotes.exe
        signatures: Creates HTML files with .exe extension (expired dropper behavior); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 2 other signatures
  f3d6f9fcfe.exe
    cmd.exe
      cmd.exe
        f3d6f9fcfe.exe
          drops: C:\Users\user\AppData\Local\Temp\...\F9BD.bat (ISO-8859)
          cmd.exe
            drops: C:\Temp\3GEgnMlRi.txt (HTML); C:\Temp\.gif (HTML)
            mshta.exe
              signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
              powershell.exe
                drops: C:\Users\...\483d2fa8a0d53818306efeb32d3.exe (PE32)
                483d2fa8a0d53818306efeb32d3.exe
                  signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code)
                  Conhost.exe
                conhost.exe
            cmd.exe
              powershell.exe
                signatures: Powershell drops PE file
            cmd.exe
              powershell.exe
            2 other processes
        conhost.exe
    conhost.exe
  3 other processes
    signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
    3 other processes
      cmd.exe
        f3d6f9fcfe.exe
          cmd.exe
            drops: C:\Temp\5ZycQXqae.txt (HTML)
            mshta.exe
              powershell.exe
                483d2fa8a0d53818306efeb32d3.exe
                  signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                conhost.exe
            cmd.exe
              powershell.exe
            cmd.exe
              powershell.exe
            2 other processes
        conhost.exe