MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83
SHA3-384 hash: eb18fc9784009be404e3121925ae55170a4840084c813f90a86a49fce6e537d8baf14bfd21207f043e275a59c8e8b171
SHA1 hash: cef9b19babe7df2bd51ad51602f5b3f248588a8a
MD5 hash: b5602601b4d7baacfc144311d09c7e6b
humanhash: uranus-purple-angel-ack
File name:b5602601b4d7baacfc144311d09c7e6b
Download: download sample
Signature LummaStealer
Create hunting rule
File size:610'816 bytes
First seen:2024-04-14 10:39:26 UTC
Last seen:2024-04-14 11:31:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7a19df34b14b62b6c4638a75f089976 (1 x LummaStealer)
ssdeep 12288:bFDBupvaVJI38M2E58tswKUBsK+4C5GogLFpg:ipctojUBsrxSp
TLSH T110D4CF50A39D6CE5F44229BDF2DFA3B98C3A5234636758E7CB496B5058021E0AF7F10B
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:32 exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
561
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83.exe
Verdict:
Malicious activity
Analysis date:
2024-04-14 10:42:21 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/7c074458-f782-466f-ab90-069e2b586830

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug lolbin packed shell32
Link:
https://www.filescan.io/uploads/661bb28608ebdfcacd04bec2/reports/0f2ec9b7-8ee6-4b9e-b7c4-2f5e3b1a07e0/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1b4bd1bb-a5d5-4234-9912-43e8020739ff
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1425731
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-04-14 10:40:07 UTC
File Type:
PE (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dnxata3huydnbnxo2xkf7mi6dv2zlorexusiizsfqwanrpp3lwbq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240414-mqh9caga35/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
d021585f5cd26b44461031136f0ab4bfdcdbe06392f294b62efa0f6f5c8ad386
MD5 hash:
4bb50eac39a142d44fef0e5076db60f4
SHA1 hash:
ad5433a71f20e31addc1a551192cc7a70a8a8725
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/f895bb83-536c-4c0e-b740-a9157e1024df/
SH256 hash:
1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83
MD5 hash:
b5602601b4d7baacfc144311d09c7e6b
SHA1 hash:
cef9b19babe7df2bd51ad51602f5b3f248588a8a
Link:
https://www.unpac.me/results/f895bb83-536c-4c0e-b740-a9157e1024df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 1b6e098367a606d0b6eed5d45fb11e1d7595ba24bd248466458580d8bdfb5d83

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2811802/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::GetConsoleWindow
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowA

Comments


Avatar
zbet commented on 2024-04-14 10:39:28 UTC

url : hxxp://sdshsjakdjsaljdkasda.ru/images/logo3.jpg