MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60fc2b7de0e9c31478d55a832b5e5d2ad0d4f7cabcdc2b2749fef810c00f1989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	60fc2b7de0e9c31478d55a832b5e5d2ad0d4f7cabcdc2b2749fef810c00f1989
SHA3-384 hash:	2a70d2aff8a11fd9384573ca299acded275cbc99f8734b9a72d6994c73bdae950b9a3b380960c8d699d86960f78e53b2
SHA1 hash:	3f435a71f7f52c5defc9e7ebc6af040f0ef700c8
MD5 hash:	551b04a3bc032d4eeaa36ab746057310
humanhash:	berlin-lamp-golf-ack
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	530'944 bytes
First seen:	2024-12-04 17:21:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b7cdd6019135beeb17a526dcb48c0be4 (2 x LummaStealer)
ssdeep	12288:tNj8R33t+t0PS7qBUI4EM8G/DQpPVlrKJR9oRU2uSuXYh:tNoxtvuu7pyDQxVJKJn7Suoh
TLSH	T125B4F152B2C28472D8631A3199F4EB7A4D7EB8305F21AADFA754477ACE301C1CB3691D
TrID	49.9% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.6% (.EXE) OS/2 Executable (generic) (2029/13) 9.5% (.EXE) Generic Win/DOS Executable (2002/3) 9.4% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	jstrosch
Tags:	exe LummaStealer

jstrosch

Found at hxxp://49.12.117[.]119/auto/62b7269a5bba1e1025060d4103ce94db/241.exe by #subcrawl

Intelligence

File Origin

# of uploads :

# of downloads :

421

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-12-04 17:36:40 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/d8981825-c431-42e8-a776-d7434cae9945

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.6406.16124.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=675090bc12e85e185e75cc66

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Behavior that indicates a threat

DNS request

Connection attempt

Sending a custom TCP request

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/67508fc3af970b1e41828dda/reports/22fdef72-d1be-4cdb-a382-a5bd13a3e2c4/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/60fc2b7de0e9c31478d55a832b5e5d2ad0d4f7cabcdc2b2749fef810c00f1989

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/476c408c-cb31-452f-a11d-bc23c246719d

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1568553

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/60fc2b7de0e9c31478d55a832b5e5d2ad0d4f7cabcdc2b2749fef810c00f1989

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60fc2b7de0e9c31478d55a832b5e5d2ad0d4f7cabcdc2b2749fef810c00f1989/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-12-04 17:22:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 38 (23.68%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=md6cw7pa5hbri6gvlkbswxs5flinj56kxtocwj2j734bbqapdgeq._file

Verdict:

malicious

Label(s):

lummastealer

Similar samples:

error

LummaStealer

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/241204-vxj38asnbt/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://preside-comforter.sbs
https://savvy-steereo.sbs
https://copper-replace.sbs
https://record-envyp.sbs
https://slam-whipp.sbs
https://wrench-creter.sbs
https://looky-marked.sbs
https://plastic-mitten.sbs
https://hallowed-noisy.sbs

Verdict:

Suspicious

Tags:

Lumma_Stealer Stealer lumma c2

YARA:

n/a

Link:

https://app.threat.zone/submission/17637035-0eaa-405e-8e7b-868fc34d04e0

Unpacked files

SH256 hash:

91cd8c1ac37e8ae38a8d570ea64f0b1d98e2c78c26da2e268236bb2fd8fe601a

MD5 hash:

00c4a97e89746d16f30046f2a22a4456

SHA1 hash:

5d9e9c48b4468db57053e6db99e32f1b41da065e

Detections:

LummaStealer

win_lumma_auto

Link:

https://www.unpac.me/results/f945b603-ec85-46ba-b559-e4f6d071ff16/

SH256 hash:

60fc2b7de0e9c31478d55a832b5e5d2ad0d4f7cabcdc2b2749fef810c00f1989

MD5 hash:

551b04a3bc032d4eeaa36ab746057310

SHA1 hash:

3f435a71f7f52c5defc9e7ebc6af040f0ef700c8

Link:

https://www.unpac.me/results/f945b603-ec85-46ba-b559-e4f6d071ff16/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/60fc2b7de0e9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60fc2b7de0e9c31478d55a832b5e5d2ad0d4f7cabcdc2b2749fef810c00f1989

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 60fc2b7de0e9c31478d55a832b5e5d2ad0d4f7cabcdc2b2749fef810c00f1989

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3311715/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThreadpoolWork
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample