MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d3912a3736bd80fa7e6466f3ab3a2441ee56f5b05f1511b01c35553ed0e44f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d3912a3736bd80fa7e6466f3ab3a2441ee56f5b05f1511b01c35553ed0e44f1
SHA3-384 hash: 8a524da8fa666c8b67b1d412a4c170859bf9aa6a25eea20941daa5489625f952fbc32c1edf2b397dd8a0adedcfc16a29
SHA1 hash: cfbdb1d267c5334ff299ce96192355711b579379
MD5 hash: 4a6ab7ae294abd5c3b0268447277af29
humanhash: colorado-april-kilo-montana
File name:CL_LauncherB1.exe1
Download: download sample
Signature LummaStealer
Create hunting rule
File size:321'536 bytes
First seen:2025-03-10 13:11:46 UTC
Last seen:2025-03-11 16:22:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a5567ee58392b29f5e89d9992d4d311 (2 x LummaStealer)
ssdeep 6144:UbSFVgW+UVYjKBuukrcLcEX61KsU+bZUPuHle:Um+6YjKwrcLcOcB
Threatray 47 similar samples on MalwareBazaar
TLSH T16E647D15F6A414F9E9A7823CCD424906EB72BC864761E7CF13E04A963F276E09E3E711
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter KatzenTech
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
418
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CL_LauncherB1.exe1
Verdict:
Malicious activity
Analysis date:
2025-03-11 02:29:06 UTC
Tags:
github lumma stealer delphi antivm enigma
Link:
https://app.any.run/tasks/0044c5f7-e55d-4f56-9f50-8768dc64ef1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cf00f40d1b39e3a208c693
Tags:
shell overt sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint masquerade microsoft_visual_cc obfuscated packed
Link:
https://www.filescan.io/uploads/67cee537f8726576332ecdbc/reports/b889f476-bb86-4996-8acc-e9278ad50ba6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/6d3912a3736bd80fa7e6466f3ab3a2441ee56f5b05f1511b01c35553ed0e44f1
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1633736
Signature
Adds a directory exclusion to Windows Defender
Found API chain indicative of debugger detection
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1633736 Sample: CL_LauncherB1.exe1.exe Startdate: 10/03/2025 Architecture: WINDOWS Score: 80 27 github.com 2->27 31 Multi AV Scanner detection for submitted file 2->31 33 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->33 35 Joe Sandbox ML detected suspicious sample 2->35 37 2 other signatures 2->37 9 CL_LauncherB1.exe1.exe 2 2->9         started        signatures3 process4 signatures5 41 Found API chain indicative of debugger detection 9->41 43 Adds a directory exclusion to Windows Defender 9->43 12 cmd.exe 1 9->12         started        15 cmd.exe 1 9->15         started        17 conhost.exe 9->17         started        process6 signatures7 45 Suspicious powershell command line found 12->45 47 Adds a directory exclusion to Windows Defender 12->47 19 powershell.exe 23 12->19         started        22 powershell.exe 14 16 15->22         started        process8 dnsIp9 39 Loading BitLocker PowerShell Module 19->39 25 WmiPrvSE.exe 19->25         started        29 github.com 140.82.121.3, 443, 49718 GITHUBUS United States 22->29 signatures10 process11
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6d3912a3736bd80fa7e6466f3ab3a2441ee56f5b05f1511b01c35553ed0e44f1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d3912a3736bd80fa7e6466f3ab3a2441ee56f5b05f1511b01c35553ed0e44f1/
Threat name:
Win64.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-03-09 20:05:11 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nu4rfi3tnpma7j7gizxtvm5ciqpok323axyvcgybynkvh3ioityq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
65babd32307b6ab12ac27ff6355d55d37c059f21df0401f0963a91111ad009b4
LummaStealer
6d3912a3736bd80fa7e6466f3ab3a2441ee56f5b05f1511b01c35553ed0e44f1
LummaStealer
719a14f950dbf12b1099c161b0fa33fe283ce27895ccaa114a608f45dfb78f59
LummaStealer
86f515ab3d89987d7fd6e036335c3a5d3775fb21323899e4583bb487e8e6a05f
LummaStealer
8825d7b1d64005759065ca7b04c6d29842adb768684e742ffbb92bd0568f2b4d
LummaStealer
9e733c194f978e19d3a2afc233a0084e9e8497cd360eda29b63de8fad5c2cd56
LummaStealer
e42e988a47f4f684249bc8e1e370a32fc53831929adc86b7b1d45fbd3de7fb9a
LummaStealer
error
LummaStealer
+ 37 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery execution spyware stealer
Link:
https://tria.ge/reports/250310-qfl42awvcs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://cueddlycrea.run/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://catterjur.run/api
https://orangemyther.live/api
https://fostinjec.today/api
https://sterpickced.digital/api
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e1882c0e-90f5-4a3c-a806-8bd1622997ac
Unpacked files
SH256 hash:
6d3912a3736bd80fa7e6466f3ab3a2441ee56f5b05f1511b01c35553ed0e44f1
MD5 hash:
4a6ab7ae294abd5c3b0268447277af29
SHA1 hash:
cfbdb1d267c5334ff299ce96192355711b579379
Link:
https://www.unpac.me/results/d122ea54-cf66-40a7-9d07-7a18fd39a3d5/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d3912a3736b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d3912a3736bd80fa7e6466f3ab3a2441ee56f5b05f1511b01c35553ed0e44f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW

Comments