MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49317d725402f77e1253f32873158186473a7daf785786b3b310fc9dc8ba6121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49317d725402f77e1253f32873158186473a7daf785786b3b310fc9dc8ba6121
SHA3-384 hash: 2571a15782da7b466d7a9dc9230c7cc9741510d19cdfc2a34e626a1e25ff387c3f9119abae6eaab4de7e8a6e120b1710
SHA1 hash: c10ac13c4971781eeea01991b0fec0d474c95a98
MD5 hash: 0e3c053cccd97dc93b91dc9ceb00be01
humanhash: oscar-xray-quebec-virginia
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'105'280 bytes
First seen:2024-11-07 19:40:45 UTC
Last seen:2024-11-07 21:29:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:TNmpb83iuPJexaH3AIOPJBimQ0qnYkoNw+c1zuAVtKu8lNpYzVNVA3TcAES7dsFr:BmpbQPoacPaGE1YlYzF1aSF5d
Threatray 110 similar samples on MalwareBazaar
TLSH T1A9E52991A40562CFD48A66F48427CD46FF5D42BCCB214CE3F9A8B0B97DAACC111B9D27
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
30
# of downloads :
416
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-07 19:43:10 UTC
Tags:
lumma stealer possible-phishing loader stealc
Link:
https://app.any.run/tasks/c3a39ab8-a874-4f05-9620-dbff4c4a273f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.15104.26074.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672d17d749e92a05dde3fed6
Tags:
shellcode exploit extens spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/672d17d283eea00c65721ea1/reports/3b32202a-2661-4aa7-adb4-8a52e85444bd/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/49317d725402f77e1253f32873158186473a7daf785786b3b310fc9dc8ba6121
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/51574314-ead6-473f-9f18-9072702ea2fb
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1551545
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/49317d725402f77e1253f32873158186473a7daf785786b3b310fc9dc8ba6121
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49317d725402f77e1253f32873158186473a7daf785786b3b310fc9dc8ba6121/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-07 19:41:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 38 (44.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jeyx24sual3x4est6muhgfmbqzdtu7nppblynm5tcd6j3sf2meqq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
0c758d04a07b2b2edbde835ad766ba81e2c4b3dcf31b7fbb58f779c85bb69290
LummaStealer
128057316ab024aa6ba98ea385f98c49a7b8b36dd5adad1dc453091982c60a45
LummaStealer
645269624d45d56841d9308f5a84440842e4a065e87162428a9de1a2ca6c49a6
LummaStealer
8b5edd0e5fa82341d230811e5885fdb3de8537fc8416e3a13a2ec32542fa61f0
LummaStealer
b2b8924bf8517aa536decc71dc9bb3147187284ddf4d1ddff24986ce08053a97
LummaStealer
b599415ee3535fa2b984b7960113d70825900a3aefa3636fa6079419f71c4186
LummaStealer
d470c37e2ec5e94610b152fcba101178d488a280200233dca2704f04377cd62c
LummaStealer
e2bd2ba1f6d31950c1cb3da043adcfe1f90e67d2ceab30a420c61e7d4ca075c4
LummaStealer
eda98cb76067e775429795b3610ccf6226395c47f0da17f107182b61741c891f
LummaStealer
error
LummaStealer
fdef385c18f52c3ecfe3a8c2b71274cd7110cf15ac134d79d97874481646cd77
LummaStealer
+ 100 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241107-yd3yrszqbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://founpiuer.store/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9f772a97-bbf5-4a6e-af8f-eb6a24e70382
Unpacked files
SH256 hash:
db02bbf13a7b59abb198015e15fd7635deea53fa968ff9c97a4ab652bd2da478
MD5 hash:
fb60b50d5452f5ba4969236409ea2759
SHA1 hash:
6f34b27e81a38c9c8b12634d5785542ef8055599
Link:
https://www.unpac.me/results/07f7308f-77c6-4242-8ea5-a7dcc678c0d1/
SH256 hash:
49317d725402f77e1253f32873158186473a7daf785786b3b310fc9dc8ba6121
MD5 hash:
0e3c053cccd97dc93b91dc9ceb00be01
SHA1 hash:
c10ac13c4971781eeea01991b0fec0d474c95a98
Link:
https://www.unpac.me/results/07f7308f-77c6-4242-8ea5-a7dcc678c0d1/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49317d725402/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49317d725402f77e1253f32873158186473a7daf785786b3b310fc9dc8ba6121

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 49317d725402f77e1253f32873158186473a7daf785786b3b310fc9dc8ba6121

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments