MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04eb716f3da2e504a2a42de697b19bcc66b673fcfbeab0ef0b44d61567409c1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04eb716f3da2e504a2a42de697b19bcc66b673fcfbeab0ef0b44d61567409c1c
SHA3-384 hash: 7b3d977b4f8cbdcbc9ba99c0354f917ef0c3038411467d1f1e60075e9d895b7335ccdadfd25ca556be2953273d30bbc2
SHA1 hash: abb044e92060787cc31afdc26e18b0cbcbd451fa
MD5 hash: aba267cea6cfb575df0f5eae54e22459
humanhash: mobile-romeo-bakerloo-comet
File name:aba267cea6cfb575df0f5eae54e22459.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:7'798'568 bytes
First seen:2024-02-20 15:26:43 UTC
Last seen:2024-07-25 01:52:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:1CbX2SIGOItWvMzsyfia505DCzjXAQj0d8sA811V/AUH:AIGZzV6KzHfE11V/Z
TLSH T10A76F8137985C800C2286533C9EFEA1987AD3F485D53E62B76B83BAC553737B281F199
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8e8f07068c8c4f0 (1 x LummaStealer)
Reporter abuse_ch
Tags:exe LummaStealer signed

Code Signing Certificate

Organisation:Philips OLD City
Issuer:Philips OLD City
Algorithm:sha512WithRSAEncryption
Valid from:2024-02-18T12:01:30Z
Valid to:2027-06-02T00:00:00Z
Serial number: 04edc0337ebebe47b03be447bc2cd2d7
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3e199a08bac3641dd637f29be2238fdf23227a4570461f05d9a6e5db9c142294
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
339
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477083/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Launching a process
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin msbuild net obfuscated overlay
Link:
https://www.filescan.io/uploads/65d4c4cf22703c3491a7aff9/reports/79603bac-215c-47eb-80e1-ad8e1c2dc553/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/04eb716f3da2e504a2a42de697b19bcc66b673fcfbeab0ef0b44d61567409c1c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/65d426f0-79d6-4ca6-99f9-d4ca9c5d38bb
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1395410
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/04eb716f3da2e504a2a42de697b19bcc66b673fcfbeab0ef0b44d61567409c1c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04eb716f3da2e504a2a42de697b19bcc66b673fcfbeab0ef0b44d61567409c1c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=atvxc3z5ulsqjivefxtjpmm3zrtlm4747pvlb3ylitlbkz2atqoa._file
Verdict:
malicious
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma stealer
Link:
https://tria.ge/reports/240220-svrdeaae8s/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Lumma Stealer
Malware Config
C2 Extraction:
https://isotrimorphicnongrasse.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Unpacked files
SH256 hash:
04eb716f3da2e504a2a42de697b19bcc66b673fcfbeab0ef0b44d61567409c1c
MD5 hash:
aba267cea6cfb575df0f5eae54e22459
SHA1 hash:
abb044e92060787cc31afdc26e18b0cbcbd451fa
Detections:
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Link:
https://www.unpac.me/results/3bf90546-b031-4bd5-80d4-3cf7838e089f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04eb716f3da2e504a2a42de697b19bcc66b673fcfbeab0ef0b44d61567409c1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/477083/

Comments