MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff
SHA3-384 hash: 20e0fd575c546c83e61236b5bf3815dba2370d5e962fc6cab621f15e55b7e6e408dead04adcafa45ebd856ecea796d8d
SHA1 hash: b7e131f06fd949ed071c745111d5589cd3be7ef9
MD5 hash: ccf904b9afa2515f1120932e4bd1f148
humanhash: uniform-winner-missouri-mobile
File name:ccf904b9afa2515f1120932e4bd1f148.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:7'045'120 bytes
First seen:2024-12-28 08:27:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 196608:YZXavTeVG5FTdokwbzfD73IYRWVazi4rAySBQ1onE:BLeVmFCkwbzfDL1AyFMySB
TLSH T15B6633B0C7A97509FB79273671F68258E024264FF164B13A517F48B81A0FE64F9A30F9
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ccf904b9afa2515f1120932e4bd1f148.exe
Verdict:
Malicious activity
Analysis date:
2024-12-28 08:50:19 UTC
Tags:
cryptbot stealer autoit lumma
Link:
https://app.any.run/tasks/6ca04268-a9b6-4ded-b574-d0d189ccc165

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.31345.25654.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=676fb6b61bb06b888478dfa9
Tags:
vmdetect autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Connection attempt to an infection source
Moving a file to the %temp% directory
DNS request
Connection attempt
Sending an HTTP POST request
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/676fb6a6a561e5a2873b37bd/reports/c1bd17ed-7e87-41a1-9318-bdbfbfcc9d2a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d0844128-802b-48e8-8060-5b820fe06571
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1581578
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Leaks process information
LummaC encrypted strings found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1581578 Sample: CLaYpUL3zw.exe Startdate: 28/12/2024 Architecture: WINDOWS Score: 100 41 spuriotis.click 2->41 43 yYkNteoVRFthbcESpvExVn.yYkNteoVRFthbcESpvExVn 2->43 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 12 other signatures 2->59 9 CLaYpUL3zw.exe 4 2->9         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\Temp\Set-up.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\...\PasoCattle.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\...\CLaYpUL3zw.exe.log, CSV 9->39 dropped 71 Detected unpacking (changes PE section rights) 9->71 73 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->73 75 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->75 77 5 other signatures 9->77 13 PasoCattle.exe 19 9->13         started        15 Set-up.exe 9->15         started        signatures6 process7 dnsIp8 19 cmd.exe 2 13->19         started        47 home.fortth14ht.top 194.87.58.92, 49762, 49773, 49779 RELCOM-ASRelcomGroup19022019RU Russian Federation 15->47 49 httpbin.org 34.226.108.155, 443, 49719 AMAZON-AESUS United States 15->49 51 Multi AV Scanner detection for dropped file 15->51 signatures9 process10 file11 33 C:\Users\user\AppData\Local\...\Climb.com, PE32 19->33 dropped 61 Drops PE files with a suspicious file extension 19->61 23 Climb.com 19->23         started        27 cmd.exe 2 19->27         started        29 extrac32.exe 13 19->29         started        31 8 other processes 19->31 signatures12 process13 dnsIp14 45 spuriotis.click 172.67.128.184, 443, 49774, 49781 CLOUDFLARENETUS United States 23->45 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->63 65 Query firmware table information (likely to detect VMs) 23->65 67 Found many strings related to Crypto-Wallets (likely being stolen) 23->67 69 4 other signatures 23->69 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-12-28 07:28:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a36d5d4vd6rykxkak3vaioun4tjew6g7gl2eenacgbnkkfx5k37q._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241228-kc1v5awrgw/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Embeds OpenSSL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://hummskitnj.buzz/api
https://cashfuzysao.buzz/api
https://appliacnesot.buzz/api
https://screwamusresz.buzz/api
https://inherineau.buzz/api
https://scentniej.buzz/api
https://rebuildeso.buzz/api
https://prisonyfork.buzz/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6c083721-d860-4cb1-8e5b-a45ce6484fa6
Unpacked files
SH256 hash:
2a339c22863aded6696977d5da8a1b136b5acbd53cdd7084aa278073a4e1b1de
MD5 hash:
35ad28f7de5de5d35b980ed67aa09598
SHA1 hash:
df594ca08b6bb675b1aa4a2786579fd90f1a6b43
Detections:
CryptBot
Create hunting rule
Link:
https://www.unpac.me/results/34219df7-9156-4799-a3ef-0428b0a21e04/
Parent samples :
1ad8785caeb519b67ea168477437d8166d9747196a46d22313f48eb4ab86fec8
620a56b42afe5245088bbe070eab84b2ab6e5baaebb28be61c1cf339c7375006
80a8fee2e4d5909bf2dbe60be97d7ea44bbc5d9e3745caf83a06653287ea229c
aea1e74825e2d187e04a81bb5ce56593f5769c4b86218e5fc820d900801abdb4
794ae0a21b8b6845efc55b6afb6b8588452e12b426abf29d2d52ed66db0b175a
147e5a90a4aa996af89ed826f3ce38c8626fe94a291568c45c8df009f9f4b814
23f525572220eef117b077bc9ee2a39729a0b9b3c58543c814084e63bfca8e34
7039e6fb048b2a7511b7095958332a7300cc42e66142b4c815f18cd02b6f1b69
8077581cfece59ca6d8e06d5bedde9664014531a091d3c15732aeae4679dd40e
5866e752f869f91e6084a50c2ee65991de91b9e63f4ea9d1ac9bce9b4123a77d
06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff
68e2883db56393de9bd19bb69d5c0f0a4466060af05e20d0ac957361c0568699
bd533aee4fa009263848683ec6c04d34fc4b95318241e5a9a7311f37d699b1cb
bb6ed22605e38edeea643fc3ef43ced73ba96cc3740f8e1d4332932a36d45a41
SH256 hash:
a58da4d7b50178f5fff47f3c90af1e8103254f15af931f3ecd8dd4479901ae2a
MD5 hash:
bf9bea203da2194a2a8dff5de84fe3f3
SHA1 hash:
a3265f2d44d1a9fa573083b4960293e7baabb362
Link:
https://www.unpac.me/results/34219df7-9156-4799-a3ef-0428b0a21e04/
SH256 hash:
deb4c4e83e1adb2260878aa31059f751f48e2e433142a199b616128efba1ad0d
MD5 hash:
8b1414937e70e3ad5cfacc424dc701ac
SHA1 hash:
930bd7d902ec5093aa3639f8f6064592f744f59e
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/34219df7-9156-4799-a3ef-0428b0a21e04/
Parent samples :
b57d78d93f74f7ae840ab03d3fda4f22a24ad35afcf9a53128cf82a92a67a085
06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff
659f55fe8c0a69b0f6c6440a777b409af34a8206613f7ed31b2b26cd821da339
fe4289d0e93af2b2bd4103c208c7887dfa2e776bc128ba00c8f5626dd386d689
5df0fcaba956997a24d19d6a56e95fb66f63e557627f461105e73e2baeae8e01
a6f505950424c626a2e800ee4d5b50de2e091d6b1f4f8ceeedc0e2e4af6aa6c0
d28fb0737213a89d3afc456a8735eeea48209d4d5ef31f8ec71a2c1796c660a3
befd287cf0e7ea186b496d2db1351ae25d279fa362babe0e0c0a00cb03287111
27a6c8ff6577be009fc1ad64de7c0856cb65407ee79b7fe1a48db58d3fccbc07
a38112572330fc431820c0c9fe01c670e4cf8504edebf8d4e1633299dcc14d5e
87b22dc6e19d8ae5d0a41560d6db0b3d7ae69a6e6a147fb5114b30ddf7710ace
f4d96aca90e5218b27a7d4a539d8ff5a16a6c4b94900bf1044c39254d51174fb
4e06f5dabc7a98dda7645f288f14ad415ad3791cd326940f08361aa1b84ca5ae
ec7755e923c5d31f0d3cd051a8d5fb52e4789d3a96ccd05210d38dea87221824
7ea240b6e590bb8cf4319ddc27b2ac6491ce0802b0cbb07e58bbad99f72e28d3
e285e972bd8877e3a8a5ac1cf4c7034c80c64866310e67131ab76655bbb69ee6
9137185e8f72c20aa75a54554a30ba0f8ab15696e57d4abad6d566df83dd9e89
9eefea2c305ae67db405c3fc3edb461259a9c0ec78b6cf156d084cd5b8eefc71
1f9869d28c20e90e919a1b739f83e96eac0b6d35f0fcdea932150e5fabb5c011
c82c126a95e90e070dc919b5bd4962af4dfb340b8d6f6e83bda42d63bc94eadd
1229329f146db6c61927e88dd7cb1cf4479352bc500f0a44a36d53916d82ee75
SH256 hash:
06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff
MD5 hash:
ccf904b9afa2515f1120932e4bd1f148
SHA1 hash:
b7e131f06fd949ed071c745111d5589cd3be7ef9
Link:
https://www.unpac.me/results/34219df7-9156-4799-a3ef-0428b0a21e04/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/06fc3e8f951f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 06fc3e8f951fa3855d4056ea043a8de4d24b78df32f4423402305aa516fd56ff

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3331772/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3331766/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments