MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 680a2a5bb871538c112b32d8fe2c4d4619a2517f2c8007b0fd9fd560d2f5becb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 17 File information Comments

SHA256 hash:	680a2a5bb871538c112b32d8fe2c4d4619a2517f2c8007b0fd9fd560d2f5becb
SHA3-384 hash:	d8c22775159b7887c77f962ea7f0adb4ba5a9ef533b779c32c37b7411a1c033bac72dfd5a86fc1c9c407eced72672d9a
SHA1 hash:	a9fa8820790eb6373b86d17bff970ffe6f8d5a5b
MD5 hash:	6b9291dec6acd9928649c43e7f93c405
humanhash:	angel-arkansas-missouri-maryland
File name:	file.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	37'018'972 bytes
First seen:	2025-05-04 07:44:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep	393216:mwjLfGKDWoNiuktZvn5L7NnEo4RvM/p7mATxzdPGHEsmxHicKDml2HeeYIWor4B:mwjrrrSl5LREowU8GxZsmxCB2
TLSH	T19A87AE07A7FC4125F1F7973059B686A6593ABE206B31C2DF024A791D28727B0AF30767
TrID	87.2% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 4.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 1.0% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika	pebin
dhash icon	03fcb8c4fcd4c003 (1 x LummaStealer)
Reporter	zhuzhu0009
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

518

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file.exe

Verdict:

Malicious activity

Analysis date:

2025-05-03 12:01:31 UTC

Tags:

autoit lumma stealer autoit-loader loader

Link:

https://app.any.run/tasks/f3c42c44-9678-41d8-aa56-e181171fb30b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68160583432e243ac3e34f1e

Tags:

autoit emotet

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Creating a file

Creating a process from a recently created file

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmstp explorer fingerprint hacktool installer lolbin microsoft_visual_cc netsh overlay overlay packed packed remote rundll32 wab

Link:

https://www.filescan.io/uploads/68171b04d95f3e34e95fdc5f/reports/14edb18b-b5d1-4b70-875f-05aa72a00cca/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/680a2a5bb871538c112b32d8fe2c4d4619a2517f2c8007b0fd9fd560d2f5becb

Score:

31%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/680a2a5bb871538c112b32d8fe2c4d4619a2517f2c8007b0fd9fd560d2f5becb

Gathering data

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-05-03 12:01:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nafcuw5yofjyyejlglmp4lcniym2eul7fsaapmh5t7kwbuxvx3fq._file

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/250504-jlgceafr6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Enumerates processes with tasklist

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://quaestort.live/toquw
https://brandihx.run/lowp
https://viriatoe.live/laopx
https://hexitiumt.digital/xane
https://opusculy.top/keaj
https://civitasu.run/werrp
https://scriptao.digital/vpep
https://praetori.live/vepr
https://disciplipna.top/eqwu

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/20e0e599-cb04-4374-ba0e-d4e07fe22480

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/680a2a5bb871/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/680a2a5bb871538c112b32d8fe2c4d4619a2517f2c8007b0fd9fd560d2f5becb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_beacon_detected Create hunting rule
Author:	0x0d4y
Description:	This rule detects cobalt strike beacons.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETDLLMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	Internal names found in LURK0/CCTV0 samples

Rule name:	SUSP_NET_Shellcode_Loader_Indicators_Jan24 Create hunting rule
Author:	Jonathan Peters
Description:	Detects indicators of shellcode loaders in .NET binaries
Reference:	https://github.com/Workingdaturah/Payload-Generator/tree/main

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/f3c42c44-9678-41d8-aa56-e181171fb30b

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample