MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59ae8d923ec039ce1f269ac6bd85486842f399d9e027bf113c53628410bad6bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 12

SHA256 hash: 59ae8d923ec039ce1f269ac6bd85486842f399d9e027bf113c53628410bad6bc
SHA3-384 hash: a2bb4ce52fbd9c5ba7683939c7470cd25cb8df2eaffb294133b1cf5aece7bea6fdb36fb2fea83c63b0750d29c4f27d0c
SHA1 hash: b0b3fc20e331f6dc9d53817ed69dab0ee9f984ac
MD5 hash: 74c16d81270252d41567d583dd4511b2
humanhash: triple-louisiana-neptune-floor
File name: setup_patched.exe
Signature: LummaStealer
File size: 14'786'272 bytes
First seen: 2025-02-01 16:24:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f052f84efefe84f64ac7fab273eb8464 (9 x LummaStealer, 2 x Stealc, 2 x RemcosRAT)
ssdeep: 196608:+xBymX/yVMNC5JfXdS6OM08jPhElMHpxDMBSXEoe8bRYdL4tSx0USapM7uxBm:yIVMNC5Jf46OC7i4lnFU4tKg
TLSH: T1A8E602137690803EE56A02714C5FAF6481A97D738A318157F6E0FE1D2DF19C2B627B2B
TrID: 70.6% (.AX) DirectShow filter (201555/2/20)
      20.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
File icon (PE): PE icon
dhash icon: 5b3931b29cd1631d (9 x LummaStealer, 3 x RemcosRAT, 2 x RedLineStealer)
Reporter: aachum
Tags: AutoIT de-pumped exe LummaStealer


iamaachum
https://secure.filenimbus.com/0MdWlkPTE0JmZpZD0zNWU1MQ => https://www.mediafire.com/file/mjhnbndqb773p29/#%F0%9D%93%9EpeN-Set-U%E1%B9%95__8559--Pa$$%F0%9D%93%9AeY@!.zip/file

Intelligence


File Origin
# of uploads: 1
# of downloads: 500
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_patched.exe
Verdict: No threats detected
Analysis date: 2025-02-01 16:51:54 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect phishing autoit emotet
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Unauthorized injection to a recently created process
DNS request
Connection attempt to an infection source
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context fingerprint invalid-signature microsoft_visual_cc overlay signed
Result
Verdict: UNKNOWN
Result
Threat name: LummaC Stealer
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
PE file has a writeable .text section
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 1604567 (sample: setup_patched.exe, start date: 01/02/2025, architecture: WINDOWS, score: 100). Process chain recovered from the graph: setup_patched.exe -> setup_patched.exe -> psd.exe (alongside ISBEW64.exe x2 and 4 other processes) -> more.com -> AutoIt3.exe (+ conhost.exe) -> iTunesHelper.exe -> more.com -> updater.exe (+ conhost.exe); a separate iTunesHelper.exe -> iTunesHelper.exe branch also starts from the root. Network nodes: toppyneedus.biz (104.21.29.142:443, CLOUDFLARENETUS) and u2.servicelandingkaraoke.shop (188.114.97.3:443, CLOUDFLARENETUS), both contacted by AutoIt3.exe; steamcommunity.com (104.102.49.254:443, AKAMAI-ASUS) and 127.0.0.1, contacted by updater.exe.
Result
Malware family:
Score: 10/10
Tags: family:lumma discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction: https://toppyneedus.biz/api
Verdict: Suspicious
Tags: c2 lumma stealer lumma_stealer
YARA: n/a
Unpacked files
Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
LummaStealer
Executable exe 59ae8d923ec039ce1f269ac6bd85486842f399d9e027bf113c53628410bad6bc (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                       | Title                                                     | Severity
CHECK_AUTHENTICODE       | Missing Authenticode                                      | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)   | high

Reviews

ID                | Capabilities                     | Evidence
AUTH_API          | Manipulates User Authorization   | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::CreateWellKnownSid, ADVAPI32.dll::EqualSid, ADVAPI32.dll::FreeSid, ADVAPI32.dll::SetEntriesInAclW, ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API      | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CoInitializeSecurity, ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_API      | Interfaces with Graphics         | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdipDeleteGraphics, gdiplus.dll::GdipAlloc, gdiplus.dll::GdipCreateFromHDC
RPC_API           | Can Execute Remote Procedures    | RPCRT4.dll::RpcStringFreeW
SECURITY_BASE_API | Uses Security Base API           | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::GetTokenInformation, ADVAPI32.dll::SetSecurityDescriptorDacl, ADVAPI32.dll::SetSecurityDescriptorGroup, ADVAPI32.dll::SetSecurityDescriptorOwner
SHELL_API         | Manipulates System Shell         | SHELL32.dll::ShellExecuteExW
WIN32_PROCESS_API | Can Create Process and Threads   | KERNEL32.dll::CreateProcessW, KERNEL32.dll::OpenProcess, ADVAPI32.dll::OpenProcessToken, ADVAPI32.dll::OpenThreadToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API | Can Execute other programs       | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API   | Can Create Files                 | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API | Retrieves Account Information    | ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API       | Can Manipulate Windows Registry  | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegOpenKeyW, ADVAPI32.dll::RegQueryInfoKeyW, ADVAPI32.dll::RegQueryValueExW
WIN_USER_API      | Performs GUI Actions             | USER32.dll::FindWindowExW, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments