MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26abd887a2ace236890b4d89a2fc7f3499609d885f1f314afa8b8e4542d15dbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15

SHA256 hash: 26abd887a2ace236890b4d89a2fc7f3499609d885f1f314afa8b8e4542d15dbe
SHA3-384 hash: 41abfd45097414485f71fecc95feb7f2a132e3a1dd3dc482f12077b2526ec47b61f61977e25fab2e8c879884cfd57fec
SHA1 hash: 1555712d7f56f64a7c8c5076ca67022a2a140103
MD5 hash: 816dd8b601ee365db21c9ecf3b448098
humanhash: arizona-georgia-sweet-skylark
File name: Setup.exe
Signature: LummaStealer
File size: 450'048 bytes
First seen: 2024-03-18 05:16:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:4hl6C8zKLhxs95ewR//TEGxCHZheI+h3FfMKvvuA3gmLh/3DCAMWTrB:4Dz1xUew5KQtFfzxgmLh/D/RT
TLSH T15CA4BFE4527BCA76DBDC03FC60626A0197BC4A85DBD3F708981448FA8C16792D5239FB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter tcains1
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 438
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 26abd887a2ace236890b4d89a2fc7f3499609d885f1f314afa8b8e4542d15dbe.exe
Verdict: Malicious activity
Analysis date: 2024-03-18 05:18:41 UTC
Tags: lumma stealer loader xmrig

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Moving a file to the Program Files subdirectory
Replacing files
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: infostealer lumma net_reactor packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, PureLog Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1410569
Sample: Setup.exe
Start date: 18/03/2024
Architecture: WINDOWS
Score: 100

Domains contacted: pastebin.com, doughmebinnybunio.shop, joxi.net
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; Connects to a pastebin service (likely for C&C); 20 other signatures

Process tree (parent -> child), with per-process network contacts, dropped files and signatures as recorded in the graph:

Setup.exe
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 3 other signatures
  -> RegAsm.exe
       Network: 195.20.16.153 (ports 49712, 49726, 49727; EITADAT-ASFI, Finland); doughmebinnybunio.shop 172.67.160.108:443 (ports 49705, 49706; CLOUDFLARENETUS, United States)
       Dropped: C:\Users\user\...\ZDYJN94CIGAHE4ZE.exe (PE32); C:\Users\user\...\DUBBLSAJPH1Y78CO44TLL8.exe (PE32)
       Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
       -> DUBBLSAJPH1Y78CO44TLL8.exe
            Dropped: C:\Users\user\AppData\Local\Temp\...\7z.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\7z.dll (PE32+)
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to register a low level keyboard hook
            -> cmd.exe
                 -> Installer.exe
                      Network: joxi.net 172.67.162.70:443 (ports 49723, 49724; CLOUDFLARENETUS, United States)
                      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; Contains functionality to detect sleep reduction / modifications
                      -> RegSvcs.exe
                           Network: pastebin.com 104.20.68.143:443 (port 49725; CLOUDFLARENETUS, United States)
                           Dropped: C:\ProgramData\Dllhost\winlogson.exe (PE32+); C:\ProgramData\Dllhost\WinRing0x64.sys (PE32+)
                           Signatures: Sample is not signed and drops a device driver
                           -> cmd.exe
                                Signatures: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
                                -> powershell.exe
                                     -> WmiPrvSE.exe
                                -> conhost.exe
                           -> cmd.exe
                                -> conhost.exe
                                -> schtasks.exe
                           -> cmd.exe
                                -> conhost.exe
                 -> 7z.exe
                      Dropped: C:\Users\user\AppData\Local\...\Installer.exe (PE32)
                 -> conhost.exe
                 -> 4 other processes
       -> ZDYJN94CIGAHE4ZE.exe
            Dropped: C:\Users\user\AppData\...\kwweifjdskdv.exe (PE32); C:\Users\user\AppData\...\Protect544cd51a.dll (PE32)
            Signatures: Suspicious powershell command line found; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
            -> RegSvcs.exe
                 Network: 45.15.156.43:80 (port 49716; RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
                 Dropped: C:\ProgramData\Corporation\recovery.dat (DOS)
            -> powershell.exe
                 -> conhost.exe
  -> conhost.exe
Threat name: ByteCode-MSIL.Trojan.LummaStealer
Status: Malicious
First seen: 2024-03-17 20:10:00 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 22 of 23 (95.65%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:lumma family:zgrat rat stealer
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detect ZGRat V1
Lumma Stealer
ZGRat
Malware Config
C2 Extraction:
https://doughmebinnybunio.shop/api
https://colorfulequalugliess.shop/api
Unpacked files
SHA256 hash: 033af2c4efa6c3c65cdb997fbe7963a8984c502c46ebed96a0ff49350e9e1624
MD5 hash: c2a27078d6917173d8a6500e334f1c91
SHA1 hash: af958b0c33dd961cf1098e95c5c33d81788b4ece

SHA256 hash: 26abd887a2ace236890b4d89a2fc7f3499609d885f1f314afa8b8e4542d15dbe
MD5 hash: 816dd8b601ee365db21c9ecf3b448098
SHA1 hash: 1555712d7f56f64a7c8c5076ca67022a2a140103
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 26abd887a2ace236890b4d89a2fc7f3499609d885f1f314afa8b8e4542d15dbe

(this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Comments