MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63375a7cf3fbf5b233ac070617e238c90135c66459f1c19a31af356a721b1ed9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	63375a7cf3fbf5b233ac070617e238c90135c66459f1c19a31af356a721b1ed9
SHA3-384 hash:	6dd016172ae917504a2b83495a89de8336ce2953701b39a7f6744f6cb9b51a1420709a4bd4f8e1ab29f316136ca8f506
SHA1 hash:	0f5bfde63012a1311ee8f6363d5d6d50899db759
MD5 hash:	896418905011db3776f73ad7fa70a8be
humanhash:	eleven-nevada-ink-kansas
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	3'006'976 bytes
First seen:	2024-10-25 10:31:39 UTC
Last seen:	2024-10-25 12:02:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	24576:ormPBww1qVw7XgXeI1LbOw8jurYtp8F3y0CFdrENMiICoLW1u1RCVPhQ6Gt7+pFk:orm5/gXfOw6uG7Rfq12CT/OzaDVk
TLSH	T19DD54B92A90976CBD48E27789527CEC2589C07F9071188C3AAAC747E7E77CC617B7C24
TrID	42.7% (.EXE) Win32 Executable (generic) (4504/4/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	exe LummaStealer

Bitsight

url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin

# of uploads :

# of downloads :

423

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-10-25 10:35:58 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/17d4081b-7653-415c-a67e-41486e4838e8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.2100.12500.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=671b73a6a75e41aa672160ce

Tags:

Malware

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Searching for the window

Query of malicious DNS domain

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed packed packer_detected

Link:

https://www.filescan.io/uploads/671b73a3d13ed5948b4d4b03/reports/cc8d577e-04a8-450f-811a-15a20c06baef/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/63375a7cf3fbf5b233ac070617e238c90135c66459f1c19a31af356a721b1ed9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/772f39f3-7013-47ed-b29e-6ef370d768cd

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1542005

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/63375a7cf3fbf5b233ac070617e238c90135c66459f1c19a31af356a721b1ed9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63375a7cf3fbf5b233ac070617e238c90135c66459f1c19a31af356a721b1ed9/

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2024-10-25 10:32:07 UTC

File Type:

PE (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mm3vu7ht7p23em5ma4dbpyryzeatlrtelhy4dgrrv42wu4q3d3mq._file

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery evasion stealer

Link:

https://tria.ge/reports/241025-mkyrvayapf/

Behaviour

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Lumma Stealer, LummaC

Malware Config

C2 Extraction:

https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fccfedb1-3a69-4eb5-859c-a4eaba431c5f

Unpacked files

SH256 hash:

3f15d6cf9d1e24041cf47e11f0103e856b5b51fc20bf2f4012d6b872316cd30f

MD5 hash:

874fd78aa5e63a1cba5a68900c685a34

SHA1 hash:

e912cbf0dc69181262e48b7b5ed4361316d4dacb

Detections:

LummaStealer

Link:

https://www.unpac.me/results/b9f6b170-0232-444e-9917-73acbc883acb/

SH256 hash:

63375a7cf3fbf5b233ac070617e238c90135c66459f1c19a31af356a721b1ed9

MD5 hash:

896418905011db3776f73ad7fa70a8be

SHA1 hash:

0f5bfde63012a1311ee8f6363d5d6d50899db759

Link:

https://www.unpac.me/results/b9f6b170-0232-444e-9917-73acbc883acb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/63375a7cf3fbf5b233ac070617e238c90135c66459f1c19a31af356a721b1ed9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 63375a7cf3fbf5b233ac070617e238c90135c66459f1c19a31af356a721b1ed9

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample