MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 407190f2b9419fa424da63dd99ea669067e870c161c1cf05ab893b10fd1bb11c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	407190f2b9419fa424da63dd99ea669067e870c161c1cf05ab893b10fd1bb11c
SHA3-384 hash:	028d54da256fb57dd027d4dba9154de5cd980274a0d16d5cf846bb0bd648aba929453e2be49949ec94dbb455d056bff6
SHA1 hash:	16da556f595671292c27b14e1a10fcc8dc2e8a28
MD5 hash:	3301fb168edd9f04fd395ab3a6039f68
humanhash:	mockingbird-sierra-glucose-fanta
File name:	SecuriteInfo.com.FileRepMalware.29302.26686
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	7'733'760 bytes
First seen:	2025-02-11 09:53:10 UTC
Last seen:	2025-02-11 11:10:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	777ab48dc7b28664bc7f014cff892a29 (1 x LummaStealer)
ssdeep	49152:dsjuo5yck0hff/cc8elRfNhbdjkVUi9dLXANoSBiZW32S6H/E6IK:dsS4ycbhff/cpW
TLSH	T1D176A558BDEA9CC3DAC2D07DA5047BE6C9B77A6652934DF1C10E886CBE08E5D83D0385
TrID	30.2% (.EXE) Win64 Executable (generic) (10522/11/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4504/4/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	3271d4b6b6d47132 (11 x RedLineStealer, 2 x Adware.Generic, 2 x LummaStealer)
Reporter	SecuriteInfoCom
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

463

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

bb31b5c5ae12d8fd7b3c74d5fe5bcfe6.exe

Verdict:

Malicious activity

Analysis date:

2025-02-11 07:24:25 UTC

Tags:

amadey botnet stealer loader lumma xor-url generic themida cryptbot opendir stealc redline rat asyncrat remote lefthook credentialflusher auto telegram vidar gcleaner github evasion enigma antivm delphi quasar

Link:

https://app.any.run/tasks/d7b5af92-3fac-4c67-b572-4d7fb9839e5b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.29302.26686.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67ab1e7749f32dfb0d82f50c

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm embarcadero_delphi installer microsoft_visual_cc obfuscated packed

Link:

https://www.filescan.io/uploads/67ab4d46f03bdb5ce52434e5/reports/2ee25549-b68d-44a9-b1dd-f7f2714596f4/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/407190f2b9419fa424da63dd99ea669067e870c161c1cf05ab893b10fd1bb11c

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AtlasAgent

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a5197924-4bab-48e2-a18b-c8e0f09f9047

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1611941

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/407190f2b9419fa424da63dd99ea669067e870c161c1cf05ab893b10fd1bb11c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/407190f2b9419fa424da63dd99ea669067e870c161c1cf05ab893b10fd1bb11c/

Threat name:

Win32.Trojan.LummaC

Status:

Malicious

First seen:

2025-02-10 22:50:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ibyzb4vzigp2ijg2mpozt2tgsbt6q4gbmha46bnlre5rb7i3weoa._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/250211-lw87aasphn/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Downloads MZ/PE file

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b15fb555-4494-4aad-936c-9032635b9b8a

Unpacked files

SH256 hash:

407190f2b9419fa424da63dd99ea669067e870c161c1cf05ab893b10fd1bb11c

MD5 hash:

3301fb168edd9f04fd395ab3a6039f68

SHA1 hash:

16da556f595671292c27b14e1a10fcc8dc2e8a28

Link:

https://www.unpac.me/results/f0efe024-cfff-41d2-9ae5-d9985c4a9dcd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/407190f2b9419fa424da63dd99ea669067e870c161c1cf05ab893b10fd1bb11c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 407190f2b9419fa424da63dd99ea669067e870c161c1cf05ab893b10fd1bb11c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3435941/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::GetSystemInfo
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryInfoKeyA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample