MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 642b22477ed760060155d8e6fc892590774ea57844694d22e47d23bb0473f10f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 642b22477ed760060155d8e6fc892590774ea57844694d22e47d23bb0473f10f
SHA3-384 hash: 7ac231e4bc313f15727f2ea79baa45a805cd1e524de80f1f7341d75c97ad7895822eb1b57bba9ed419f5631823628c5a
SHA1 hash: 95b3578c21adee532b48059d2e6d464676ac4768
MD5 hash: 8ea72d1dd14d5a570d5f5a595cfd1d5d
humanhash: uncle-oxygen-oranges-mexico
File name:Set-up.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:56'623'098 bytes
First seen:2024-10-30 14:32:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:ls7kmRZjC4EHIiF2ZZ08LEYHQyWXI8LHxvjOXlf:pvFW08LxQLXFzw
Threatray 1'475 similar samples on MalwareBazaar
TLSH T1F3C712DA4BDE334868173CD23DE10C7C63A456B32BF166182A8FB05656B6510D2F8FB9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 1cbc80bcf4cce0c0 (1 x LummaStealer)
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
https://github.com/FernandoKambambi/Spotify-Premium-for-Free-2024?tab=readme-ov-file => https://bitbucket.org/setup_installer/downloadfile/raw/fbd0d0a48a1a56ea55a650d601e3553933d4d494/JuiLodD.zip

Lumma C2:
https://goalyfeastz.site/api
https://contemteny.site/api
https://dilemmadu.site/api
https://authorisev.site/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Set-up.exe
Verdict:
Malicious activity
Analysis date:
2024-10-30 14:36:33 UTC
Tags:
lumma stealer loader arch-exec autoit-loader pastebin miner
Link:
https://app.any.run/tasks/1632baff-e773-41b6-9b06-8865122a6a19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672243b249e92a05dde1e43c
Tags:
powershell autoit emotet
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Searching for the window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc overlay
Link:
https://www.filescan.io/uploads/672243a42734cb737d90222e/reports/a4969cca-43d5-4717-aa73-a4bc151112b4/overview
Verdict:
Malicious
Labled as:
Malware_46.6
Link:
https://www.hybrid-analysis.com/sample/642b22477ed760060155d8e6fc892590774ea57844694d22e47d23bb0473f10f
Result
Verdict:
UNKNOWN
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.rans
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1545453
Signature
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545453 Sample: Set-up.exe Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 82 goalyfeastz.site 2->82 84 servicedny.site 2->84 86 3 other IPs or domains 2->86 96 Suricata IDS alerts for network traffic 2->96 98 Antivirus detection for dropped file 2->98 100 Multi AV Scanner detection for dropped file 2->100 102 4 other signatures 2->102 11 Set-up.exe 19 2->11         started        signatures3 process4 file5 66 C:\Users\user\AppData\Local\Temp\Warren, data 11->66 dropped 68 C:\Users\user\AppData\Local\Temp\Towers, data 11->68 dropped 70 C:\Users\user\AppData\Local\Temp\Lil, data 11->70 dropped 72 4 other malicious files 11->72 dropped 118 Writes many files with high entropy 11->118 15 cmd.exe 3 11->15         started        signatures6 process7 file8 80 C:\Users\user\AppData\...\Limitations.pif, PE32 15->80 dropped 92 Drops PE files with a suspicious file extension 15->92 94 Writes many files with high entropy 15->94 19 Limitations.pif 1 15->19         started        24 cmd.exe 2 15->24         started        26 conhost.exe 15->26         started        28 7 other processes 15->28 signatures9 process10 dnsIp11 88 goalyfeastz.site 172.67.145.203, 443, 49985, 49986 CLOUDFLARENETUS United States 19->88 90 147.45.47.81, 49995, 80 FREE-NET-ASFREEnetEU Russian Federation 19->90 50 C:\Users\...\X0JA3EDV7BU5B3IH21ST0OE852AR.exe, PE32 19->50 dropped 106 Query firmware table information (likely to detect VMs) 19->106 108 Tries to harvest and steal ftp login credentials 19->108 110 Tries to harvest and steal browser information (history, passwords, etc) 19->110 112 2 other signatures 19->112 30 X0JA3EDV7BU5B3IH21ST0OE852AR.exe 8 19->30         started        52 C:\Users\user\AppData\Local\Temp\506033\W, data 24->52 dropped file12 signatures13 process14 file15 74 C:\Users\user\AppData\Local\Temp\...\file.bin, Zip 30->74 dropped 76 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 30->76 dropped 78 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 30->78 dropped 120 Antivirus detection for dropped file 30->120 122 Multi AV Scanner detection for dropped file 30->122 124 Contains functionality to register a low level keyboard hook 30->124 126 Writes many files with high entropy 30->126 34 cmd.exe 2 30->34         started        signatures16 process17 file18 48 C:\Users\user\AppData\...\file.zip (copy), Zip 34->48 dropped 104 Writes many files with high entropy 34->104 38 7z.exe 2 34->38         started        42 Installer.exe 34->42         started        44 7z.exe 34->44         started        46 13 other processes 34->46 signatures19 process20 file21 54 C:\Users\user\AppData\Local\...\file_11.zip, Zip 38->54 dropped 114 Writes many files with high entropy 38->114 116 Contains functionality to detect sleep reduction / modifications 42->116 56 C:\Users\user\AppData\Local\...\file_10.zip, Zip 44->56 dropped 58 C:\Users\user\AppData\Local\...\Installer.exe, PE32 46->58 dropped 60 C:\Users\user\AppData\Local\...\file_9.zip, Zip 46->60 dropped 62 C:\Users\user\AppData\Local\...\file_8.zip, Zip 46->62 dropped 64 7 other malicious files 46->64 dropped signatures22
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/642b22477ed760060155d8e6fc892590774ea57844694d22e47d23bb0473f10f
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqvser3625qamakv3dtpzcjfsb3u5jlyiruu2ixepur3wbdt6ehq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
08f30ece5f7e77a69e58a970b3684c2a0eba1aa203ac97836dad32fc10a15e90
LummaStealer
1c2ec4c72c2f31a327b6ba4dfe27a607d311578e25d96cf34c54845eea986f36
LummaStealer
6f2c63f929acd8918c8f21f6141d1b13ca35a2b291d2d8d66771c80f481aea49
LummaStealer
986efaa8bb0469535ddac90dbe8cd3e7cd710e9570e7ff2edda7f82b893baa79
LummaStealer
b8ed5a17150da2a420cc39505357223261437d4e99ce94599a7ffdbbfe71e6cf
LummaStealer
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
LummaStealer
e5e142eea2e5369d6ddef616cd7acf6816ae9e194a77c00214be8575b983dc2f
LummaStealer
error
LummaStealer
+ 1'465 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/241030-rwvlsawrer/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://goalyfeastz.site/api
https://contemteny.site/api
https://dilemmadu.site/api
https://authorisev.site/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3d7aaa97-b97c-479f-be7e-8ece805d59ae
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/642b22477ed760060155d8e6fc892590774ea57844694d22e47d23bb0473f10f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 642b22477ed760060155d8e6fc892590774ea57844694d22e47d23bb0473f10f

(this sample)

  
Link
https://tria.ge/241030-rra2kswqen
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments