MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43ffd1d60c05d7b75c4fba5f21cad771f98e6c42af01b767e574143603546579. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	43ffd1d60c05d7b75c4fba5f21cad771f98e6c42af01b767e574143603546579
SHA3-384 hash:	dc15a3b63ba5a26b75af7c59af37f9cdc7a96eb8df1d36c2634c2657fe8ae95d1eaeaf4dafa36f2976c6eabf34ae47d7
SHA1 hash:	778a438bb451fb333adfe44c00ac8765bdeff1ef
MD5 hash:	72495bc5ddc3bd55a1f0c69fe26b528a
humanhash:	spring-robin-coffee-wisconsin
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	2'994'688 bytes
First seen:	2024-10-29 13:09:09 UTC
Last seen:	2024-10-29 14:36:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:W237ptIOL0tOe24MpVw19yB+DFVeZiUoc+TyF:ZrptIOL04e24MpV49yMVeZm9WF
TLSH	T102D56CE1B90472CFE49E17B88927DE46592C47B52B1049C3ED6C647EBD73CC12ABAC18
TrID	42.7% (.EXE) Win32 Executable (generic) (4504/4/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	exe LummaStealer

Bitsight

url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin

# of uploads :

# of downloads :

417

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-10-29 13:10:02 UTC

Tags:

loader

Link:

https://app.any.run/tasks/574fcf57-b1a6-4fb1-8eee-7e7d6ef9ea4e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.28100.10387.UNOFFICIAL

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6720deb25928ee28d55ea437

Tags:

Shellcode Exploit Extens Spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for analyzing tools

Connection attempt to an infection source

Behavior that indicates a threat

DNS request

Connection attempt

Sending a custom TCP request

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed packed packer_detected

Link:

https://www.filescan.io/uploads/6720deab2734cb737d8fb0d6/reports/3216a167-234a-4487-a447-8a3afc32a9d7/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/43ffd1d60c05d7b75c4fba5f21cad771f98e6c42af01b767e574143603546579

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/968b7418-971e-4692-b8a4-1cf64ec61ebb

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1544501

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/43ffd1d60c05d7b75c4fba5f21cad771f98e6c42af01b767e574143603546579

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/43ffd1d60c05d7b75c4fba5f21cad771f98e6c42af01b767e574143603546579/

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2024-10-29 13:10:06 UTC

File Type:

PE (Exe)

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ip75dvqmaxl3oxcpxjpsdswxoh4y43ccv4a3oz7foqkdma2umv4q._file

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery evasion stealer

Link:

https://tria.ge/reports/241029-qectzawapj/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/76a3f072-7971-4818-af8c-21a3ca13f90e

Unpacked files

SH256 hash:

2ecb369dd5078c28b6be1a5cb94b1d8410e3a89246fca76b683572ca958fe988

MD5 hash:

8a852da14fa180e51b48eda8b1762a60

SHA1 hash:

760a0993a68bc6e8c6b7857c7b75d79591ee57d5

Link:

https://www.unpac.me/results/fcea2bf0-1397-42be-a2e9-f0bcf246e6cc/

SH256 hash:

43ffd1d60c05d7b75c4fba5f21cad771f98e6c42af01b767e574143603546579

MD5 hash:

72495bc5ddc3bd55a1f0c69fe26b528a

SHA1 hash:

778a438bb451fb333adfe44c00ac8765bdeff1ef

Link:

https://www.unpac.me/results/fcea2bf0-1397-42be-a2e9-f0bcf246e6cc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43ffd1d60c05d7b75c4fba5f21cad771f98e6c42af01b767e574143603546579

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 43ffd1d60c05d7b75c4fba5f21cad771f98e6c42af01b767e574143603546579

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

Dropped by

Amadey

Dropped by

Amadey

Delivery method

Distributed via web download

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample