MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1453178b719dcae88b06c47b7dffd103fe18aebfc6d14d66f669593e2571017a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1453178b719dcae88b06c47b7dffd103fe18aebfc6d14d66f669593e2571017a
SHA3-384 hash: f728b0d60a53e351f00ca26af4838758fd24ac4d2f71923f546a9caf4e236eb634700886ccc6e725e218cd0922898ae1
SHA1 hash: 1f2367a27458aef65de7e09809b6d2d726f2682b
MD5 hash: 04238b206acc44654c4ec01fc33b0d05
humanhash: beryllium-illinois-snake-sweet
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'976'768 bytes
First seen:2024-10-23 05:42:20 UTC
Last seen:2024-10-23 06:25:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:yGmgo5CjJeqpR2r4TN+FzobNE0JPK92dv62uSg6TZf/gZX:25CjJPpR2rIN+Fzobr5KkBOOdf4X
Threatray 101 similar samples on MalwareBazaar
TLSH T1D6D54B72A40561CFD4DE23F88537CD8A991D42B98B2828D79C5C60BEBE77CC11AB6D34
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
20
# of downloads :
412
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-23 05:44:18 UTC
Tags:
lumma stealer loader stealc amadey botnet themida
Link:
https://app.any.run/tasks/fb98bcb4-b685-47c3-9b85-15a7bfba258d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.25838.21463.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67188e1b5a02f8393c7331cd
Tags:
Shellcode
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/67188ce9c7aed0374dace19b/reports/0158ccf9-817d-4fed-8e08-52e1e0a243c2/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/1453178b719dcae88b06c47b7dffd103fe18aebfc6d14d66f669593e2571017a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/346db4b6-e35a-4c62-9d3e-d3c8c5c6e02e
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1539824
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1453178b719dcae88b06c47b7dffd103fe18aebfc6d14d66f669593e2571017a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1453178b719dcae88b06c47b7dffd103fe18aebfc6d14d66f669593e2571017a/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-10-23 05:43:13 UTC
File Type:
PE (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crjrpc3rtxforcygyr5x376rap7brlv7y3iu2zxwnfmt4jlraf5a._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
074ee51d9bc6abc3f6c43925201998cdcb801413fc80cde720e493a0dc0e6dd5
LummaStealer
08643496ffbec35a84e902dbdbfe27b8b1043d66627dec62d3c6a2f0de76111c
LummaStealer
303e18730050b2e5c1eb01fc50eaa8fb78b95f09b5d5d83b09afe48cf13230c0
LummaStealer
38b2d343fb93e9aeaa57bd3c81075cbfda6bd8c0d4addf83c14aded16f4fa423
LummaStealer
524cda8f505ddf7f92904505ff9562170146d6c2b81b506a89033f2f283ae5cc
LummaStealer
64ebff6e8bc8771871fc410bbda0c6ceef6ffde7c01714913e69f074d3d94210
LummaStealer
6f62e73187d3ae5000c18c8462a6e6480deed0f0c1b01270ec562dfd67b83000
LummaStealer
72f9a5e6f8fb331bd23bb1fdc1e4efc23decd6a5996ed92993c4fd50e80c38e3
LummaStealer
8a13c6e39dc4ca5a2368efd2d0a9fdad9f08898836aa6dca215913038819e0d1
LummaStealer
error
LummaStealer
fba3ebbff6756032c1d3b1053f3d563912b44400aa143a4235dffe108de242fa
LummaStealer
+ 91 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241023-gekp5stdmf/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/af3078c6-cdd4-43c6-8796-40757ca3d174
Unpacked files
SH256 hash:
5c153dc2dc402ed8f2a505f09fe2f5bbfa7a8a39e88c864de285e88209686c25
MD5 hash:
8ea80d0ec87ae6a08853d111ebeb2f72
SHA1 hash:
cdb41e28e342affb1c6266cb2c3a4f7b21513c5e
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/d3fb9693-f00a-4aef-9dee-658e47801f8e/
SH256 hash:
1453178b719dcae88b06c47b7dffd103fe18aebfc6d14d66f669593e2571017a
MD5 hash:
04238b206acc44654c4ec01fc33b0d05
SHA1 hash:
1f2367a27458aef65de7e09809b6d2d726f2682b
Link:
https://www.unpac.me/results/d3fb9693-f00a-4aef-9dee-658e47801f8e/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1453178b719d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1453178b719dcae88b06c47b7dffd103fe18aebfc6d14d66f669593e2571017a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 1453178b719dcae88b06c47b7dffd103fe18aebfc6d14d66f669593e2571017a

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments