MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 15



SHA256 hash: 584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc
SHA3-384 hash: a411ac6c0ec23c8d0716af3c97041a17cc49701b704b9c82e1272380502f1c067e75ab37fe292e8eb9d992b41442fade
SHA1 hash: b43da7a9785fb47cc1174bb4a896866fbb1a0df0
MD5 hash: 30772bcce9852eb58cf05a75bcdce2f9
humanhash: spaghetti-india-friend-fourteen
File name: 30772bcce9852eb58cf05a75bcdce2f9
Signature: LummaStealer
File size: 6'198'600 bytes
First seen: 2024-07-02 04:44:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep: 98304:+pYdpXlLQCWYPzgXWx4qMO3X81hMTuJDdoi37BtYaCCKuZ5qM3g3b9LSsSuIAERN:+pGdbhgXWxRMO3XsmuxddCdoU3J7SuIR
Threatray: 1 similar samples on MalwareBazaar
TLSH: T18A56335273C818F4CEB0EA729F05D75C46FBFB852601AE43A35B2EA81DC35A4651B1EC
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter: zbetcheckin
Tags: 32 exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 413
Origin country: FR

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe
Verdict: Malicious activity
Analysis date: 2024-07-02 05:26:46 UTC
Tags: hijackloader loader lumma stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: Encryption Trojan Nekark

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Launching a process
DNS request
Unauthorized injection to a system process
Enabling autorun by creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Valve Corporation
Verdict: Suspicious

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph (graph image not reproduced; ID 1465836, sample 4OVYJHCTFA.exe, start date 02/07/2024, architecture WINDOWS, score 100):
Process chain recoverable from the graph: 4OVYJHCTFA.exe starts EASteamProxy.exe, which starts a second EASteamProxy.exe, which starts cmd.exe; cmd.exe then starts explorer.exe and conhost.exe. A separately launched EASteamProxy.exe instance follows the same cmd.exe -> explorer.exe / conhost.exe chain.
Dropped files: C:\Users\user\AppData\...\vcruntime140_1.dll, C:\Users\user\AppData\...\vcruntime140.dll and C:\Users\user\AppData\...\steam_api64.dll (all PE32+), 7 other malicious files, C:\Users\user\AppData\Local\Temp\tbh (PE32) and C:\Users\user\AppData\Local\...\gqnmaqicmbds (PE32).
Signatures attached to graph nodes: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR); Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Switches to a custom stack to bypass stack traces.
Threat name: Win32.Spyware.Lummastealer
Status: Malicious
First seen: 2024-06-20 18:57:46 UTC
File Type: PE (Exe)
Extracted files: 32
AV detection: 19 of 24 (79.17%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files

SHA256 hash: 4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e
MD5 hash: ad2735f096925010a53450cb4178c89e
SHA1 hash: c6d65163c6315a642664f4eaec0fae9528549bfe

SHA256 hash: 1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3
MD5 hash: 6b4ab6e60364c55f18a56a39021b74a6
SHA1 hash: 39cac2889d8ca497ee0d8434fc9f6966f18fa336

SHA256 hash: f754f2c277cf7e20c53d7f6b70efaca6224a4aaa199277162dfe39cf52b06e36
MD5 hash: f39228c3b1bc6986fa81f2fdc1a19b42
SHA1 hash: 7cba9d1effe57aeab4753abaaf3a5587a2b5f4f4

SHA256 hash: 584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc
MD5 hash: 30772bcce9852eb58cf05a75bcdce2f9
SHA1 hash: b43da7a9785fb47cc1174bb4a896866fbb1a0df0
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: LummaStealer
File: Executable exe 584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high

Reviews
ID                   Capabilities                         Evidence
COM_BASE_API         Can Download & Execute components    ole32.dll::CoCreateInstance
                                                          ole32.dll::CreateStreamOnHGlobal
SHELL_API            Manipulates System Shell             SHELL32.dll::ShellExecuteExW
                                                          SHELL32.dll::ShellExecuteW
                                                          SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API    Can Create Process and Threads       KERNEL32.dll::CloseHandle
                                                          KERNEL32.dll::CreateThread
WIN_BASE_API         Uses Win Base API                    KERNEL32.dll::LoadLibraryA
                                                          KERNEL32.dll::GetDriveTypeW
                                                          KERNEL32.dll::GetStartupInfoA
                                                          KERNEL32.dll::GetDiskFreeSpaceExW
                                                          KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API      Can Create Files                     KERNEL32.dll::CreateDirectoryW
                                                          KERNEL32.dll::CreateFileW
                                                          KERNEL32.dll::DeleteFileW
                                                          KERNEL32.dll::GetSystemDirectoryW
                                                          KERNEL32.dll::GetFileAttributesW
                                                          KERNEL32.dll::FindFirstFileW
WIN_USER_API         Performs GUI Actions                 USER32.dll::CreateWindowExW

Comments



zbet commented on 2024-07-02 04:44:14 UTC

url : hxxp://lajollaautorepairs.com/cart/VBDVMGWB.exe