MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870
SHA3-384 hash:	7df904e31e3bd6069a3480c785bb27a4a5c0d3955f1fc363f8db111674ca33067502bb4638680c37282c41efa5af1639
SHA1 hash:	d04d7c0edb927009573eece3f96f75d7eece19d6
MD5 hash:	fae68cd5cdd689092cf3c25be89127f4
humanhash:	diet-orange-delaware-louisiana
File name:	AssumedAlready.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	10'485'735 bytes
First seen:	2024-11-15 12:21:51 UTC
Last seen:	2024-11-15 20:59:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep	24576:nSjoiEL099Vcc+wCnb3YNPHxB7AasL/GFdcCm1R3su4i:kekfD+lb3sHxBU7L/GFdc5PsuX
TLSH	T157B65492075A5094EF931A67FC30A9C6DAF03B607161EB3F161AC09CAB58261C35D7BF
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	c0c4ec64646464b6 (1 x LummaStealer)
Reporter	Racco42
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

423

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

AssumedAlready.exe

Verdict:

Malicious activity

Analysis date:

2024-11-14 20:57:34 UTC

Tags:

autoit autoit-loader

Link:

https://app.any.run/tasks/6a1a6ee2-e7d7-45bc-bcc5-0304b4c5e224

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.17201.13281.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67373dbd6bc7caf979b2e791

Tags:

autoit emotet nsis

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

installer microsoft_visual_cc overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/67373cedda907f44e3007b94/reports/4fa9f0c3-66dd-44c7-ad82-7f89ac33559f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5e3db45e-0a15-40e6-9418-9e2dfd702f41

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1556464

Signature

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

88%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-11-14 22:25:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 38 (28.95%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lgqpicjisbq65worh4uuuxldz4pxfwx3ombcok4tlk5hcgqndbya._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/241115-pjwl7stglq/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Enumerates processes with tasklist

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7b37904f-7b2a-4c91-9279-47bc6e8556b8

Unpacked files

SH256 hash:

d99145ab93f2f32ed3a553992213cdd23f9cd869e74665e449f55b7b4a461c8f

MD5 hash:

cb4e827ff80fc7cc0ad57315f808df3a

SHA1 hash:

f86a836c9fc6a7b1f4273cb575c5244d955b0fb3

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/fdafa591-f5b7-4f10-bf24-9059ebf4d141/

Parent samples :

ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d
d477322f8d90be3d37d78ab73d97d59e0ae6ca7ac32e2fdefd5668f67cb1fb62
bb932056cae8940742e50b4f2b994a802e703f7bc235e7dd647d085ae2b2baf7
39f3698e7359c0a93122897138c050ecb0b71d71843f68ba8d05a9ed7e7cb67b
d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a
774368536ee17949132b38f6067b9b6aea5362c1f23fb06410b4e8cec4c2ed5c
bb653dddd858f686a07ac236a6098d9da8dcb8524aedc8da2cb5a6f084cbfebc
edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e
06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437
59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870
9fa64c90a5f724bb282934ee693fac3b8f82a7a08039d52946904262f8d2ec6a
645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d

SH256 hash:

59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870

MD5 hash:

fae68cd5cdd689092cf3c25be89127f4

SHA1 hash:

d04d7c0edb927009573eece3f96f75d7eece19d6

Link:

https://www.unpac.me/results/fdafa591-f5b7-4f10-bf24-9059ebf4d141/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample