MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c
SHA3-384 hash: 9fb7997cd75e8046d21453cc149d0b22c1d99cbcf1b16744ab10810317cf03523cb47026240fdc0fad04d990f10519e4
SHA1 hash: 39f9c46ed50c91ed254613f66e92e54efc25c0de
MD5 hash: 0f333d1dc472f44255bd3cfccbdf0653
humanhash: california-hot-steak-pennsylvania
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:4'313'504 bytes
First seen:2023-09-09 14:09:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 3 x NetSupport, 2 x ConnectWise)
ssdeep 98304:o9iZasQra4ios7RjnRU4UApr2Y54eRlwY74Eagb:fZa5+osNbxrkUlwY7
Threatray 32 similar samples on MalwareBazaar
TLSH T141166C31324AC52FE96201B0192C9A9B552CBF760BB254CBB3DC2E7E1BB55C21736E17
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter monitorsg
Tags:ClearFake exe LummaStealer signed

Code Signing Certificate

Organisation:Blogger.com
Issuer:Blogger.com
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-05T21:13:57Z
Valid to:2024-09-05T21:33:57Z
Serial number: 476cac169be7169847a72de486a561ca
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: caa1e87aea285af62cc7ea7045c819f4e78489186609389630847ac7b2d27330
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
monitorsg
hXXps://ziucsugcbfyfbyccbasy[.]com/vvmd54/ (Injected) --> hXXps://ziucsugcbfyfbyccbasy[.]com/ZgbN19Mx (Keitaro) --> hXXps://ziucsugcbfyfbyccbasy[.]com/lander/chrome/_index.php (landing) --> hXXps://stats-best[.]site/fp.php (fingerprint) --> hXXps://ucee34789ea9be39b529507e86a9.dl.dropboxusercontent[.]com (download)

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-09 14:12:12 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/295738e1-5657-474e-8f42-c9fb160e744c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447634/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Searching for the window
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Gathering data
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/27d71daa-3ebb-4bc5-95a5-868f1e93a0b8
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306680
Signature
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
Installs a MSI (Microsoft Installer) remotely
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1306680 Sample: file.exe Startdate: 09/09/2023 Architecture: WINDOWS Score: 100 71 tse1.mm.bing.net 2->71 95 Snort IDS alert for network traffic 2->95 97 Found malware configuration 2->97 99 Yara detected LummaC Stealer 2->99 101 2 other signatures 2->101 9 mergecap.exe 11 2->9         started        12 msiexec.exe 16 41 2->12         started        16 file.exe 22 2->16         started        signatures3 process4 dnsIp5 53 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32+ 9->53 dropped 55 C:\Users\user\AppData\...\wiretap-1.8.0.dll, PE32+ 9->55 dropped 57 C:\Users\user\AppData\...\mergecap.exe, PE32+ 9->57 dropped 65 5 other files (1 malicious) 9->65 dropped 18 mergecap.exe 2 9->18         started        21 conhost.exe 9->21         started        73 104.21.44.214, 443, 49732 CLOUDFLARENETUS United States 12->73 59 C:\Windows\Installer\MSI7139.tmp, PE32 12->59 dropped 61 C:\Windows\Installer\MSI6EB4.tmp, PE32 12->61 dropped 63 C:\Windows\Installer\MSI6E56.tmp, PE32 12->63 dropped 67 12 other files (8 malicious) 12->67 dropped 103 Performs DNS queries to domains with low reputation 12->103 105 Drops executables to the windows directory (C:\Windows) and starts them 12->105 23 msiexec.exe 12->23         started        25 msiexec.exe 12->25         started        27 MSI7139.tmp 12->27         started        75 pinnacleopensource.xyz 172.67.203.236, 443, 49728, 49729 CLOUDFLARENETUS United States 16->75 77 windowsupdatebg.s.llnwi.net 16->77 69 5 other malicious files 16->69 dropped 107 Installs a MSI (Microsoft Installer) remotely 16->107 29 cmd.exe 1 16->29         started        31 msiexec.exe 16->31         started        file6 signatures7 process8 signatures9 83 Writes to foreign memory regions 18->83 85 Maps a DLL or memory area into another process 18->85 33 cmd.exe 2 18->33         started        87 Uses cmd line tools excessively to alter registry or file data 29->87 89 Found hidden mapped module (file has been removed from disk) 29->89 37 conhost.exe 29->37         started        39 cmd.exe 1 29->39         started        41 cmd.exe 1 29->41         started        43 2 other processes 29->43 process10 file11 51 C:\Users\user\AppData\Local\...\qiupvanxclot, PE32 33->51 dropped 91 Injects code into the Windows Explorer (explorer.exe) 33->91 93 Writes to foreign memory regions 33->93 45 explorer.exe 12 33->45         started        49 conhost.exe 33->49         started        signatures12 process13 dnsIp14 79 104.21.1.50, 49758, 49760, 49762 CLOUDFLARENETUS United States 45->79 81 follovertv.fun 172.67.128.138, 49756, 49764, 49779 CLOUDFLARENETUS United States 45->81 109 System process connects to network (likely due to code injection or exploit) 45->109 111 Query firmware table information (likely to detect VMs) 45->111 113 Found many strings related to Crypto-Wallets (likely being stolen) 45->113 115 Tries to harvest and steal browser information (history, passwords, etc) 45->115 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Suspicious
First seen:
2023-09-09 14:10:07 UTC
File Type:
PE (Exe)
Extracted files:
85
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjlzqnndvm56kloib2skg5ybyquu3x5reh4e2sworphtfgob2koa._file
Verdict:
malicious
Similar samples:
04b99b0b9a0e98d04478003c86bf4fa3d20c56313c716b62e7be74ae7b95bf70
LummaStealer
b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959
LummaStealer
bd043af859a796897462ed7a5aadb1c4a145f67f01a00c49b45a4b80564da6bb
LummaStealer
c9094685ae4851fd5a5b886b73c7b07efd9b47ea0bdae3f823d035cf1b3b9e48
LummaStealer
dbf9cc65461c7bc650938156d3751d4ae0ce4312d3899f747e590767c0ef0408
LummaStealer
e6ea06c6f7b53007e854e986734e79bb0dd84680611e9a3ee9e586cc7a964bd2
LummaStealer
e728a9ec09d7e49171144459b742ee41dabaf206970d2a2260694204cd1f5161
LummaStealer
f2e2427107648e8d7be5f4e42341c702ceddb442191434128cbbf15c0325d8e9
LummaStealer
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/230909-rf4vhsbf87/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Use of msiexec (install) with remote resource
Blocklisted process makes network request
Unpacked files
SH256 hash:
32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c
MD5 hash:
0f333d1dc472f44255bd3cfccbdf0653
SHA1 hash:
39f9c46ed50c91ed254613f66e92e54efc25c0de
Link:
https://www.unpac.me/results/cde8fa25-decf-495c-af48-dce4b8765221/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c

(this sample)

  
Link
https://infosec.exchange/@monitorsg/111035582856109219
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447634/

Comments