MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 19


Intelligence 19 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e
SHA3-384 hash: c80bc31a2c898cf9de684ff45e91cb54661ebd7b2659e2116c808681aa17139485591085f2f6b12187ce8259aecc80c8
SHA1 hash: 70d66ee841754f39e7abffeb8f980be3f1e50033
MD5 hash: 3b2250172cdc65f249533ad138ef8ab5
humanhash: uranus-single-massachusetts-missouri
File name:3b2250172cdc65f249533ad138ef8ab5.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:375'296 bytes
First seen:2024-09-27 14:45:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:zhhct8bwd3MYhdPGRfvsaFP2s2k5yR7261AuXBAnRhCFiVBLbb/g3ipkai080i:b1bwlMUPGlvlP/2kER72eAuXinRhaMXN
Threatray 139 similar samples on MalwareBazaar
TLSH T19884234A3AD08763F4F5C6B28CB596A48F313F7BC98DE27BB1119E79125AD0593B0C14
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
641.7z
Verdict:
Malicious activity
Analysis date:
2024-09-27 12:19:47 UTC
Tags:
evasion autoit-loader privateloader loader lumma stealer stealc miner netreactor smokeloader risepro vidar socks5systemz proxy g0njxa
Link:
https://app.any.run/tasks/b13bd169-e7f9-4449-b421-364c4e16abbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilzilla-10036350-0
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f6c5324b14762f62124d26
Tags:
Static Micro Virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66f6c530b0f518b6a9fc9721/reports/688064f1-0854-40ff-b254-564524a2b6c3/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3aecfd29-0263-495a-b15c-f61aa317be56
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1520608
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-09-27 11:36:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyriekz7p5tfg4sawr3akycvazkowlbdyh2xy7slwuwtzpc63vpa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
2a8ad4c9af3031fde7d322613cfba967c63ff6e5657c74ba8693050039f07f6e
LummaStealer
6335282918d5ab79ed7704a1dc655915f829c435997e31d20780d6eda030a440
LummaStealer
8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616
LummaStealer
941e7002f11290e3ed9dd99d8cc0abc62f6cf69b923ae30b89741579854a8a70
LummaStealer
f75acf936390f89239c43552717efb65c4c3190b16a7eec62dcd0053a045e91d
LummaStealer
+ 129 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/240927-r5a9hazdrb/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://reinforcenh.shop/api
https://stogeneratmns.shop/api
https://fragnantbui.shop/api
https://drawzhotdog.shop/api
https://vozmeatillu.shop/api
https://offensivedzvju.shop/api
https://ghostreedmnu.shop/api
https://gutterydhowi.shop/api
https://lootebarrkeyn.shop/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0742bf0e-1521-4d9c-ad6a-a28888dab080
Unpacked files
SH256 hash:
652c891ff5215ac669e77ed2982fa21aec72316f8243a1da2b04ddf51b73e353
MD5 hash:
76943f17e2dca7cb98402ed13f5d49ea
SHA1 hash:
766909a2d9c5cf6f54084b0e7bef0e44310cf9fa
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/b3722c87-cafb-44f0-9fd8-bc61890c0ac0/
SH256 hash:
1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e
MD5 hash:
3b2250172cdc65f249533ad138ef8ab5
SHA1 hash:
70d66ee841754f39e7abffeb8f980be3f1e50033
Link:
https://www.unpac.me/results/b3722c87-cafb-44f0-9fd8-bc61890c0ac0/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1622822b3f7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3186589/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments