MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64a604a8f103b52f36a9f45ba809babfa68ee6d9e052818477d45350051ac499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LunaLogger


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64a604a8f103b52f36a9f45ba809babfa68ee6d9e052818477d45350051ac499
SHA3-384 hash: ab252aee4f632a43104f46ca4cfc1a5d7e51540bc3b15ea913d92873c62e7f50c5f67c2eadabd3bedbf96a4add05fdbf
SHA1 hash: d0550e4278fffeaf1a7038ffde4cd87fdc48631d
MD5 hash: d499c556c99cc0746d487c5e4442fdcd
humanhash: apart-mountain-nuts-twelve
File name:DiscordX.exe
Download: download sample
Signature LunaLogger
Create hunting rule
File size:22'630'742 bytes
First seen:2023-04-18 10:09:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 393216:qxAlnfLFDrzCAQIgBRT/m3pqCdk4KZFgJJMF7:bljFDrzCAyTKDg/wo7
Threatray 51 similar samples on MalwareBazaar
TLSH T1CD37336E1944359BCCBFD0BA550AB93313877D3BE3E172CF63A4703B5A278525A2B109
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 10264696964d2810 (1 x LunaLogger)
Reporter YAMalwareGuy
Tags:discord exe LunaLogger Python


Avatar
YAMalwareGuy
This sample has been created from https://github.com/Smug246/Luna-Grabber, like a lot of "discord hacks" online.

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DiscordX.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 10:12:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c903893-de9d-476e-855a-f2cb43af11f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
DNS request
Sending a custom TCP request
Launching a process
Reading critical registry keys
Launching the process to change network settings
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80175/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay
Link:
https://www.filescan.io/uploads/643e6c7c000396b4e9992a37/reports/783227db-6af9-4aaa-ae73-8984949ef663/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/64a604a8f103b52f36a9f45ba809babfa68ee6d9e052818477d45350051ac499
Result
Verdict:
MALICIOUS
Result
Threat name:
Luna Logger
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1215830
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Yara detected Luna Logger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848755 Sample: DiscordX.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 60 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected Luna Logger 2->34 8 DiscordX.exe 132 2->8         started        process3 file4 19 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 8->19 dropped 21 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 8->21 dropped 23 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 8->23 dropped 25 80 other files (none is malicious) 8->25 dropped 36 May check the online IP address of the machine 8->36 12 DiscordX.exe 5 8->12         started        signatures5 process6 dnsIp7 27 api.ipify.org 12->27 30 api4.ipify.org 173.231.16.77, 443, 49697 WEBNXUS United States 12->30 15 cmd.exe 1 12->15         started        signatures8 38 May check the online IP address of the machine 27->38 process9 process10 17 conhost.exe 15->17         started       
Gathering data
Threat name:
Win64.Trojan.Beapy
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 11:39:24 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mstajkhrao2s6nvj6rn2qcn2x6ti5zwz4bjidbdx2rjvabi2ysmq._file
Verdict:
unknown
Similar samples:
1e6112420d4e9561e458e074dad3ebed54ae6f759d5c3ae9844c8a61ac7f33d3
LunaLogger
20632d113408af16371070219ed4e9f260a3cc23db39fcddce2580ebf6669b5f
LunaLogger
22cb2fba2dde578f61c82ed450c88c9060629fa7736bb7e27a584c97473c0883
LunaLogger
329d77b0ab5af0e568b9d56e3c3f7afc4266bf2cea0bd816ed4e67d4c9a09692
LunaLogger
3c1b7eed78ed128b6463c8b6eb35e46b78f2a9946d0b2a093e51630919b5054a
LunaLogger
6ae3599bcbb951c7fe73ab6060a654b5ced2e83cf3ff15038bec95743232425e
LunaLogger
75e9498c9de4ca202f86709a5b58448b64f09ab94440007fe6a9a0ea7c1e633e
LunaLogger
77555fc73bde72d601c995f884b564d9f12e3577221ffece363c0f8786745dff
LunaLogger
8e4ce102a531d540a1f643396d6ddfc0da9acc963ca995bcba9d07909ebb58e0
LunaLogger
a20cc7c8887cad9fce369f6b2113b21958926bdef91f6b544f01bbbbd2b12dc7
LunaLogger
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller upx
Link:
https://tria.ge/reports/230418-l7c8zsag64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64a604a8f103b52f36a9f45ba809babfa68ee6d9e052818477d45350051ac499

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LunaLogger

Executable exe 64a604a8f103b52f36a9f45ba809babfa68ee6d9e052818477d45350051ac499

(this sample)

  
Delivery method
Distributed via web download

Comments