MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 645918fc92cdbb343ab2104304d207c8cb26de0d2b5f6a10ce7c9cd453994d4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 645918fc92cdbb343ab2104304d207c8cb26de0d2b5f6a10ce7c9cd453994d4c
SHA3-384 hash: 5e2cb258ae764a0891aa2a66957b9b457df94e5b4d960b346dc6f6033c1568d973c6cfdc8329558173329954a297931e
SHA1 hash: 00650ffb05699c059f0fe2a99eff4da90fbcb17a
MD5 hash: e0239fa69aee38817ef04770b76370ad
humanhash: arkansas-seven-december-delaware
File name:setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:10'103'128 bytes
First seen:2025-04-16 22:45:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15ad7db86b6051e69aa3c16e5539c4a5 (1 x LummaStealer, 1 x Rhadamanthys)
ssdeep 196608:mRRdtXr3ibV9KRKYZORvFsvfZpX3Nc+QBmuN:mzybVvkOla3r3Nccu
TLSH T1E0A612E37202C372E44E9CB14D5CD6B595299C247BBE01C3A3D4BB1B6A725C2373A94B
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 4cb26964b0cc45ba (2 x Rhadamanthys, 1 x RaccoonStealer, 1 x LummaStealer)
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
https://filecr.cfd/?MIuFAka8fpyzwWP6n2UKDBx7hvYQJbcjXsCNTo3G=SyDNmPxHK95IfX1Y0g8vhaAJqpstFrTdMOloLb423cR=WEPT7D1rNOId5l9yRnSizqHoVckGMfw8QmZbYxK36AXUjeC&p_title=Adobe-Premiere-Pro-2024-Build-24-2-Crack---Serial-Key-Download&h=40 => https://mega.nz/file/p8gwzRhA#wNpiNXV4gWpnwx-qRZnq5X4txTWKNHKywYNDzdVVbYk

Intelligence

File Origin
# of uploads :
1
# of downloads :
473
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-04-16 22:48:19 UTC
Tags:
stealer advancedinstaller
Link:
https://app.any.run/tasks/a6a9f4c5-23db-4c0a-8bb5-7b5949c4beba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2540/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680033f32203b3e10ccfdbcd
Tags:
virus shell spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug fingerprint installer invalid-signature microsoft_visual_cc overlay packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/6800333190767142c3d7fea3/reports/763ef16b-2111-4310-8ba8-4730af1c2559/overview
Verdict:
Suspicious
Labled as:
Malware_48.5
Link:
https://www.hybrid-analysis.com/sample/645918fc92cdbb343ab2104304d207c8cb26de0d2b5f6a10ce7c9cd453994d4c
Malware family:
Sysinternals
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1e6fadde-bb25-411b-9aec-344d0298ee9a
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1666825
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1666825 Sample: setup.exe Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 41 x.ss2.us 2->41 43 thundercoall.live 2->43 45 4 other IPs or domains 2->45 57 Antivirus detection for URL or domain 2->57 59 Yara detected LummaC Stealer 2->59 61 Yara detected AntiVM3 2->61 10 setup.exe 9 2->10         started        14 shark.exe 2->14         started        16 shark.exe 2->16         started        signatures3 process4 file5 39 C:\Users\user\AppData\Roaming\...\tcpvcon.exe, PE32 10->39 dropped 71 Maps a DLL or memory area into another process 10->71 73 Switches to a custom stack to bypass stack traces 10->73 18 tcpvcon.exe 2 10->18         started        signatures6 process7 dnsIp8 47 thundercoall.live 104.21.48.1, 443, 49685, 49689 CLOUDFLARENETUS United States 18->47 49 h1.dentistdomestic.shop 104.21.96.1, 443, 49698 CLOUDFLARENETUS United States 18->49 35 C:\Users\user\...\DJHNIZTF5MB1UREU.exe, PE32 18->35 dropped 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->63 65 Query firmware table information (likely to detect VMs) 18->65 67 Tries to harvest and steal ftp login credentials 18->67 69 4 other signatures 18->69 23 DJHNIZTF5MB1UREU.exe 5 18->23         started        27 conhost.exe 18->27         started        file9 signatures10 process11 dnsIp12 51 a8a00b7a27dd309f6.awsglobalaccelerator.com 15.197.198.189, 49705, 8545 TANDEMUS United States 23->51 53 x.ss2.us 18.64.155.5, 49706, 80 MIT-GATEWAYSUS United States 23->53 55 62.60.234.97, 1466, 49708, 49709 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 23->55 37 C:\ProgramData\shark.exe, PE32 23->37 dropped 29 cmd.exe 1 23->29         started        file13 process14 process15 31 conhost.exe 29->31         started        33 reg.exe 1 1 29->33         started       
Score:
19%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/645918fc92cdbb343ab2104304d207c8cb26de0d2b5f6a10ce7c9cd453994d4c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/645918fc92cdbb343ab2104304d207c8cb26de0d2b5f6a10ce7c9cd453994d4c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mrmrr7eszw5tiovscbbqjuqhzdfsnxqnfnpwuegopsoniu4zjvga._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery persistence spyware stealer
Link:
https://tria.ge/reports/250416-2pzx2awxez/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://thundercoall.live/gepc
https://jawdedmirror.run/ewqd
https://changeaie.top/geps
https://lonfgshadow.live/xawi
https://liftally.top/xasj
https://nighetwhisper.top/lekd
https://salaccgfa.top/gsooz
https://zestmodp.top/zeda
https://owlflright.digital/qopy
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ff6267ee-06eb-4038-a60f-8cc47cf35348
Unpacked files
SH256 hash:
645918fc92cdbb343ab2104304d207c8cb26de0d2b5f6a10ce7c9cd453994d4c
MD5 hash:
e0239fa69aee38817ef04770b76370ad
SHA1 hash:
00650ffb05699c059f0fe2a99eff4da90fbcb17a
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
MD5 hash:
32da96115c9d783a0769312c0482a62d
SHA1 hash:
2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
058eb7ce88c22d2ff7d3e61e6593ca4e3d6df449f984bf251d9432665e1517d1
MD5 hash:
89f35cb1212a1fd8fbe960795c92d6e8
SHA1 hash:
061ae273a75324885dd098ee1ff4246a97e1e60c
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
0b3dfb8554ead94d5da7859a12db353942406f9d1dfe3fac3d48663c233ea99d
MD5 hash:
d1df480505f2d23c0b5c53df2e0e2a1a
SHA1 hash:
207db9568afd273e864b05c87282987e7e81d0ba
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
19342614ec43adfc3ec9b8413c80f2b8dbf34a6c5373d08800fa2e252e172052
MD5 hash:
daaf7584912d5f4c0416bda5ee04bed4
SHA1 hash:
78071016fec528c7cbbffb268bae131f9f85aedc
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6
MD5 hash:
9b79965f06fd756a5efde11e8d373108
SHA1 hash:
3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c
MD5 hash:
7e8b61d27a9d04e28d4dae0bfa0902ed
SHA1 hash:
861a7b31022915f26fb49c79ac357c65782c9f4b
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e
MD5 hash:
dd8176e132eedea3322443046ac35ca2
SHA1 hash:
d13587c7cc52b2c6fbcaa548c8ed2c771a260769
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
3af38920e767bd9ebc08f88eaf2d08c748a267c7ec60eab41c49b3f282a4cf65
MD5 hash:
074b81a625fb68159431bb556d28fab5
SHA1 hash:
20f8ead66d548cfa861bc366bb1250ced165be24
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
46079c0a1b660fc187aafd760707f369d0b60d424d878c57685545a3fce95819
MD5 hash:
2db5666d3600a4abce86be0099c6b881
SHA1 hash:
63d5dda4cec0076884bc678c691bdd2a4fa1d906
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
58a8d69df60ecbee776cd9a74b2a32b14bf2b0bd92d527ec5f19502a0d3eb8e9
MD5 hash:
624401f31a706b1ae2245eb19264dc7f
SHA1 hash:
8d9def3750c18ddfc044d5568e3406d5d0fb9285
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
5c9bc70586ad538b0df1fcf5d6f1f3527450ae16935aa34bd7eb494b4f1b2db9
MD5 hash:
0f7d418c05128246afa335a1fb400cb9
SHA1 hash:
f6313e371ed5a1dffe35815cc5d25981184d0368
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639
MD5 hash:
4ec4790281017e616af632da1dc624e1
SHA1 hash:
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
5d9767d8cca0fbfd5801bff2e0c2adddd1baaaa8175543625609abce1a9257bd
MD5 hash:
721baea26a27134792c5ccc613f212b2
SHA1 hash:
2a27dcd2436df656a8264a949d9ce00eab4e35e8
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086
MD5 hash:
5a72a803df2b425d5aaff21f0f064011
SHA1 hash:
4b31963d981c07a7ab2a0d1a706067c539c55ec5
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
7101b3dff525ea47b7a40dd96544c944ae400447df7a6acd07363b6d7968b889
MD5 hash:
b5c8af5badcdefd8812af4f63364fe2b
SHA1 hash:
750678935010a83e2d83769445f0d249e4568a8d
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86
MD5 hash:
972544ade7e32bfdeb28b39bc734cdee
SHA1 hash:
87816f4afabbdec0ec2cfeb417748398505c5aa9
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
72c639d1afda32a65143bcbe016fe5d8b46d17924f5f5190eb04efe954c1199a
MD5 hash:
e86cfc5e1147c25972a5eefed7be989f
SHA1 hash:
0075091c0b1f2809393c5b8b5921586bdd389b29
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
76d8e4ed946deefeefa0d0012c276f0b61f3d1c84af00533f4931546cbb2f99e
MD5 hash:
206adcb409a1c9a026f7afdfc2933202
SHA1 hash:
bb67e1232a536a4d1ae63370bd1a9b5431335e77
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
785c49fd9f99c6eb636d78887aa186233e9304921dd835dee8f72e2609ff65c4
MD5 hash:
d76e7aaecb3d1ca9948c31bdae52eb9d
SHA1 hash:
142a2bb0084faa2a25d0028846921545f09d9ae9
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2
MD5 hash:
1ed0b196ab58edb58fcf84e1739c63ce
SHA1 hash:
ac7d6c77629bdee1df7e380cc9559e09d51d75b7
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
8e015cdf2561450ed9a0773be1159463163c19eab2b6976155117d16c36519da
MD5 hash:
b3f887142f40cb176b59e58458f8c46d
SHA1 hash:
a05948aba6f58eb99bbac54fa3ed0338d40cbfad
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
8f8b79150e850acc92fd6aab614f6e3759bea875134a62087d5dd65581e3001f
MD5 hash:
07ebe4d5cef3301ccf07430f4c3e32d8
SHA1 hash:
3b878b2b2720915773f16dba6d493dab0680ac5f
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
913eaaa7997a6aee53574cffb83f9c9c1700b1d8b46744a5e12d76a1e53376fd
MD5 hash:
557405c47613de66b111d0e2b01f2fdb
SHA1 hash:
de116ed5de1ffaa900732709e5e4eef921ead63c
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
91508ab353b90b30ff2551020e9755d7ab0e860308f16c2f6417dfb2e9a75014
MD5 hash:
9fa3fc24186d912b0694a572847d6d74
SHA1 hash:
93184e00cbddacab7f2ad78447d0eac1b764114d
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
a5b733e3dce21ab62bd4010f151b3578c6f1246da4a96d51ac60817865648dd3
MD5 hash:
0c933a4b3c2fcf1f805edd849428c732
SHA1 hash:
b8b19318dbb1d2b7d262527abd1468d099de3fb6
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0
MD5 hash:
a6a3d6d11d623e16866f38185853facd
SHA1 hash:
fbeadd1e9016908ecce5753de1d435d6fcf3d0b5
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34
MD5 hash:
91a2ae3c4eb79cf748e15a58108409ad
SHA1 hash:
d402b9df99723ea26a141bfc640d78eaf0b0111b
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0
MD5 hash:
1d48a3189a55b632798f0e859628b0fb
SHA1 hash:
61569a8e4f37adc353986d83efc90dc043cdc673
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607
MD5 hash:
7a859e91fdcf78a584ac93aa85371bc9
SHA1 hash:
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
c23fe8d5c3ca89189d11ec8df983cc144d168cb54d9eab5d9532767bcb2f1fa3
MD5 hash:
7c7b61ffa29209b13d2506418746780b
SHA1 hash:
08f3a819b5229734d98d58291be4bfa0bec8f761
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
c43075b1d2386a8a262de628c93a65350e52eae82582b27f879708364b978e29
MD5 hash:
73433ebfc9a47ed16ea544ddd308eaf8
SHA1 hash:
ac1da1378dd79762c6619c9a63fd1ebe4d360c6f
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
d6708d1254ed88a948871771d6d1296945e1aa3aeb7e33e16cc378f396c61045
MD5 hash:
4ccde2d1681217e282996e27f3d9ed2e
SHA1 hash:
8eda134b0294ed35e4bbac4911da620301a3f34d
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198
MD5 hash:
f1a23c251fcbb7041496352ec9bcffbe
SHA1 hash:
be4a00642ec82465bc7b3d0cc07d4e8df72094e8
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf
MD5 hash:
721b60b85094851c06d572f0bd5d88cd
SHA1 hash:
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1
MD5 hash:
dbc27d384679916ba76316fb5e972ea6
SHA1 hash:
fb9f021f2220c852f6ff4ea94e8577368f0616a4
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
e63550608dd58040304ea85367e9e0722038ba8e7dc7bf9d91c4d84f0ec65887
MD5 hash:
8d12ffd920314b71f2c32614cc124fec
SHA1 hash:
251a98f2c75c2e25ffd0580f90657a3ea7895f30
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf
MD5 hash:
fa770bcd70208a479bde8086d02c22da
SHA1 hash:
28ee5f3ce3732a55ca60aee781212f117c6f3b26
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
f28a8fe2cd7e8e00b6d2ec273c16db6e6eea9b6b16f7f69887154b6228af981e
MD5 hash:
1e4c4c8e643de249401e954488744997
SHA1 hash:
db1c4c0fc907100f204b21474e8cd2db0135bc61
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
f320f9c0463de641b396ce7561af995de32211e144407828b117088cf289df91
MD5 hash:
6d0550d3a64bd3fd1d1b739133efb133
SHA1 hash:
c7596fde7ea1c676f0cc679ced8ba810d15a4afe
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
f3a7a9c98ebe915b1b57c16e27fffd4ddf31a82f0f21c06fe292878e48f5883e
MD5 hash:
c9cbad5632d4d42a1bc25ccfa8833601
SHA1 hash:
09f37353a89f1bfe49f7508559da2922b8efeb05
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
f5025e74de2c1c6ea74e475b57771ac32205e6f1fa6a0390298bbe1f4049ac5d
MD5 hash:
57193bfbccefe3d5df8c1a0d27c4e8d4
SHA1 hash:
747f1d3841a9175826439d37e2387a4cf920641c
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f
MD5 hash:
8906279245f7385b189a6b0b67df2d7c
SHA1 hash:
fcf03d9043a2daafe8e28dee0b130513677227e4
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb
MD5 hash:
55b2eb7f17f82b2096e94bca9d2db901
SHA1 hash:
44d85f1b1134ee7a609165e9c142188c0f0b17e0
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash:
cabb58bb5694f8b8269a73172c85b717
SHA1 hash:
9ed583c56385fed8e5e0757ddb2fdf025f96c807
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
SH256 hash:
68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash:
d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash:
b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
Link:
https://www.unpac.me/results/e3b0bf0a-73f0-4cdb-b7a6-6fa0812c08e4/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/645918fc92cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/645918fc92cdbb343ab2104304d207c8cb26de0d2b5f6a10ce7c9cd453994d4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Lumma
Create hunting rule
Author:kevoreilly
Description:Lumma Payload
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_lumma_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 645918fc92cdbb343ab2104304d207c8cb26de0d2b5f6a10ce7c9cd453994d4c

(this sample)

  
Link
https://tria.ge/250416-2k6vsawwh1/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/2540/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::OpenProcess
KERNEL32.dll::OpenSemaphoreW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleScreenBufferInfo
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::GetFileAttributesA
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertFindCertificateInStore
CRYPT32.dll::CertFreeCertificateContext
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegGetValueW
ADVAPI32.dll::RegNotifyChangeKeyValue
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::CreateWindowExW

Comments