MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 251aa1051ddf9b6980064b57501532b96ae01a2dff959b45679143a8e3da324e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 251aa1051ddf9b6980064b57501532b96ae01a2dff959b45679143a8e3da324e
SHA3-384 hash: be2aecf1cb174d11503285d28e266f212261bbcf00148955b039229488ac9494e8dcae3224fbf44caee0a971fb4f5e23
SHA1 hash: fd9fd6605ddabc5dac6b6737c89b63af0d754e22
MD5 hash: 0afe94597545261f7a6fe6ea0d4d536e
humanhash: papa-glucose-arkansas-hamper
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'014'144 bytes
First seen:2024-10-16 03:50:59 UTC
Last seen:2024-10-16 04:39:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:lj4A4rLk+a2Aj/WETNa4rC5qUv0kVv/Z4igEayAsXi:lcdrpa2Aj/WgE4eVv0kVYfyD
Threatray 11 similar samples on MalwareBazaar
TLSH T1D7D54B52750AB6CBC4DE2BB88C67CEC3585E02F9472419C3D96CA5BABD67CC121F9C24
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.103/luma/random.exe

Intelligence

File Origin
# of uploads :
19
# of downloads :
403
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-16 03:52:01 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/b4163c39-4f0d-4ffc-8220-1c6918605938

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.78.13809.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670f38291d4ef219fa633077
Tags:
Vmdetect Autorun Lien Spam
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/670f382722d2b695ef7e4607/reports/1e95490f-34a8-4ce0-ab97-abc50512b2cb/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/251aa1051ddf9b6980064b57501532b96ae01a2dff959b45679143a8e3da324e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d7809584-fd89-4c06-8683-107564f18f5f
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1534682
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/251aa1051ddf9b6980064b57501532b96ae01a2dff959b45679143a8e3da324e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/251aa1051ddf9b6980064b57501532b96ae01a2dff959b45679143a8e3da324e/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-10-16 03:52:05 UTC
File Type:
PE (Exe)
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eunkcbi536nwtaagjnlvafjsxfvoagrn76kzwrlhsfb2ry62gjha._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
6f62e73187d3ae5000c18c8462a6e6480deed0f0c1b01270ec562dfd67b83000
LummaStealer
72f9a5e6f8fb331bd23bb1fdc1e4efc23decd6a5996ed92993c4fd50e80c38e3
LummaStealer
847ab97f46f9ebf8644cef91f88a99b13376b8d1e19cec46b20a9c64f2e013b5
LummaStealer
87f9f1dd0d4c76bd50533cd5e85d77332319d29acfb0da37142dd0e2d20f58e9
LummaStealer
8a13c6e39dc4ca5a2368efd2d0a9fdad9f08898836aa6dca215913038819e0d1
LummaStealer
95b1cfb989f22fc872400433acaa047fc01be081433137307523e4d116390598
LummaStealer
bca6b10158b6b5c86e2c29c4be5376e3e576dee27e1a121a2f288c35f1af25da
LummaStealer
ca3505a0ae6307f625171afa59845120711d805c4f63c3d4a6a6bd04c20f6914
LummaStealer
error
LummaStealer
f61486d206b225c70691b325e2d7cc5982ec57cedcb8eaa02e8875ccb4835b6f
LummaStealer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241016-eeg8xa1eld/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c6714e37-7d5b-4c7e-8dc2-707980ea8303
Unpacked files
SH256 hash:
9ba4ef0d8cb0afc64159a2c4ccc0317e32b6d97c1467840340af7bb014afcf67
MD5 hash:
d2f57f3c15db272a374a96b15c842ca8
SHA1 hash:
324e372dd66e4bf766e520e695dca1e634e5ab24
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/49d2d55e-5560-46f2-8a9f-f7d2108b7458/
SH256 hash:
251aa1051ddf9b6980064b57501532b96ae01a2dff959b45679143a8e3da324e
MD5 hash:
0afe94597545261f7a6fe6ea0d4d536e
SHA1 hash:
fd9fd6605ddabc5dac6b6737c89b63af0d754e22
Link:
https://www.unpac.me/results/49d2d55e-5560-46f2-8a9f-f7d2108b7458/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/251aa1051ddf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/251aa1051ddf9b6980064b57501532b96ae01a2dff959b45679143a8e3da324e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 251aa1051ddf9b6980064b57501532b96ae01a2dff959b45679143a8e3da324e

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
Dropped by
Amadey
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments