MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b
SHA3-384 hash: 98d0ad225282c79c287d883ac25c66a0ea59f8934393b19dc5cd5bf010bf5ebbfa79a75cf51c9adce743e91fbf7c987e
SHA1 hash: 210a98e600635e5037af9218c42a6af2a3a1a5f1
MD5 hash: f7da840e557061558d686d692ba033e3
humanhash: winter-nuts-mexico-sierra
File name:f7da840e557061558d686d692ba033e3.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:562'216 bytes
First seen:2024-10-18 11:48:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 39a5f7fa9f5c10de8f3718b5b2b8bc8f (3 x LummaStealer, 1 x Vidar)
ssdeep 12288:92U8jcZdLsq/Jdo6/HR+vYj2zSQvD7pUEn83CEO:wjcTLbJdDHR+wj2Wy7pKyt
Threatray 15 similar samples on MalwareBazaar
TLSH T131C402027AD14472E5B25A320535DA629B7EFC300E608DDF635866BF6F703C2CA69D27
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
383
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f7da840e557061558d686d692ba033e3.exe
Verdict:
Malicious activity
Analysis date:
2024-10-18 11:59:12 UTC
Tags:
lumma stealer exfiltration
Link:
https://app.any.run/tasks/5050d3e6-eb49-42ea-8efd-afcb014e4a0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Lumma.707.20194.23034.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67124b35e706a56b5a02bea7
Tags:
Injection Exploit Obfusc
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ce9c9c11-861b-49c6-821a-49f655b46d99
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1537036
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b/
Threat name:
Win32.Trojan.StealC
Create hunting rule
Status:
Malicious
First seen:
2024-10-18 11:49:10 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3ug32dvripdkdrw4sjx4pyoudgwhweyimquwt7cq3abe6bhi5vq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
1cb4ec0583c249bde7a222e8ca0d0018412a6a684c11d3019aba91c0a140d091
LummaStealer
4d184ef7c146700fd5bd1b81ac009ebe4cf6391e8cfdb82156f6326922abeb67
LummaStealer
4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b
LummaStealer
5a665f7a7d1c8ebc81dd0d767325e15e69ecd8b3cc672421f6b74ad554081f65
LummaStealer
7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498
LummaStealer
a573d737dd0f3f039762d34c1e05536e82370570986a7e05c8c21a5da6e72864
LummaStealer
d76c47511e1e7bd2719d404f1e62e0e6e69ee8db631f6c19ac863a4fbd38056d
LummaStealer
error
LummaStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/241018-ny2akaxgqk/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://conceptionnyi.sbs
https://platformcati.sbs
https://nervepianoyo.sbs
https://qualifielgalt.sbs
https://smashygally.sbs
https://fightyglobo.sbs
https://modellydivi.sbs
https://pioneeruyj.sbs
https://underlinefiue.sbs
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9f122769-e9cf-4a80-83ab-5186dedddac6
Unpacked files
SH256 hash:
38ef332c58cbcca62a7e8b193eb9ec78f46b8dba93ca5c9af246357e48b6a302
MD5 hash:
010509d28032082f9b90f8bb8d229421
SHA1 hash:
2fe3ef40152068a72735650ca1ce9d3c95f62864
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/1ee43dff-0edb-4b4e-827f-4c9631653da8/
Parent samples :
7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498
90063167aaf36431f1f81b05ecd37a67742948594e87fee8f6ac3b9167675c40
4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b
5a665f7a7d1c8ebc81dd0d767325e15e69ecd8b3cc672421f6b74ad554081f65
71527d46d6782df79cda9916bc582da504587add2b03daf87ce3a9fc88cde027
f67a453c7486224c13b7047ba6f03ee9d20635c18564da76102f0a5174a4260d
SH256 hash:
209f852480bddcb294f51ee450f4ad981720bf0238d7ab4178c23ca126853e1f
MD5 hash:
f2d3a07530ad9423e20f0285c26ab592
SHA1 hash:
e536e242bfa9334c8b15c82a62026d21678aa1c4
Link:
https://www.unpac.me/results/1ee43dff-0edb-4b4e-827f-4c9631653da8/
SH256 hash:
96d391463ccdc3c16f4f1e0737220b6b4e981d70ef56191524e4d4c5dae6f979
MD5 hash:
f082a6bd22bbc29ea3d78fffd76805f5
SHA1 hash:
5e449b561d88415f89ba576d0259f6e4bc156147
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/1ee43dff-0edb-4b4e-827f-4c9631653da8/
SH256 hash:
6f811d91533670728320168be3e75665ce944c6695b1e95e0a4d980add0b028a
MD5 hash:
ca278cc13deb9ab494e036a4cc233b40
SHA1 hash:
59ca431458a82668ff7ce23f27bd827a4572a10b
Link:
https://www.unpac.me/results/1ee43dff-0edb-4b4e-827f-4c9631653da8/
SH256 hash:
4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b
MD5 hash:
f7da840e557061558d686d692ba033e3
SHA1 hash:
210a98e600635e5037af9218c42a6af2a3a1a5f1
Link:
https://www.unpac.me/results/1ee43dff-0edb-4b4e-827f-4c9631653da8/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ee86de8758a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3237137/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments