MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa
SHA3-384 hash: 3c76cad33c8af91ada206c583979836c56a9f3cdfc6d07d9379c51f44a27d885545600771a265274544b01f096290aae
SHA1 hash: 011be923a27b204058514e7ab0ffc8d10844a265
MD5 hash: 87fc5821b29f5cdef4d118e71c764501
humanhash: comet-arizona-spring-don
File name:SecuriteInfo.com.Win32.CrypterX-gen.14771.3084
Download: download sample
Signature LummaStealer
Create hunting rule
File size:7'261'184 bytes
First seen:2025-03-06 15:19:56 UTC
Last seen:2025-03-07 15:45:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c949bece784d757329c70b20520186b (1 x LummaStealer)
ssdeep 98304:lLoJoGHhBU37lVCPk8wbdLNV5ZYuLNV5ZY:lLoJpBU37lVCfYdLH5PLH5
TLSH T1D37681E2E42F6881DED63D7D55117EDCC532AB2607C378B8914E1E29EF002198EE5BC6
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4504/4/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon b071f0f0c4ccf0d4 (1 x LummaStealer)
Reporter SecuriteInfoCom
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
497
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
New Text Document.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-03-06 14:32:17 UTC
Tags:
sfx dropper loader opendir stealer stealc telegram auto generic autoit tas17 salatstealer cryptbot lumma rat xworm vidar hausbomber dcrat qrcode
Link:
https://app.any.run/tasks/a0f498a4-31f1-4405-9fe7-60fb2f39c872

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.14771.3084.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c9bf26c668b65489bf788d
Tags:
phishing
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
microsoft_visual_cc
Link:
https://www.filescan.io/uploads/67c9bd314a3011c802c97c40/reports/95a3e4fd-ac11-4fec-8920-647ed578d53a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44a9ec59-a964-4c2a-81ad-dbbb11f462ff
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1631088
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-03-06 14:59:05 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dptxaevxy4q6jvacp4quxlkdeu6b6aiwy2zkinsgqxmnneja4kva._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/250306-sqtyqs1xfw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
c2 stealer lumma_stealer lumma
YARA:
n/a
Link:
https://app.threat.zone/submission/3c98b7f8-f536-4c75-a639-e98c575cb240
Unpacked files
SH256 hash:
6de4d2f785c4cf6f32ba45e2902c7b233174c4b052a28f2c7d139899f7f8248c
MD5 hash:
e1115d28f639422f00709c533c300c09
SHA1 hash:
d74d1ceb6b515e82ccc37a1909be15015f7fd2c3
Detections:
win_lumma_auto
Create hunting rule
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/14a666cb-5ad5-47a8-88ef-e823e1ef25bf/
SH256 hash:
1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa
MD5 hash:
87fc5821b29f5cdef4d118e71c764501
SHA1 hash:
011be923a27b204058514e7ab0ffc8d10844a265
Link:
https://www.unpac.me/results/14a666cb-5ad5-47a8-88ef-e823e1ef25bf/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1be77012b7c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3469487/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetCommandLineA

Comments