MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47a1bbb47ede2daa62558515a9a4e98410a8b2d7c9e74fe5c45783969c48be39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15

SHA256 hash: 47a1bbb47ede2daa62558515a9a4e98410a8b2d7c9e74fe5c45783969c48be39
SHA3-384 hash: 470b1ba8262a802ac8b39d7fc57f1081ecd2fa3b5c85dc73c1e66885a1bc4669eddbaf3048e8440ab76356e2caf29136
SHA1 hash: d5c7e9b3bc28e876ae223f9a6dd9b4d7f6cda9fd
MD5 hash: 1dfda6fc13c7efab9f6148e7339ab80c
humanhash: solar-sink-happy-stream
File name: orderconfirmation.exe
Signature: LummaStealer
File size: 3'678'161 bytes
First seen: 2024-09-26 14:01:24 UTC
Last seen: 2024-11-21 12:41:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep: 49152:+pz3iNJsAL41DAd5HF9rE1CNcwpXwC4wvNys3qPbaNraNZGDniQgWHGXUTuSq:+pCsA8q/HFZEoNBpXoijL5cWmR
TLSH: T17406330637C9C5F2C924CA729F17EF994632F36639C44BC726968E465CE32A183437E9
TrID:
  38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
  4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter: Anonymous
Tags: 77-105-161-194 exe LummaStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 461
Origin country: US

Vendor Threat Intelligence

Malware family: netsupport
ID: 1
File name: orderconfirmation.exe
Verdict: Malicious activity
Analysis date: 2024-09-26 14:02:34 UTC
Tags: lumma stealer netsupport unwanted remote
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: Encryption Trojan Vmdetect Alien
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Behavior that indicates a threat
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: epmicrosoft_visual_cc fingerprint installer lolbin masquerade microsoft_visual_cc overlay packed shell32
Result
Verdict: UNKNOWN
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph (ID: 1519505; Sample: orderconfirmation.exe; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100)
Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus detection for dropped file; 5 other signatures
Process tree:
- orderconfirmation.exe (started)
  - dropped: C:\Users\user\AppData\Local\...\Virtual.exe (PE32+); C:\Users\user\AppData\Local\Temp\VBoxRT.dll (PE32+); C:\Users\user\AppData\Local\...\VBoxDDU.dll (PE32+); 2 other files (none is malicious)
  - Virtual.exe (started)
    - dropped: C:\Users\user\AppData\Roaming\...\Virtual.exe (PE32+); C:\Users\user\AppData\Roaming\...\VBoxRT.dll (PE32+); C:\Users\user\AppData\Roaming\...\VBoxDDU.dll (PE32+); 2 other files (none is malicious)
    - signatures: Found direct / indirect Syscall (likely to bypass EDR)
    - Virtual.exe (started)
      - signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
      - cmd.exe (started)
        - dropped: C:\Users\user\AppData\...\ckmfqeimpicbuy (PE32)
        - signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); 3 other signatures
        - explorer.exe (started)
          - signatures: Switches to a custom stack to bypass stack traces
        - conhost.exe (started)
Threat name: Win32.Spyware.Lummastealer
Status: Malicious
First seen: 2024-09-26 14:02:06 UTC
File Type: PE (Exe)
Extracted files: 54
AV detection: 16 of 24 (66.67%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:lumma discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature    | File type      | SHA256
Web download    | LummaStealer | Executable exe | 47a1bbb47ede2daa62558515a9a4e98410a8b2d7c9e74fe5c45783969c48be39 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                 | Title                                                    | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                     | high
CHECK_NX           | Missing Non-Executable Memory Protection                 | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection | high
Reviews

ID                | Capabilities                      | Evidence
COM_BASE_API      | Can Download & Execute components  | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SHELL_API         | Manipulates System Shell           | SHELL32.dll::ShellExecuteExW, SHELL32.dll::ShellExecuteW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads     | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                  | KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API   | Can Create Files                   | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API      | Performs GUI Actions               | USER32.dll::CreateWindowExW
