MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56b595884990bb8b2ca455ccc13f376d7d6db15b55fe44c89bf670e1839f3945. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	56b595884990bb8b2ca455ccc13f376d7d6db15b55fe44c89bf670e1839f3945
SHA3-384 hash:	950e1fcf9865520b25943c222cb3cc5514aa77581f4c40b12ee7e74778e2c140446586b182005ea92d34e13a24fb0892
SHA1 hash:	edd7a9261f6a19a6b89ff4007e5e593d83159892
MD5 hash:	7a6f63cf039ffff9fe1fa04dac047e52
humanhash:	blossom-quebec-texas-nineteen
File name:	SecuriteInfo.com.Win32.RATX-gen.12409.6334
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	9'990'656 bytes
First seen:	2024-10-23 10:35:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	196608:ppZR18/Li1SyzpFy9OLyVZuAxGEdovBR5b96buCv9f60CmQJN+:jewSyzK9JVZ5xvU903v9i0NwN
Threatray	1'498 similar samples on MalwareBazaar
TLSH	T130A62303FB658971D35A6B36D5AB01054FB9E5CA7223C70F748B1BAB2887B65EC04B07
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

395

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.RATX-gen.12409.6334

Verdict:

Malicious activity

Analysis date:

2024-10-23 10:51:15 UTC

Tags:

purecrypter netreactor

Link:

https://app.any.run/tasks/57b14923-d133-4631-8dba-02340d62a1dd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.12409.6334.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6718d2629e67c246820376e5

Tags:

shellcode

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/56b595884990bb8b2ca455ccc13f376d7d6db15b55fe44c89bf670e1839f3945

Result

Verdict:

SUSPICIOUS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a3afb40-9350-49a8-a01d-329b05fca65f

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1540097

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/56b595884990bb8b2ca455ccc13f376d7d6db15b55fe44c89bf670e1839f3945

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/56b595884990bb8b2ca455ccc13f376d7d6db15b55fe44c89bf670e1839f3945/

Threat name:

Win32.Spyware.Lummastealer

Status:

Malicious

First seen:

2024-10-20 04:18:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k22zlccjsc5ywlfekxgmcpzxnv6w3mk3kx7ejse36zyoda47hfcq._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

37e7b15bd9b8ace5fd0e0a61b942748c772c8892d4ea1a4b4769ee72a9021636

LummaStealer

56b595884990bb8b2ca455ccc13f376d7d6db15b55fe44c89bf670e1839f3945

LummaStealer

56deefa3e5f170c045ab28f8db2f5a0cac6038e6516662f3b277082320f441be

LummaStealer

7d6ecc4f0fd766ab53ce87180e20b34a8a8c33890fc77330727110b7fd8ca35a

LummaStealer

e248fadae0d118a037233f54168f9a19a6c17969e68dd1a09dd1f7a59474b93d

LummaStealer

error

LummaStealer

+ 1'488 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/241023-mm9xwsxckq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Lumma Stealer, LummaC

Suspicious use of NtCreateUserProcessOtherParentProcess

Malware Config

C2 Extraction:

https://conceptionnyi.sbs
https://platformcati.sbs
https://nervepianoyo.sbs
https://qualifielgalt.sbs
https://smashygally.sbs
https://fightyglobo.sbs
https://modellydivi.sbs
https://pioneeruyj.sbs

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/60fd5eda-c867-4afb-b30e-587e4f276cd2

Unpacked files

SH256 hash:

f77e45569638ad3701fdfa71a6fae80724f5bef5652ae2aadd70897b1a75f9c8

MD5 hash:

17627798ee7ec363c61ac1ddfe0d8cb8

SHA1 hash:

f001d20fd61f1a3261ce8aedd51e4bdb0793d8d1

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d3931e46-abb3-4ad7-9eae-98038c0d04d9/

SH256 hash:

56b595884990bb8b2ca455ccc13f376d7d6db15b55fe44c89bf670e1839f3945

MD5 hash:

7a6f63cf039ffff9fe1fa04dac047e52

SHA1 hash:

edd7a9261f6a19a6b89ff4007e5e593d83159892

Link:

https://www.unpac.me/results/d3931e46-abb3-4ad7-9eae-98038c0d04d9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/56b595884990bb8b2ca455ccc13f376d7d6db15b55fe44c89bf670e1839f3945

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample