MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912
SHA3-384 hash: f05c0fd789a8cbc2e1fecd62c2c9dc133767550955d44e67a0f8d34e8ae86fd4d500bfc9a7ac1f613d4e604cda4eb571
SHA1 hash: 71093fd05686d6202bf4144f94920deefe551f96
MD5 hash: 05f42a351356393179165a84086f8c07
humanhash: neptune-asparagus-pizza-oregon
File name:furra.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:8'397'824 bytes
First seen:2025-02-08 17:09:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'075 x AgentTesla, 20'033 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 98304:s4IeiLEkjp/ABP9X6OmtVtNjgpiM+txC1xcTP8cY1JusPWBGu7oBCN7c4J+Rt+x9:s4tCpwJcY1JufL7oBH2IQxLLiU6
Threatray 1'384 similar samples on MalwareBazaar
TLSH T1C086592D63326C9AF3D20764D564B5A597240B2A7C27CFF58A93056D8D20E39D0B83BF
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:CryptBot exe LummaStealer


Avatar
iamaachum
https://github.com/legendary6911331/fffff/releases/download/dfdf/furra.exe

CryptBot Botnet: 20
CryptBot C2: http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805

Intelligence

File Origin
# of uploads :
1
# of downloads :
454
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-01-18 10:40:38 UTC
Tags:
amadey botnet stealer loader lumma auto stealc gcleaner cryptbot github generic themida tofsee autoit credentialflusher python telegram rdp
Link:
https://app.any.run/tasks/7f50c837-3ca0-4299-a44e-99fae283148e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilzilla-10018301-0
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/078f3d3e-4f19-49cd-82bd-0e5d996161f9
Result
Threat name:
LummaC, Cryptbot, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1610179
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Cryptbot
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-01-17 04:11:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ffm76c7zq2655nlkx4xvjuyozxekmrjrdo5gyz2pblw2vj2zjeja._file
Verdict:
malicious
Label(s):
cryptbot
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
4648e37901ccb1b4cc76c67a6d13d13d4233233bc8ef0f167f411821e682ba01
LummaStealer
7f1866e114a151362b538758b913a10dc2f9096694ed92aba0f9ccc062c95975
LummaStealer
c82b47ea3e67015d88b53cc87fc58657709ba3c0779f588d4a5cdaecf35c5e04
LummaStealer
edf2c8f079ea86db42b12764171511feadcfb170839dd1b2af48b408e9b75121
LummaStealer
error
LummaStealer
f547e0496838c475776821a193912e485805fb40644ba6d089a798a1edbc35ba
LummaStealer
+ 1'374 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250208-vn982sxpcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Embeds OpenSSL
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Enumerates VirtualBox registry keys
CryptBot
Cryptbot family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://berserkyfir.click/api
http://home.twelveff20pn.top/HfqvZFTxgmZzemQbMMGA1736773805
Verdict:
Malicious
Tags:
Win.Packed.Msilzilla-10018301-0
YARA:
n/a
Link:
https://app.threat.zone/submission/a5adf9ca-76f0-4421-ab88-44348229165c
Unpacked files
SH256 hash:
2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912
MD5 hash:
05f42a351356393179165a84086f8c07
SHA1 hash:
71093fd05686d6202bf4144f94920deefe551f96
Detections:
win_lumma_a0
Create hunting rule
Link:
https://www.unpac.me/results/36f5f0ff-7efa-41f2-ad89-8272ce491c4f/
SH256 hash:
5de30b387460d6d0d96a3d826468b20affff2e29ce0a33c93028f70795f11d34
MD5 hash:
1dcfec4d9eabe4f165e805082a3b5310
SHA1 hash:
f39fab853ee31ff96471ed8128549e26bdcceabe
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/36f5f0ff-7efa-41f2-ad89-8272ce491c4f/
SH256 hash:
b3b4b36c0fd0c6bfb032c2c584ae259a4da90724c3fd773127fad386a2113feb
MD5 hash:
a8fc72ca1fd62ec5134f7fb0549b74f4
SHA1 hash:
ff2ccc9c26a4bbfe2428fbac1647f0678d6dd89e
Detections:
CryptBot
Create hunting rule
Link:
https://www.unpac.me/results/36f5f0ff-7efa-41f2-ad89-8272ce491c4f/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2959ff0bf986/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:shortloader
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:ShortLoader Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 2959ff0bf986bddeb56abf2f54d30ecdc8a645311bba6c674f0aedaaa7594912

(this sample)

  
Link
https://tria.ge/250208-vf35rswkax/behavioral2
  
Dropped by
Amadey
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments