MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2
SHA3-384 hash:	970f30d64213c789cf9c670beebaec7280c4c0b7cf95759222ee92dc0f814c0e2ab3a9ac4a6736a1df003e407610c342
SHA1 hash:	e222920bddb6a6959a79541f7d866a7087048472
MD5 hash:	2a302c859a9ad3a02c688e9f812221be
humanhash:	butter-hawaii-lactose-oranges
File name:	2a302c859a9ad3a02c688e9f812221be.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	5'776'384 bytes
First seen:	2024-05-28 14:21:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	89c8abd38fd3ffc06ee06d01f9b3cbbf (7 x LummaStealer, 2 x RaccoonStealer)
ssdeep	98304:2W5kzFFGFU5S71sl34ugqQLtD7Yiipo/58b5UYDPQRA7b9uXyZJSgx7GbGNH:zwp5G2nQ7Yiipo/AVDPQm7b9uO5Zm
TLSH	T10046233B13550184E2D8C939CA37BED571F3437EDBC068BD6AEBE9C516168E49223A43
TrID	42.7% (.EXE) Win32 Executable (generic) (4504/4/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

358

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2.exe

Verdict:

Malicious activity

Analysis date:

2024-05-28 14:23:49 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/3649c39d-d077-42a8-b467-37d1d46e336c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Vmprotect-10026625-0

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6655e89b3d0e5a324e765425win7simulatehigh_evasion

Tags:

Xpack

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed packed packed vmprotect xpack

Link:

https://www.filescan.io/uploads/6655e88f9c0b71aaf52a2c4d/reports/d860ce9c-561b-4f59-a536-7c0001c76471/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c43787df-4212-4998-a894-d6f132ce04de

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1448918

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected VMProtect packer

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2/

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2024-05-28 13:07:46 UTC

File Type:

PE (Exe)

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kfaj5fnws3s4f2gxodj7vuuzo3cklzp7kt47yxvcebrns7k4ntja._file

Verdict:

malicious

Label(s):

raccoon

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma stealer vmprotect

Link:

https://tria.ge/reports/240528-rpj7gagg5z/

Behaviour

Suspicious behavior: EnumeratesProcesses

VMProtect packed file

Lumma Stealer

Malware Config

C2 Extraction:

https://detailbaconroollyws.shop/api
https://horsedwollfedrwos.shop/api
https://patternapplauderw.shop/api
https://understanndtytonyguw.shop/api
https://considerrycurrentyws.shop/api
https://messtimetabledkolvk.shop/api
https://deprivedrinkyfaiir.shop/api
https://relaxtionflouwerwi.shop/api

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/af03b54e-69cd-4669-8260-8f5969473dbd

Unpacked files

SH256 hash:

51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2

MD5 hash:

2a302c859a9ad3a02c688e9f812221be

SHA1 hash:

e222920bddb6a6959a79541f7d866a7087048472

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/7037f3d4-3409-4114-b99f-34399c1510ce/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 51409e95b696e5c2e8d770d3fad29976c4a5e5ff54f9fc5ea22062d97d5c6cd2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2866970/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample