MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b
SHA3-384 hash: 10d214caf47be0473ea4a851451f63617d9ba7d1418473d036a0317fb412cf41d9d4431f452734bc6092599d780faa4b
SHA1 hash: 40d399b25974e5d969a1f97604b35e93e19b82d3
MD5 hash: dee63473a06ba61e8c176166609f3dbc
humanhash: bakerloo-football-solar-vegan
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:670'361 bytes
First seen:2024-01-25 12:44:19 UTC
Last seen:2024-01-25 14:24:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 815a983dc2c1dcfdcf5ea58bd5240e72 (2 x Vidar, 2 x Rhadamanthys, 2 x RedLineStealer)
ssdeep 12288:h3VIyYfc7/SMQg5Z+9M+eF16C18NT6qxb8c3rfrVKHtmDajkzfFX0fte55nvVTIL:h3VRYkrQg5iwFwC18NTtV2mujkzfF3Pu
TLSH T1B1E48D88EBB364A1D7CD363CE14D9E51DDCAE88EB3E4CE84325466661ED114738CA31E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://109.107.182.3/lego/installs.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f.exe
Verdict:
Malicious activity
Analysis date:
2024-01-26 06:13:33 UTC
Tags:
amadey botnet stealer loader redline risepro fabookie evasion
Link:
https://app.any.run/tasks/5f8999f3-a417-4b1b-b748-629f259dcee5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472884/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.28381.27847.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint overlay packed
Link:
https://www.filescan.io/uploads/65b257d287258803c23efbfc/reports/da3dc231-632b-46da-9188-8ea1aa4e9e30/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
WeeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d6b3b0d-4258-49f1-8f54-8bfbae359aec
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1381040
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-25 12:45:06 UTC
File Type:
PE (Exe)
AV detection:
11 of 38 (28.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdzjtufoh4kd76ret24ykdhqznigiotjdrqnqdimqlbphsz7zjvq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240125-py23jafha7/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
503c5091dc43fd5039ae0803ce993d24a4a414d77cb537b07923523a68a544bf
MD5 hash:
eb3101111b8539e9c9bedbd11888cad2
SHA1 hash:
e46ea838dc4cde0f9f7abe04ac12cf1f12d089cc
Link:
https://www.unpac.me/results/e6bcf7f0-100e-448e-a8c5-7a303d148ab9/
SH256 hash:
10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b
MD5 hash:
dee63473a06ba61e8c176166609f3dbc
SHA1 hash:
40d399b25974e5d969a1f97604b35e93e19b82d3
Link:
https://www.unpac.me/results/e6bcf7f0-100e-448e-a8c5-7a303d148ab9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10f299d0ae3f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/472884/
  
URLhaus
https://urlhaus.abuse.ch/url/2751510/

Comments