MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5
SHA3-384 hash: e3becbf968932f798c746550dba793f1bffb1fdd55081a0fe682861f5b9a1c25dbcf084a4221c087e8774a8c0d84de9e
SHA1 hash: 0f5b178446276a286849d4587ddfbd04ac19506a
MD5 hash: 67fd32cbf0200a2f1c4b187df54831b2
humanhash: magazine-seventeen-minnesota-spaghetti
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'920'448 bytes
First seen:2024-10-26 19:06:37 UTC
Last seen:2024-10-26 19:21:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:MgtcfqJNzDAL+y2XH11YgeK1FYIRIexz5G:uqz8LZ231XeK33s
Threatray 1 similar samples on MalwareBazaar
TLSH T1CDD55BB2B60976CBD88E2778C527DE82985D07B90B1009E79C6DF5BD7E63CC112B6C24
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
24
# of downloads :
389
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Zusy.561776.23492.6470.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671d3f825928ee28d55df86f
Tags:
Vmdetect Autorun Spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/671d3dd70b051f847ca74309/reports/5d66f3b5-7c0e-4b65-b0c4-4965eee0576d/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/292d23fb-6109-4eec-a707-2cdf104a49af
Result
Threat name:
LummaC, Amadey, LummaC Stealer, Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1542916
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1542916 Sample: file.exe Startdate: 26/10/2024 Architecture: WINDOWS Score: 100 53 presticitpo.store 2->53 55 crisiwarny.store 2->55 57 15.164.165.52.in-addr.arpa 2->57 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Antivirus detection for URL or domain 2->71 73 12 other signatures 2->73 8 file.exe 3 2->8         started        13 skotes.exe 19 2->13         started        15 skotes.exe 2->15         started        17 axplong.exe 2->17         started        signatures3 process4 dnsIp5 59 crisiwarny.store 172.67.170.64, 443, 49710, 49712 CLOUDFLARENETUS United States 8->59 61 185.215.113.16, 57704, 57806, 57808 WHOLESALECONNECTIONSNL Portugal 8->61 39 C:\Users\user\...\YHS9M0PH6O35IAJMDWKAQJ3.exe, PE32 8->39 dropped 41 C:\Users\...\QLAE99PY37QSBL3R6CQGIFAK2L.exe, PE32 8->41 dropped 43 C:\...\QG1S2M7C2XJMD63NXRU6TKJYAV5S6.exe, PE32 8->43 dropped 101 Query firmware table information (likely to detect VMs) 8->101 103 Tries to harvest and steal ftp login credentials 8->103 105 Tries to harvest and steal browser information (history, passwords, etc) 8->105 113 4 other signatures 8->113 19 QLAE99PY37QSBL3R6CQGIFAK2L.exe 4 8->19         started        23 QG1S2M7C2XJMD63NXRU6TKJYAV5S6.exe 9 1 8->23         started        25 YHS9M0PH6O35IAJMDWKAQJ3.exe 13 8->25         started        63 185.215.113.43, 57803, 57804, 57807 WHOLESALECONNECTIONSNL Portugal 13->63 45 C:\Users\user\AppData\...\0bf6069ebe.exe, PE32 13->45 dropped 47 C:\Users\user\AppData\...\ca1daec063.exe, PE32 13->47 dropped 49 C:\Users\user\AppData\Local\...\random[1].exe, PE32 13->49 dropped 51 C:\Users\user\AppData\Local\...\random[1].exe, PE32 13->51 dropped 107 Hides threads from debuggers 13->107 109 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->109 111 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 13->111 28 ca1daec063.exe 4 13->28         started        file6 signatures7 process8 dnsIp9 35 C:\Users\user\AppData\Local\...\skotes.exe, PE32 19->35 dropped 75 Antivirus detection for dropped file 19->75 77 Detected unpacking (changes PE section rights) 19->77 79 Machine Learning detection for dropped file 19->79 81 Tries to detect virtualization through RDTSC time measurements 19->81 30 skotes.exe 19->30         started        83 Modifies windows update settings 23->83 85 Disables Windows Defender Tamper protection 23->85 87 Disable Windows Defender notifications (registry) 23->87 89 Disable Windows Defender real time protection (registry) 23->89 65 185.215.113.206, 57792, 80 WHOLESALECONNECTIONSNL Portugal 25->65 91 Multi AV Scanner detection for dropped file 25->91 93 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 25->93 37 C:\Users\user\AppData\Local\...\axplong.exe, PE32 28->37 dropped 95 Tries to evade debugger and weak emulator (self modifying code) 28->95 97 Hides threads from debuggers 28->97 99 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->99 33 axplong.exe 28->33         started        file10 signatures11 process12 signatures13 115 Antivirus detection for dropped file 30->115 117 Detected unpacking (changes PE section rights) 30->117 119 Machine Learning detection for dropped file 30->119 127 2 other signatures 30->127 121 Tries to detect sandboxes and other dynamic analysis tools (window names) 33->121 123 Tries to evade debugger and weak emulator (self modifying code) 33->123 125 Hides threads from debuggers 33->125
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5/
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2024-10-26 19:07:13 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lw3l2whe7etuwh7bibxpjgptrwjizt7iouhant53hnrkuy3ql3kq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241026-xsmdwsxfnb/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://crisiwarny.store/api
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fa711f3d-ac4d-44b9-99fa-33a1059812af
Unpacked files
SH256 hash:
2b86457eda77dc37ee4b2fbb23acd6e5b98d2d7cce7ecbdd81b9d9fc9f6c0bb1
MD5 hash:
7d06e2959150ddcc4b77d95905b9be47
SHA1 hash:
5c123f887f6981155d3bcab0253e66b93b09a5f7
Link:
https://www.unpac.me/results/c43832c3-b819-4e7f-bceb-12db1addcf98/
SH256 hash:
5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5
MD5 hash:
67fd32cbf0200a2f1c4b187df54831b2
SHA1 hash:
0f5b178446276a286849d4587ddfbd04ac19506a
Link:
https://www.unpac.me/results/c43832c3-b819-4e7f-bceb-12db1addcf98/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5db6bd58e4f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 5db6bd58e4f9274b1fe1406ef499f38d928ccfe8750e06cfbb3b62aa63705ed5

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments