MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d03b3ff5866b8064fc703327278785e0e582aa46e79eecad9c4a7fff1ad0a90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	1d03b3ff5866b8064fc703327278785e0e582aa46e79eecad9c4a7fff1ad0a90
SHA3-384 hash:	f49209ecf1a9b3bf480d71ef0a925c3522d619a542c63e90cd3da188f0467c06517420285ed0ecb9f39c95b3505f0e40
SHA1 hash:	97ee80d1b44aea7711a4465d902119965d4c3c94
MD5 hash:	3934bed89091117678e2f202033fa78a
humanhash:	spring-muppet-venus-march
File name:	Launcher_x32_x64.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	62'256'356 bytes
First seen:	2024-08-31 19:16:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f4680c52b4d4f6f1e0f92b81397ce8c4 (4 x MeduzaStealer, 1 x LummaStealer, 1 x CoinMiner)
ssdeep	786432:ecOGn1TedQegs5ibjYrzw0P7pmLn+ti0y3TfPZ3rGyn3ipTyf:ecOGn1edTrzq+ti9DSpQ
TLSH	T17BD7BF22B7C88A26F99E067281BBE755C37DA9110735EBCB1698FAD818723D14D313D3
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	bobross_malware2
Tags:	exe lumma LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Launcher_x32_x64.exe

Verdict:

Malicious activity

Analysis date:

2024-08-31 19:40:46 UTC

Tags:

alfac2 lumma stealer

Link:

https://app.any.run/tasks/775f1565-c4ae-4bb5-8a14-6369e63dcca9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66d36c3bad7abf2db5cfaa48

Tags:

Stealth Trojan

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Launching a process

Connection attempt

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

agenttesla anti-debug bash dotnet evasive expand fingerprint lolbin net njrat obfuscated overlay packed remote shell32

Link:

https://www.filescan.io/uploads/66d36c32577589de1265ea4d/reports/e665402d-e432-4506-9208-9aa706077823/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/1d03b3ff5866b8064fc703327278785e0e582aa46e79eecad9c4a7fff1ad0a90

Result

Verdict:

MALICIOUS

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1502259

Signature

AI detected suspicious sample

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to prevent local Windows debugging

Found malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Writes to foreign memory regions

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/1d03b3ff5866b8064fc703327278785e0e582aa46e79eecad9c4a7fff1ad0a90

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dub3h72ym24amt6hamzhe6dylyhfqkvenz465swzyst774nnbkia._file

Verdict:

unknown

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/240831-xzcs2a1arl/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

Lumma Stealer, LummaC

Malware Config

C2 Extraction:

https://tenseddrywsqio.shop/api
https://locatedblsoqp.shop/api
https://traineiwnqo.shop/api

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1ddc55a4-b71c-4243-b85a-7784a9266aeb

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d03b3ff5866b8064fc703327278785e0e582aa46e79eecad9c4a7fff1ad0a90

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetSidSubAuthorityCount ADVAPI32.dll::GetSidSubAuthority ADVAPI32.dll::RevertToSelf
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::SetKernelObjectSecurity
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken ADVAPI32.dll::SetThreadToken KERNEL32.dll::VirtualAllocExNuma KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::GetActiveProcessorGroupCount KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileMappingA KERNEL32.dll::GetWindowsDirectoryW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegGetValueW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample