MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae
SHA3-384 hash: 932445f4d672fb1aa208ae4e006653a40d9b6b0b7685ee3baf021387152b348603245e2cb54d5c8289a650068701201a
SHA1 hash: 2ad16b3d6b993090717af76364a394c333da80ff
MD5 hash: e58a1b5fdc2e313c0e122bf50488d749
humanhash: king-moon-muppet-hydrogen
File name:e58a1b5fdc2e313c0e122bf50488d749.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'884'160 bytes
First seen:2025-02-02 06:39:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:/86TRAU6O9R1dvVNaZATK0TX6GRMA0yRnmgz1SKmw/DiH:xAUB/XvaqVyny9F1SVd
Threatray 109 similar samples on MalwareBazaar
TLSH T1E295334A484B9A98D0FC0F31DBF94E583E82070842F56EBD47148A768067FC8B676E1F
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
456
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e58a1b5fdc2e313c0e122bf50488d749.exe
Verdict:
Malicious activity
Analysis date:
2025-02-02 07:09:27 UTC
Tags:
stealer lumma themida loader
Link:
https://app.any.run/tasks/971aa92f-bd71-4e96-8d9c-912fb341f870

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.32488.30057.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679f1350a9881a7a01c511f6
Tags:
extens virus spam sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/679f188d06d12bc30bf5553b/reports/453ede5d-84cc-40c7-ac6a-9cb30cecc54d/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ec3ec9ae-5c98-49ba-b6f1-084bc2cd7f60
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1604934
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1604934 Sample: OkR84QGzx7.exe Startdate: 02/02/2025 Architecture: WINDOWS Score: 100 28 warlikedbeliev.org 2->28 30 firstparty-azurefd-prod.trafficmanager.net 2->30 32 consentdeliveryfd.azurefd.net 2->32 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 7 other signatures 2->48 8 OkR84QGzx7.exe 12 2->8         started        signatures3 process4 dnsIp5 34 185.215.113.16, 49860, 80 WHOLESALECONNECTIONSNL Portugal 8->34 36 warlikedbeliev.org 172.67.181.203, 443, 49735, 49739 CLOUDFLARENETUS United States 8->36 50 Detected unpacking (changes PE section rights) 8->50 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->52 54 Query firmware table information (likely to detect VMs) 8->54 56 9 other signatures 8->56 12 chrome.exe 9 8->12         started        15 chrome.exe 8->15         started        signatures6 process7 dnsIp8 38 192.168.2.9, 138, 443, 49705 unknown unknown 12->38 40 239.255.255.250 unknown Reserved 12->40 17 chrome.exe 12->17         started        20 chrome.exe 15->20         started        process9 dnsIp10 22 www.google.com 172.217.18.4, 443, 49969, 63131 GOOGLEUS United States 17->22 24 a1883.dscd.akamai.net 2.22.242.139, 443, 50025, 63132 AKAMAI-ASN1EU European Union 17->24 26 13 other IPs or domains 17->26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae/
Threat name:
Win32.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-02-02 06:40:17 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=diubmldypgtn2qxd6twsiudah7pcwh7kmbwanh5vnhviazslkwxa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
145d98e48d061103fe23cc3be16b2cc47dcb8889a9a728d75f968fd83a3b1903
LummaStealer
1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae
LummaStealer
1d94cf7ba1566319f76cf67973ca6aa32efec7783a40d2f52652df47231f4475
LummaStealer
37a089c63027e2e68313b10197e1cde4f554ae631e5757c539ff4aa15acd72ed
LummaStealer
9097b54392451d73b37577c5f606e5959c62deab4f359cf671adc62897452b49
LummaStealer
b852e881c1897d85e3ba7b89065c7ed027bcd775ec34e465b870fd5b2640b1ec
LummaStealer
bee7221ed233c2f0c6309199bea905c595543fff90790ef42a4985c9301a86e1
LummaStealer
d95cc64a717e33a3c2d5516c7b7a0ae57a99443817fd28dfd3e86161ef9d68f0
LummaStealer
error
LummaStealer
+ 99 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/250202-he9vps1rgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
c2 lumma lumma_stealer stealer
YARA:
n/a
Link:
https://app.threat.zone/submission/62515408-c0c3-406a-8e5d-701eef574ce8
Unpacked files
SH256 hash:
20b3b1023208c467239e713f735e291e7c2f81b1313f1e690f32bcd6700f475f
MD5 hash:
32649a36da4e8756e7b437506224a15a
SHA1 hash:
1517141131b707c1326222a0aab6e09594ee9446
Link:
https://www.unpac.me/results/57c12e5b-0633-4989-94d9-9bba4244e187/
SH256 hash:
1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae
MD5 hash:
e58a1b5fdc2e313c0e122bf50488d749
SHA1 hash:
2ad16b3d6b993090717af76364a394c333da80ff
Link:
https://www.unpac.me/results/57c12e5b-0633-4989-94d9-9bba4244e187/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a28162c7879/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_lumma_2eabe9054cad5152567f0699947a2c5b
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 1a28162c7879a6dd42e3f4ed2450603fde2b1fea606c069fb569ea80664b55ae

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3338032/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments