MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24a26ac9cd209bf84831dae7d778fceb46b1e30b48454c130a6e62accdc1369e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 10 File information Comments

SHA256 hash:	24a26ac9cd209bf84831dae7d778fceb46b1e30b48454c130a6e62accdc1369e
SHA3-384 hash:	f34b0c1d2d525fefe735354eccd79ea11e6ab79816094eedaa0cba141c1b9470fa536f31c7bbb0063cccc732feebb657
SHA1 hash:	5c67453947128df910b46d5356f2ac5a8bae0cc9
MD5 hash:	c45a36ec4b4f8d8412c60db459c2b9d2
humanhash:	papa-yankee-fourteen-autumn
File name:	SDIO_R773.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	5'304'144 bytes
First seen:	2025-01-11 10:54:16 UTC
Last seen:	2025-01-14 07:53:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5d6fd7b1c30a5b028e18dcdea9485e90 (1 x LummaStealer)
ssdeep	98304:JvoSyiXIQu22Q+LFmIFSy3WNxB5PlRqt+0GIKMZgOaP3oL+M1p+Plrdfoh:Jv19XLu22r0IFf3WTPlot+0hSr3oL+M7
Threatray	1 similar samples on MalwareBazaar
TLSH	T1F4366D5AFB4365F4F52356718A4FE77F8B146E368022DD6BFB0EEA08B4735162809312
TrID	31.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 22.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 17.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 5.7% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika	pebin
File icon (PE):
dhash icon	b270f0d4cce4d4f0 (2 x LummaStealer)
Reporter	SquiblydooBlog
Tags:	exe lumma LummaStealer signed T H SUPPORT SERVICES LTD

Code Signing Certificate

Organisation:	T H SUPPORT SERVICES LTD
Issuer:	Certum Extended Validation Code Signing 2021 CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2024-11-26T12:07:48Z
Valid to:	2025-11-26T12:07:47Z
Serial number:	502f183b00b497dfc821d09deb30526b
Intelligence:	10 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	0a2caaf3a1e6490de521ccca8452705af0bd9a4a91d7f02cd8d3588404bcf77c
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

505

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SDIO_R773.exe

Verdict:

No threats detected

Analysis date:

2025-01-11 15:27:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8386219b-4085-451c-b7b5-9a0ec23a332f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67824e092c8240e189bbd4e4

Tags:

injection dropper obfusc

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Behavior that indicates a threat

DNS request

Connection attempt

Sending a custom TCP request

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm control explorer lolbin mingw overlay packed packed packer_detected tracker

Link:

https://www.filescan.io/uploads/67824e071b01484d158eb2f2/reports/364bd121-b359-404f-84b3-0785396bffc2/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/24a26ac9cd209bf84831dae7d778fceb46b1e30b48454c130a6e62accdc1369e

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b751911b-8b53-4d1f-9a41-a0e570e0d03b

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1589146

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates HTML files with .exe extension (expired dropper behavior)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Malicious sample detected (through community Yara rule)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

20%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/24a26ac9cd209bf84831dae7d778fceb46b1e30b48454c130a6e62accdc1369e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24a26ac9cd209bf84831dae7d778fceb46b1e30b48454c130a6e62accdc1369e/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=esrgvsonecn7qsbr3lt5o6h45ndldyyljbcuyeyknzrkztobg2pa._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

error

LummaStealer

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250111-mz4xeaxkg1/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/209f4786-8611-4ba8-aac4-51f6e4990bf1

Unpacked files

SH256 hash:

bb9569e8cc30eab8adc7c1d2cc42c4788eedcdbfafbc777029fecab13f7200cf

MD5 hash:

fb6e1a338f3217764c50757330ff1551

SHA1 hash:

7f2c9639d599fb18fc0ce774c3421cb92c26daf7

Detections:

LummaStealer

Link:

https://www.unpac.me/results/30ad0cc3-5204-4e31-8224-e075325d6d15/

SH256 hash:

734075a804e6640be3d7c7a6f912208dcfca93aad172f5d14744d3929a144761

MD5 hash:

404dd46a3dc6e7f9e7787b6a32858af0

SHA1 hash:

67831d9921294da82f79a8e584cbdffaee2ddf8f

Link:

https://www.unpac.me/results/30ad0cc3-5204-4e31-8224-e075325d6d15/

SH256 hash:

24a26ac9cd209bf84831dae7d778fceb46b1e30b48454c130a6e62accdc1369e

MD5 hash:

c45a36ec4b4f8d8412c60db459c2b9d2

SHA1 hash:

5c67453947128df910b46d5356f2ac5a8bae0cc9

Link:

https://www.unpac.me/results/30ad0cc3-5204-4e31-8224-e075325d6d15/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/24a26ac9cd20/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/24a26ac9cd209bf84831dae7d778fceb46b1e30b48454c130a6e62accdc1369e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetFileSecurityW ADVAPI32.dll::SetFileSecurityW
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetConsoleMode KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleScreenBufferInfo KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo WS2_32.dll::getnameinfo WS2_32.dll::WSAAddressToStringA WS2_32.dll::WSAIoctl WS2_32.dll::WSARecv WS2_32.dll::WSARecvFrom
WIN_USER_API	Performs GUI Actions	USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample