MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35
SHA3-384 hash: 21a8f0179d9a43b90f6af9fe00f668d7b2e125a7ab2016a9ff0a02ef17fd6e4d3b07f630d455b55459e0d6f0a4449269
SHA1 hash: 89cdf9166b2987cd213e3b8cf6b183a16991fffa
MD5 hash: fd80439642b730b676a0362ab6ef7afd
humanhash: missouri-oranges-happy-bakerloo
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'124'224 bytes
First seen:2024-11-14 10:52:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:sSvxOPisjXrsaCdqrSAhEdNTq3+qLu2Vh2Un:4RrsaCdqmZTq342e
Threatray 21 similar samples on MalwareBazaar
TLSH T1C3E55B9AA94671CFD48E96B8993BCD4258DC03F9472C35D3A828A4FA7D63CC315F6C24
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
408
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-14 16:47:42 UTC
Tags:
lumma stealer themida loader stealc
Link:
https://app.any.run/tasks/df9cd825-c8a1-4473-8cf5-422e7f38f1f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Zusy.561776.16930.31735.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6735d6be4ca0f9db40c452d7
Tags:
shellcode extens spam sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Behavior that indicates a threat
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/5ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/aae2d1af-36de-447a-a84d-084dcf4707e5
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1555744
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2024-11-14 10:53:11 UTC
File Type:
PE (Exe)
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3grqqyflzfvmrypddja53w5desjvdchurhdz6v3qptbwwhsjm2q._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
1d822b3faabb8f65fc30076d32a95757a2c369ccb64ae54572e9f562280ae845
LummaStealer
34c768dc6ccd4328321bec83e5f61ad3a66e32d1aa019b81fa37e1578033524c
LummaStealer
49761948995eb54234f6fa179ddaf3646656a1d7545865740eba8965bf5b6cc4
LummaStealer
58426adb70dc326d18520d6db9a16aeb5d9091f23d9a17462cb1ea947f470ee0
LummaStealer
6094e39d84c42971e1efba0875fa34052dc3d2cd24f8b884b383aaaf32fe3cec
LummaStealer
6b16c2a1897f02f6f05f97ffcadd357071dc660708312b5c71341f9bb4bc285a
LummaStealer
6ddd2f425a66b16c56eaa2c711fbe2e998f34c3f03abef17c38c6d7209089680
LummaStealer
801b5e73f7824b75f2af42a0ecb466cde6855b5d8e5e31d3009ec3af8ca39308
LummaStealer
error
LummaStealer
f8520d764363ff22784c2bd6f77829ffe7396637936d68855bf56ae1f0c6dd5e
LummaStealer
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer
Link:
https://tria.ge/reports/241114-myzajaycjn/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of web browsers
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/35d7fbb8-b0fb-40a5-8369-342e5ec06a5c
Unpacked files
SH256 hash:
8e18841c7d6de2ad95f9e5c2311b5bf60d7ff4644b78e9a7fd1b33e165ea5fe8
MD5 hash:
0e90ec4588beace455169765e6dd9822
SHA1 hash:
5d779daadf813a55274083eb2fbc1a6da59f55c0
Link:
https://www.unpac.me/results/9b5028ea-5b97-4d3e-a256-9b87af7244d2/
SH256 hash:
5ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35
MD5 hash:
fd80439642b730b676a0362ab6ef7afd
SHA1 hash:
89cdf9166b2987cd213e3b8cf6b183a16991fffa
Link:
https://www.unpac.me/results/9b5028ea-5b97-4d3e-a256-9b87af7244d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 5ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments